Configuring MACsec
Configuration Overview
Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for almost all types of traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly-connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec is standardized in IEEE 802.1AE.
You can configure MACsec to secure point-to-point Ethernet links connecting switches, or on Ethernet links connecting a switch to a host device such as a PC, phone, or server. Each point-to-point Ethernet link that you want to secure using MACsec must be configured independently. You can enable MACsec on switch-to-switch links using dynamic or static connectivity association key (CAK) security mode. Both processes are provided in this document.
For information on configuring MACsec on control and fabric ports of supported SRX Series Firewalls in chassis cluster setup, see Media Access Control Security (MACsec) on Chassis Cluster.
On SRX Series Firewalls, you can configure MACsec in routed mode; MACsec is not supported in transparent mode.
Before You Begin
Before enabling MACsec, you must ensure the difference between your interface media maximum transmission unit (MTU) and protocol MTU is large enough to accommodate the additional 32 bytes of MACsec overhead.
For information about configuring the interface MTU and protocol MTU, see the interface MTU configuration documentation for your platform.
Configuring MACsec in Static CAK Mode
You can enable MACsec using static connectivity association key (CAK) security mode on a point-to-point Ethernet link connecting switches or routers. This can be a switch-to-switch, switch-to-router, or router-to-router link.
We recommend enabling MACsec using static CAK security mode on links connecting switches or routers. Static CAK security mode ensures security by frequently refreshing to a new random secure association key (SAK) and by only sharing the SAK between the two devices on the MACsec-secured point-to-point link.
When you enable MACsec using static CAK security mode, a preshared key is exchanged between the devices on each end of the point-to-point Ethernet link. The preshared key includes a connectivity association name (CKN) and a connectivity association key (CAK). The CKN and CAK must be manually configured in the connectivity association and must match on both ends of the link to initially enable MACsec.
After the preshared keys are exchanged and verified, the MACsec Key Agreement (MKA) protocol enables MACsec on the link. The MKA is responsible for selecting one of the two devices on the point-to-point link as the key server. The key server then creates a randomized security key that it shares only with the peer device over the MACsec-secured link. The randomized security key enables and maintains MACsec on the point-to-point link. The key server will continue to periodically create and share a randomly-created security key over the point-to-point link for the duration of the MACsec session.
If the MACsec session terminates because of a link failure, MKA elects a key server again when the link is restored, and that key server generates a new SAK.
You enable MACsec using static CAK security mode by configuring a connectivity association on both ends of the link. All configuration is done within the connectivity association but outside of the secure channel. Two secure channels—one for inbound traffic and one for outbound traffic—are automatically created when using static CAK security mode. The automatically-created secure channels do not have any user-configurable parameters. All configuration is done in the connectivity association.
To configure MACsec using static CAK security mode:
MACsec using static CAK security mode is enabled when a connectivity association on the opposite end of the link is also configured. The connectivity association must contain preshared keys that match on both ends of the link.
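As an added example (not Juniper's code), the following Python script generates a static-CAK preshared key from the OS CSPRNG, renders the connectivity-association statements for both ends of the link, and then cross-checks the two sides the way MKA will: the security mode, CKN, and CAK must all match or the session never comes up. The key lengths (32-byte CKN, 16-byte CAK for GCM-AES-128) and the statement syntax are assumptions; confirm them against your platform before use.

```python
"""Generate and cross-check a static-CAK MACsec preshared key for two Junos peers.

Added example, not Juniper's code. Assumes a 32-byte CKN (64 hex digits) and a
16-byte CAK (32 hex digits, GCM-AES-128); check your platform's limits.
"""
import re
import secrets

CKN_BYTES = 32   # assumption: 64-hex-digit CKN
CAK_BYTES = 16   # assumption: 32-hex-digit CAK for GCM-AES-128


def generate_preshared_key():
    """Return (ckn, cak) as lowercase hex drawn from the OS CSPRNG."""
    return secrets.token_hex(CKN_BYTES), secrets.token_hex(CAK_BYTES)


def render_connectivity_association(ca_name, interface, ckn, cak):
    """Emit set-format statements for one end of the point-to-point link."""
    if not re.fullmatch(r"[0-9a-f]{%d}" % (2 * CKN_BYTES), ckn):
        raise ValueError("CKN must be %d lowercase hex digits" % (2 * CKN_BYTES))
    if not re.fullmatch(r"[0-9a-f]{%d}" % (2 * CAK_BYTES), cak):
        raise ValueError("CAK must be %d lowercase hex digits" % (2 * CAK_BYTES))
    base = "set security macsec connectivity-association %s" % ca_name
    return [
        base + " security-mode static-cak",
        base + " pre-shared-key ckn " + ckn,
        base + " pre-shared-key cak " + cak,
        "set security macsec interfaces %s connectivity-association %s"
        % (interface, ca_name),
    ]


def parse_connectivity_association(lines):
    """Pull security-mode, CKN and CAK out of one device's set-format lines."""
    pattern = re.compile(
        r"set security macsec connectivity-association (\S+) "
        r"(security-mode|pre-shared-key ckn|pre-shared-key cak) (\S+)"
    )
    found = {}
    for line in lines:
        m = pattern.match(line)
        if m:
            found[m.group(2)] = m.group(3)
    return found


def peers_match(side_a, side_b):
    """Return the parameters that differ; an empty list means MKA can proceed."""
    a = parse_connectivity_association(side_a)
    b = parse_connectivity_association(side_b)
    return [k for k in ("security-mode", "pre-shared-key ckn", "pre-shared-key cak")
            if a.get(k) != b.get(k)]
```

Feed `peers_match` the `show configuration security macsec | display set` output from each device to find a mismatch before it shows up as an MKA session that never establishes.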
Configuring MACsec in Dynamic CAK Mode
In dynamic CAK mode, the peer nodes on the MACsec link generate the security keys dynamically as part of the 802.1X authentication process. You can use dynamic CAK mode to secure a point-to-point link connecting switches or routers. This can be a switch-to-switch, switch-to-router, or router-to-router connection. The devices must act as both authenticator and supplicant for 802.1X authentication so they can authenticate each other.
Dynamic CAK mode is easier to administer than static CAK mode, because the keys do not need to be configured manually and can be centrally managed from the RADIUS server. However, static CAK mode provides more functionality.
Dynamic CAK mode is not supported on logical interfaces.
The following procedure is for configuring dynamic CAK mode on links between switches or routers. To configure dynamic CAK mode on switch-to-host links, see Configuring MACsec to Secure a Switch-to-Host Link.
Before you begin to enable MACsec in dynamic CAK mode, you must configure a RADIUS server. The RADIUS server:
Must be configured with a server-side certificate.
Must be using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication framework.
For information on configuring the RADIUS server, see RADIUS Server Configuration for Authentication.
Configure the Connectivity Association
Configure Certificates
You must assign a local certificate and a certificate authority (CA) certificate to each supplicant interface. The supplicant and RADIUS server authenticate each other by exchanging certificate credentials. The local certificate and the server certificate must be signed by the same CA. You can generate the certificates locally using public key infrastructure (PKI), or load certificates that were generated remotely.
Generating Certificates Locally
To generate a CA certificate:
- Configure the CA profile:
[edit]
user@host# set security pki ca-profile ca_profile ca-identity ca_id
- Disable revocation check:
[edit]
user@host# set security pki ca-profile ca_profile revocation-check disable
- Enroll the certificate with the CA:
user@host> request security pki ca-certificate enroll ca-profile ca-profile-name
To generate a local certificate:
- Generate a public-private key pair:
user@host> request security pki generate-key-pair certificate-id cert-id
- Generate and enroll the local certificate using the Simple Certificate Enrollment Protocol (SCEP):
user@host> request security pki local-certificate enroll ca-profile ca-profile-name certificate-id cert-id challenge-password password domain-name domain-name subject subject-distinguished-name
Loading Remotely-Generated Certificates
To load remotely-generated certificates:
- Load the CA profile:
[edit]
user@host# run request security pki ca-certificate load filename ca_cert ca-profile ca_prof
- Load the local certificate:
[edit]
user@host# run request security pki local-certificate load certificate-id cert-id filename path key client-key passphrase string
Configure 802.1X Authentication
Configure 802.1X authentication with EAP-TLS on the interfaces at each end of the point-to-point link. The interfaces must act as both authenticators and supplicants so that the devices can authenticate each other.
Configuring MACsec to Secure a Switch-to-Host Link
When configuring MACsec on a switch-to-host link, the MACsec Key Agreement (MKA) keys, which are included as part of 802.1X authentication, are retrieved from a RADIUS server as part of the AAA handshake. A primary key is passed from the RADIUS server to the switch and from the RADIUS server to the host in independent authentication transactions. The primary key is then passed between the switch and the host to create a MACsec-secured connection.
The following requirements must be met in order to enable MACsec on a link connecting a host device to a switch.
The host device:
Must support MACsec and must be running software that allows it to establish a MACsec-secured connection with the switch.
The switch:
Must support MACsec.
Must be configured into dynamic connectivity association key (CAK) security mode.
Must be using 802.1X authentication to communicate with the RADIUS server.
Before you begin to enable MACsec on a switch-to-host link:
Configure a RADIUS server. The RADIUS server:
Must be configured as the user database for 802.1X authentication.
Must be using the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication framework.
Must have connectivity to the switch and to the host. The RADIUS server can be multiple hops from the switch or the host.
See Example: Connecting a RADIUS Server for 802.1X to an EX Series Switch.
Enable MACsec on the host device.
The procedure for enabling MACsec on the host device varies by host device and is beyond the scope of this document.
To configure MACsec using dynamic CAK security mode to secure a switch-to-host Ethernet link:
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
(flow-control | no-flow-control) statement at the [edit interfaces interface-name gigether-options] hierarchy level. When MACsec is enabled, additional header bytes are added to the packet by the MACsec PHY. With line rate traffic, when MACsec is enabled and flow control is disabled, the pause frames sent by the MACsec PHY are terminated by the MIC's MAC (enhanced 20-port Gigabit Ethernet MICs on MX Series routers) and not transferred to the Packet Forwarding Engine, causing framing errors. Therefore, when MACsec is enabled on an interface, flow control is also automatically enabled on that interface.