should-secure

Syntax

Hierarchy Level

Description

Configure the should-secure statement to enable fail open mode for Media Access Control Security (MACsec). Fail open mode ensures that traffic continues to flow if the MACsec Key Agreement (MKA) session is not established.

When should-secure is configured:

  • If the MKA session is not established, traffic is still allowed in clear text without the MACsec header.
  • If the MKA session is established successfully, traffic is allowed with MACsec headers.

Fail open mode is recommended for service providers that prioritize network availability. Before you enable fail open mode, consider the sensitivity of the traffic you are attempting to secure with MACsec.

Default

Fail open mode is not enabled by default. You must configure should-secure to enable this feature. When should-secure is not configured:

  • If the MKA session is not established, all traffic is discarded except Extensible Authentication Protocol over LAN (EAPoL) packets.

  • If the MKA session is established, traffic is transmitted with MACsec headers.
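The following audit script is an added example, not part of the Juniper documentation. It lists which MACsec-bound interfaces would pass clear text during an MKA failure, so they can be reviewed against the sensitivity of the traffic they carry. It assumes set-format configuration in which should-secure sits under `security macsec connectivity-association <name> mka` and interfaces are bound under `security macsec interfaces <name> connectivity-association <name>`; the connectivity-association and interface names are constructed.

```python
import re

# Constructed sample in "display set" form; all names are made up for illustration.
SAMPLE_CONFIG = """\
set security macsec connectivity-association ca-core security-mode static-cak
set security macsec connectivity-association ca-core mka should-secure
set security macsec connectivity-association ca-dc security-mode static-cak
set security macsec connectivity-association ca-dc mka key-server-priority 16
set security macsec interfaces xe-0/0/1 connectivity-association ca-core
set security macsec interfaces xe-0/0/2 connectivity-association ca-dc
set security macsec interfaces xe-0/0/3 connectivity-association ca-core
"""

# Assumed statement paths (the page does not show the hierarchy level).
CA_RE = re.compile(r"^set security macsec connectivity-association (\S+) (.+)$")
IF_RE = re.compile(
    r"^set security macsec interfaces (\S+) connectivity-association (\S+)$"
)


def audit_macsec(config_text):
    """Map each bound interface to (connectivity association, failure mode)."""
    fail_open = set()   # connectivity associations with should-secure configured
    bindings = {}       # interface -> connectivity association
    for raw in config_text.splitlines():
        line = raw.strip()
        m = CA_RE.match(line)
        if m:
            if m.group(2).split() == ["mka", "should-secure"]:
                fail_open.add(m.group(1))
            continue
        m = IF_RE.match(line)
        if m:
            bindings[m.group(1)] = m.group(2)
    return {
        ifc: (ca, "fail-open" if ca in fail_open else "fail-closed")
        for ifc, ca in bindings.items()
    }


def cleartext_risk(config_text):
    """Interfaces that forward clear text when the MKA session is not established."""
    audit = audit_macsec(config_text)
    return sorted(ifc for ifc, (_, mode) in audit.items() if mode == "fail-open")


if __name__ == "__main__":
    for ifc, (ca, mode) in sorted(audit_macsec(SAMPLE_CONFIG).items()):
        print(f"{ifc:10} {ca:10} {mode}")
```

Interfaces reported as fail-closed follow the default behavior described above: without an established MKA session they discard all traffic except EAPoL packets.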

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 17.4.