Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

security-mode

Syntax

Hierarchy Level

Description

Configure the MACsec security mode for the connectivity association.

To enable MACsec on a switch-to-host link, you must use dynamic connectivity association key (CAK) mode. For links that connect switches or routers—switch-to-switch, switch-to-router, or router-to-router—you can use static CAK mode or dynamic CAK mode.

Note:

Dynamic CAK mode is not supported on logical interfaces.

Options

security-mode

Specifies the MACsec security mode. Options include:

  • dynamic—Dynamic CAK mode.

    You can use dynamic CAK mode on switch-to-host links as well as links that connect switches or routers. Dynamic CAK mode relies on 802.1X authentication with EAP-TLS. Public key infrastructure is also required for certificate validation.

  • static-cak—Static CAK mode.

    You can use static CAK mode on links that connect switching devices. In static-cak mode, the CAK must be manually configured on both peer nodes of the point-to-point MACsec link.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 13.2X50-D15.

The dynamic security mode option was introduced in Junos OS Release 14.1X53-D10.

Related Documentation