suspend-on-request
Syntax
suspend-on-request;
Hierarchy Level
[edit security macsec connectivity-association connectivity-association-name mka]
Description
Configure the suspend-on-request statement to maintain non-stop MACsec service during graceful routing engine switchover (GRES).
The MACsec Key Agreement (MKA) protocol maintains the MACsec session between two nodes on a point-to-point MACsec link. The MKA protocol works at the control plane level between the two nodes. When GRES for MACsec is enabled and one node initiates an RE switchover, that node sends an MKA hello packet with a suspension request to the peer node. The peer node suspends the MACsec session at the control plane.
At the data plane, traffic continues to traverse the point-to-point link during suspension. The secure association key (SAK) that was programmed prior to suspension remains in use until the switchover is complete. After the switchover, the key server generates a new SAK to secure the link. The key server will continue to periodically create and share a SAK over the link for as long as MACsec is enabled.
You must configure the suspend-on-request statement on the key server so that it can accept a request for suspension from the peer node. If this statement is not configured, a suspension request sent to the key server results in termination of the MACsec session, which can cause traffic loss during the switchover.
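The following audit script is an added example, not part of the Junos OS documentation. It scans "display set" configuration output and lists each connectivity association that lacks suspend-on-request under its mka hierarchy level, together with the interfaces bound to it. The sample configuration, the CA names and the interface names are constructed for illustration.

```python
import re

# Constructed sample: "show configuration | display set" output from a
# hypothetical node. The CA names and interface names are made up.
SAMPLE_CONFIG = """\
set security macsec connectivity-association ca-core security-mode static-cak
set security macsec connectivity-association ca-core mka key-server-priority 0
set security macsec connectivity-association ca-core mka suspend-on-request
set security macsec connectivity-association ca-edge security-mode static-cak
set security macsec connectivity-association ca-edge mka key-server-priority 0
set security macsec interfaces et-0/0/0 connectivity-association ca-core
set security macsec interfaces et-0/0/1 connectivity-association ca-edge
"""

CA_RE = re.compile(r"^set security macsec connectivity-association (\S+)(?: (.*))?$")
IF_RE = re.compile(r"^set security macsec interfaces (\S+) connectivity-association (\S+)$")

def audit_suspend_on_request(config_text):
    """Map each connectivity association to its suspend-on-request state
    and the interfaces bound to it."""
    cas = {}

    def entry(name):
        return cas.setdefault(name, {"suspend_on_request": False, "interfaces": []})

    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        m = CA_RE.match(line)
        if m:
            ca = entry(m.group(1))
            # The statement lives under the CA's mka hierarchy level.
            if m.group(2) == "mka suspend-on-request":
                ca["suspend_on_request"] = True
            continue
        m = IF_RE.match(line)
        if m:
            entry(m.group(2))["interfaces"].append(m.group(1))
    return cas

def missing_suspend_on_request(config_text):
    """Names of CAs that keep the default and do not accept suspension requests."""
    report = audit_suspend_on_request(config_text)
    return sorted(n for n, ca in report.items() if not ca["suspend_on_request"])

if __name__ == "__main__":
    report = audit_suspend_on_request(SAMPLE_CONFIG)
    for name in missing_suspend_on_request(SAMPLE_CONFIG):
        print(f"{name}: suspend-on-request not set, interfaces {report[name]['interfaces']}")
```

Run it against the configuration of the node acting as key server, since that is where the statement must be present.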
Default
You must configure the suspend-on-request statement to enable a node on a MACsec link to accept requests for suspension of MACsec sessions. Suspension requests are not accepted by default.
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 21.2R1.