interfaces (MACsec for MX Series)
Syntax
interfaces interface-name { connectivity-association connectivity-association-name; unit unit-number { connectivity-association connectivity-association-name; } }
Hierarchy Level
[edit security macsec]
Description
Applies the specified connectivity association to the specified interface to enable MACsec.
One connectivity association can be applied to multiple interfaces.
You must always use this statement to apply a connectivity association to an interface to enable MACsec. You must complete this configuration step regardless of whether MACsec is enabled using static connectivity association key (CAK) security mode or static secure association key (SAK) security mode.
If you are enabling MACsec using static SAK security mode and need to configure MACsec on inbound and outbound traffic on the same interface, you must configure a connectivity association with one secure channel for inbound traffic and a second secure channel for outbound traffic. The connectivity association is then applied to the interface using this statement to enable MACsec for traffic entering and leaving the interface.
Starting in Junos OS Release 16.1R2, when Media Access Control Security (MACsec)
is enabled on an interface, the interface flow control capability is enabled by default,
regardless of the configuration that you set using the (flow-control | no-flow-control)
statement at the [edit interfaces interface- name gigether-options]
hierarchy level. When MACsec is disabled, interface flow control is restored to the configuration
that you set using the flow-control
statement at the [edit interfaces]
hierarchy level. When MACsec is enabled, additional header bytes are added to the packet
by the MACsec PHY. With line rate traffic, when MACsec is enabled and flow control is disabled,
the pause frames sent by the MACsec PHY are terminated by the MIC’s MAC (enhanced 20-port
Gigabit Ethernet MICs on MX Series routers) and not transferred to the Packet Forwarding Engine,
causing framing errors. Therefore, when MACsec is enabled on an interface, flow control is
also automatically enabled on such an interface.
Default
Interfaces are not associated with any connectivity associations, by default.
Options
connectivity-association connectivity-association-name |
Specify the connectivity association to assign to the interface. A connectivity association is a set of MACsec attributes that are used by interfaces to create secure inbound and outbound channels for encrypted traffic. |
unit unit-number |
Applies the specified connectivity association to a logical interface. |
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 15.1.
Support for unit
option introduced in Junos OS Release 19.3 for MPC7E-10GE
line cards.