security-association
Syntax
security-association security-association-number {
key key-string;
}
Hierarchy Level
[edit security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name]
Description
Specifies the number of one of the security associations in the secure
channel when MACsec is enabled using static secure association key (SAK) security mode. Because
SAKs are created by the key server when MACsec is enabled using static connectivity association
key (CAK) security mode, the security-association statement is not used when enabling
MACsec using static CAK security mode.
You must configure at least two security associations to enable MACsec using static SAK security mode. MACsec initially establishes a secure connection when a security association number and key match on both ends of an Ethernet link. After a certain number of Ethernet frames are securely transmitted across the Ethernet link, MACsec automatically rotates to a new security association with a new security association number and key to maintain the secured Ethernet link. This rotation continues each time a certain number of Ethernet frames are securely transmitted across the secured Ethernet link, so you must always configure MACsec to have at least two security associations.
Default
No security keys are configured, by default.
Options
| security-association-number | Specifies the security association number and creates the SAK. The security association number is a whole number between 0 and 3. You can configure two security associations in a secure channel when enabling MACsec using static security keys. |
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 13.2X50-D15.