Media Access Control Security (MACsec) over WAN

Media Access Control Security (MACsec, IEEE 802.1AE) is a link layer solution for point-to-point encryption. MACsec can be used to encrypt Layer 2 connections over a service provider WAN to provide integrity and confidentiality for the data in transit.

Use Feature Explorer to confirm platform and release support for specific features.

Review the Platform-Specific Behavior for MACsec over WAN section for notes related to your platform.

Overview of Carrying MACsec over Multiple Hops

To establish a MACsec session, MACsec Key Agreement (MKA) is used to exchange the required keys between the peer nodes. MKA PDUs are transmitted using Extensible Authentication Protocol over LAN (EAPoL) as a transport protocol. EAPoL is a Layer 2 protocol and would normally be locally processed by the switch or router and not propagated further.

In the case where nodes are connected through a service provider network, this presents a challenge. Figure 1 shows MACsec carried over a service provider network. MKA must exchange keys between customer devices A and B. The edge routers, or intermediate devices, should not process the EAPoL packets. Instead, they should transparently forward them to the next hop.

Figure 1: MACsec Carried over a Service Provider Network

(Figure description: Customer Device A and Customer Device B are connected through a service provider core network. The edge routers are MACsec-unaware; the encrypted secure channel between the two customer devices runs through them without being processed by them.)

The default destination MAC address for an EAPoL packet is the multicast address 01:80:C2:00:00:03 (the 802.1X PAE group address). In a service provider network, devices along the path might consume these packets, assuming the packets are meant for them: EAPoL is the transport for 802.1X and other port-authentication methods, so an 802.1X-aware device might trap or drop the packets depending on its configuration. Either way, the MKA session fails to come up between the intended endpoints. To ensure that the EAPoL packet reaches the intended endpoint, you can change attributes of the packet such as the destination MAC address, the VLAN ID, and the EtherType so that the service provider network tunnels the packet instead of consuming it.

Configure IFL-level MACsec on Logical Interfaces

MACsec at the level of a logical interface (IFL) allows multiple MKA sessions on a single physical port. This enables service multiplexing with MACsec encryption of point-to-multipoint connections over service provider WANs.

To support IFL-level MACsec, the MKA protocol packets are sent out with the VLAN tags configured on the logical interface. VLAN tags are transmitted in clear text, which allows intermediate switches that are MACsec-unaware to switch the packets based on the VLAN tags.

When you configure MACsec, you must bind the connectivity association to an interface. To enable IFL-level MACsec, bind the connectivity association to a logical interface using the following command:

For complete configuration details, see Configuring MACsec in Static CAK Mode.

Configure the EAPoL Destination MAC Address for MACsec

MACsec transmits MKA PDUs using EAPoL packets to establish a secure session. By default, EAPoL uses a destination multicast MAC address of 01:80:C2:00:00:03. To prevent these packets from being consumed in a service provider network, you can change the destination MAC address.

To configure the EAPoL destination MAC address, enter one of the following commands.

Note:

The configuration must match on both endpoints of a security association or secure connection in order to establish the MACsec session.

  • To configure the port access entity multicast address:
  • To configure a provider bridge multicast address:
  • To configure the LLDP multicast address:
  • To configure a unicast destination address:

The options are mapped to MAC addresses as follows:

Table 1: EAPoL and MAC Address Mapping

EAPoL Address     MAC Address
pae               01:80:C2:00:00:03
provider-bridge   01:80:C2:00:00:00
lldp-multicast    01:80:C2:00:00:0E
destination       configurable unicast address

Configure the EAPoL EtherType for MACsec

MACsec uses EAPoL as a transport protocol to establish sessions. When you configure a custom MAC destination address for EAPoL packets, in most cases the network tunnels the packet based on the destination address. However, some networks filter packets based on EtherType value instead. The EtherType is a field in an Ethernet frame. The value of the EtherType field identifies the protocol of the packet encapsulated in the frame. By default, the EtherType for EAPoL is 0x888e as defined by the IEEE 802.1X standard. Some networks intercept untagged packets with this EtherType automatically. To ensure the network tunnels MACsec packets properly to the endpoint, you can set a custom EtherType for EAPoL.

When MACsec is enabled on an interface, the device traps untagged EAPoL packets passing through that interface and forwards tagged EAPoL packets. By default, the device traps these packets only if they have the default EtherType 0x888e. When you configure a custom EtherType, the device traps packets that have that custom EtherType instead; it does not trap packets with EtherType 0x888e.
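The destination-MAC, VLAN-tag and EtherType handling described in this section and in the overview above, as an added example that is not part of the Juniper page: a Python model that builds an EAPoL-MKA frame and runs it through a simplified 802.1X-aware provider switch and a MACsec-enabled port. The frame layout and constants come from IEEE 802.1Q/802.1X and Table 1; the two device models, the source MAC and the 32-byte placeholder MKPDU body are constructed assumptions for illustration, and the port model follows the generic trap rule stated above, not the ACX-specific behavior listed under Platform-Specific Behavior.

```python
import struct

# Constants from IEEE 802.1Q / 802.1X; the three addresses are the page's Table 1.
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")        # default EAPoL destination (pae)
PROVIDER_BRIDGE_ADDR = bytes.fromhex("0180c2000000")  # provider-bridge
LLDP_MCAST_ADDR = bytes.fromhex("0180c200000e")       # lldp-multicast
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_EAPOL = 0x888E                              # 802.1X default EAPoL EtherType
EAPOL_VERSION = 3
EAPOL_TYPE_MKA = 5                                    # EAPOL-MKA packet type


def build_eapol_mka(dst, src, mkpdu, ethertype=ETHERTYPE_EAPOL, vlan=None):
    """Ethernet header [+ 802.1Q tag] + EAPoL header + MKPDU body."""
    frame = dst + src
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    frame += struct.pack("!H", ethertype)
    frame += struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_MKA, len(mkpdu))
    return frame + mkpdu


def parse_frame(frame):
    """Split a frame into dst, src, optional VLAN ID, EtherType and payload."""
    dst, src, off, vlan = frame[:6], frame[6:12], 12, None
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype == ETHERTYPE_VLAN:
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlan, off = tci & 0x0FFF, off + 4
        (ethertype,) = struct.unpack_from("!H", frame, off)
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[off + 2:]}


def core_switch_forwards(frame):
    """Constructed model of a MACsec-unaware provider switch that runs 802.1X:
    it consumes untagged frames sent to the PAE group address with EtherType
    0x888E (the default MKA frame) and transparently forwards anything else,
    so a rewritten destination MAC, a VLAN tag or a custom EtherType each get
    the MKPDU across the core."""
    f = parse_frame(frame)
    consumed = (f["vlan"] is None and f["dst"] == PAE_GROUP_ADDR
                and f["ethertype"] == ETHERTYPE_EAPOL)
    return not consumed


def macsec_port_traps(frame, custom_ethertype=None):
    """Trap decision of a MACsec-enabled port as the text describes it:
    untagged frames carrying the configured EAPoL EtherType are trapped to
    MKA, tagged frames are forwarded, and once a custom EtherType is
    configured, frames with 0x888E are no longer trapped."""
    f = parse_frame(frame)
    expected = ETHERTYPE_EAPOL if custom_ethertype is None else custom_ethertype
    return f["vlan"] is None and f["ethertype"] == expected


def mka_reaches_peer(frame, peer_custom_ethertype=None):
    """End to end: the frame must survive the core and be trapped by the peer."""
    return core_switch_forwards(frame) and macsec_port_traps(frame, peer_custom_ethertype)


if __name__ == "__main__":
    src = bytes.fromhex("001122334455")   # constructed sample source MAC
    mkpdu = bytes(32)                     # constructed placeholder MKPDU body
    default = build_eapol_mka(PAE_GROUP_ADDR, src, mkpdu)
    custom = build_eapol_mka(PAE_GROUP_ADDR, src, mkpdu, ethertype=0x876F)
    print("default frame reaches peer:", mka_reaches_peer(default))
    print("custom EtherType 0x876F, peer configured for it:", mka_reaches_peer(custom, 0x876F))
    print("custom EtherType 0x876F, peer still at default:", mka_reaches_peer(custom))
```

Running the block shows the three outcomes that matter: the default frame is consumed in the core, a frame with EtherType 0x876F reaches a peer configured for that value, and the same frame is ignored by a peer still using 0x888E, which is why the EtherType (like the destination MAC) has to match on both ends.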

Choose the EAPoL EtherType Value

If you configure a custom EtherType value, it must be:

  • Different in each EAPoL profile. Do not configure the same EtherType for multiple profiles. If you need only one EtherType, use only one profile.

  • Valid (greater than or equal to 0x600).

  • Available (not reserved for another use).

Using a reserved EtherType can interfere with data traffic. Reserved EtherTypes fall into three categories:

  1. EtherType values reserved by IEEE standards, which are listed on the public IEEE EtherTypes listing maintained by the IEEE Registration Authority.

  2. EtherType values carried by the data traffic in your network.

  3. EtherType values reserved specifically on Junos devices. This category includes values such as 0x9100 and 0x9200, which are not listed on the standards page. To confirm that the EtherType is not in this category, review the table below or commit the configuration: if the value is in the table, the commit check detects the reserved value and the commit fails.

Note: The following table is not an exhaustive list of EtherTypes you should not use. The commit check cannot catch all reserved EtherTypes, so confirm that the EtherType is available before committing your configuration.
Table 2: Reserved EtherTypes Caught by Commit Check on Junos Devices

EtherType   Reserved For
0x0800      IPv4
0x0806      ARP
0x22F3      TRILL
0x8035      RARP
0x8100      VLAN (802.1Q)
0x86DD      IPv6
0x8809      SLOW (slow protocols, for example LACP)
0x8847      TAG (MPLS unicast)
0x8848      Multicast MPLS
0x8863      PPPoE DISC
0x8864      PPPoE SESS
0x888E      802.1X (default EAPoL)
0x88A8      PVLAN (802.1ad service tag)
0x88B5      EXP1
0x88B6      EXP2
0x88B7      EXP3
0x88CC      LLDP
0x88E5      802.1AE (MACsec)
0x88E7      PBB
0x88EE      ELMI
0x88F5      MVRP
0x88F6      MMRP
0x88F7      PTP
0x8902      Ethernet OAM CFM
0x8906      FCOE
0x8914      FIP
0x9100      9100 (legacy Q-in-Q tag)
0x9200      9200 (legacy Q-in-Q tag)
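A check for the three rules in Choose the EAPoL EtherType Value, as an added example and not Juniper code: it parses a candidate value, rejects anything below 0x0600, anything in Table 2, and anything already assigned to another profile, and validates a set of profiles in the order they are defined. RESERVED_ETHERTYPES is Table 2 as printed above; because that table is not exhaustive, a value that passes here can still collide with something your network carries. The profile names and values used in the demo are the PTX defaults from the Configuration section.

```python
# Table 2 from the page: EtherTypes the Junos commit check rejects.
# Not exhaustive; the commit check cannot catch every reserved EtherType.
RESERVED_ETHERTYPES = {
    0x0800: "IPv4", 0x0806: "ARP", 0x22F3: "TRILL", 0x8035: "RARP",
    0x8100: "VLAN", 0x86DD: "IPv6", 0x8809: "SLOW", 0x8847: "TAG",
    0x8848: "Multicast MPLS", 0x8863: "PPPoE DISC", 0x8864: "PPPoE SESS",
    0x888E: "802.1X", 0x88A8: "PVLAN", 0x88B5: "EXP1", 0x88B6: "EXP2",
    0x88B7: "EXP3", 0x88CC: "LLDP", 0x88E5: "802.1AE", 0x88E7: "PBB",
    0x88EE: "ELMI", 0x88F5: "MVRP", 0x88F6: "MMRP", 0x88F7: "PTP",
    0x8902: "Ethernet OAM CFM", 0x8906: "FCOE", 0x8914: "FIP",
    0x9100: "9100", 0x9200: "9200",
}
MIN_ETHERTYPE = 0x0600   # below this the field is an IEEE 802.3 length, not a type


def parse_ethertype(text):
    """Accept '0x876f', '876f' or '0X876F' and return the 16-bit value."""
    t = text.strip().lower()
    if t.startswith("0x"):
        t = t[2:]
    value = int(t, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"{text!r} is not a 16-bit EtherType")
    return value


def check_eapol_ethertype(candidate, existing_profiles):
    """Return the list of problems with a candidate value (empty means OK).
    existing_profiles maps profile name -> EtherType already accepted."""
    problems = []
    if candidate < MIN_ETHERTYPE:
        problems.append(f"0x{candidate:04X} is below 0x0600 and would be read as "
                        "an IEEE 802.3 length field, not an EtherType")
    if candidate in RESERVED_ETHERTYPES:
        problems.append(f"0x{candidate:04X} is reserved for "
                        f"{RESERVED_ETHERTYPES[candidate]} (the commit check rejects it)")
    for name, value in existing_profiles.items():
        if value == candidate:
            problems.append(f"0x{candidate:04X} is already used by profile {name}")
    return problems


def validate_profiles(profiles):
    """profiles: ordered {profile name: EtherType string}. Walks them in order,
    checking each value against the rules and against earlier accepted
    profiles. Returns {profile name: [problems]} for the ones that fail."""
    accepted, failures = {}, {}
    for name, text in profiles.items():
        value = parse_ethertype(text)
        problems = check_eapol_ethertype(value, accepted)
        if problems:
            failures[name] = problems
        else:
            accepted[name] = value
    return failures


if __name__ == "__main__":
    # PTX defaults from the Configuration section: both pass.
    print(validate_profiles({"EAPOL_ETHERTYPE1": "0x876f", "EAPOL_ETHERTYPE2": "0xb860"}))
    # Reusing one value in both profiles and picking a reserved value: both fail.
    print(validate_profiles({"EAPOL_ETHERTYPE1": "0x876f", "EAPOL_ETHERTYPE2": "0x876f"}))
    print(validate_profiles({"EAPOL_ETHERTYPE1": "0x8100"}))
```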

Configuration

The originating and endpoint devices can only establish a MACsec session if both devices are configured with the same EAPoL EtherType. Repeat the configuration on both devices.

To configure a custom EtherType value for EAPoL packets:

  1. Set up your custom EAPoL EtherType profile.

     Note: PTX Series routers come with two EtherType profiles already configured that you can choose from: EAPOL_ETHERTYPE1 or EAPOL_ETHERTYPE2. You must use one of these names for your EAPoL EtherType profile.

  2. (Optional) Configure a custom EAPoL EtherType value.

     See Choose the EAPoL EtherType Value for how to choose an EtherType value.

     Note: On PTX Series routers, each predefined profile is preconfigured with a default EtherType. The profile EAPOL_ETHERTYPE1 has a default EtherType value of 0x876f; the profile EAPOL_ETHERTYPE2 has a default EtherType value of 0xb860. You can configure a different EtherType if you prefer.

  3. Apply your custom EAPoL EtherType profile to the MACsec connectivity association configuration.

  4. Commit your configuration.

  5. (PTX10008 with a PTX10K-LC1301 line card or a PTX10002-36QDD) Reboot the device if you changed the EAPoL EtherType value from the preconfigured default.

  6. Verify the EtherType value you configured using the show security mka sessions detail command. For example:

  7. Repeat the configuration on the other device.

You have configured a custom EtherType value for EAPoL for MACsec.

Platform-Specific Behavior for MACsec over WAN

Use the following table to review platform-specific behaviors for your platforms.

Table 3: Platform-Specific Behavior for the EAPoL EtherType for MACsec

Platform: ACX Series

  • When MACsec is enabled on a logical interface, the device traps packets that match the tagging of that interface (untagged or tagged). If you have not configured a custom EtherType, the device traps EAPoL packets matching that interface's tagging only if they have the default EtherType 0x888e. If you have configured a custom EtherType, the device only traps packets that have that custom EtherType and does not trap packets with EtherType 0x888e.

  • All interfaces belonging to a link aggregation group (LAG) must use the same EAPoL EtherType profile. Otherwise MACsec does not work on the interfaces.

Platform: PTX Series

  • You can only configure two EAPoL EtherType profiles: EAPOL_ETHERTYPE1 and EAPOL_ETHERTYPE2. By default, the EtherTypes associated with these profiles are 0x876f and 0xb860, respectively. You can configure an EtherType value other than the default if you prefer.

  • (PTX10008 with a PTX10K-LC1301 line card or a PTX10002-36QDD) Reboot is required after changing the EtherType value from the pre-configured default.

  • (PTX10004, PTX10008, and PTX10016 with PTX10K-LC1201 or PTX10K-LC1202 line cards; PTX10001-36MR) Tunnel termination is not supported for MACsec packets received with a custom EtherType on EVPN-MPLS and EVPN-VPWS services.

  • (PTX10001-36MR, PTX10002-36QDD, PTX10004, PTX10008, and PTX10016) If a physical interface has Ethernet CCC encapsulation configured, and MACsec is configured on that interface, the device traps all EAPoL packets for that interface regardless of whether they are tagged or untagged. To avoid this, you can configure a custom EtherType on that interface that is different than the one used for other MACsec traffic. After this configuration, the device traps packets with the custom EtherType and lets the other untagged packets go through.