Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Network Director Network Director User Guide Working in Build Mode Configuring Media Access Control Security (MACsec)

Network Director User Guide

keyboard_arrow_up
close
keyboard_arrow_left
Network Director User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Configuring and Managing MACsec Profiles

Release: Network Director 7.1
{}
Change Release
date_range 23-May-23
arrow_backward
arrow_forward

From the MACsc Profile page of the Network Director UI you can create and manage MACsec profiles that specify MACsec settings for the extended ports in the aggregation device in a Junos Fusion Enterprise device. From the Manage MACsec Profile page, you can:

  • Create a new MACsec profile by clicking Add.

  • Modify an existing MACsec profile by selecting the profile and clicking Edit.

  • Associate a profile to the extended ports by selecting the profile and clicking Assign.

  • Change current assignments for a profile by selecting the profile and clicking Edit Assignment.

  • Delete a MACsec profile by selecting the profile and clicking Delete.

  • Clone an existing MACsec profile by selecting the profile and clicking Clone.

  • View information about a profile by selecting the profile and clicking Details.

Table 1 describes the information provided about wired MACsec profiles on the Manage MACsec Profiles page. This page lists all the MACsec profiles defined for the Junos Fusion Enterprise device, regardless of the scope you selected in the network view.

Table 1: Managing MACsec Profile Fields

Field

Description

Profile Name

Name of the profile.

Connection Association Name

Name of the MACsec connectivity association.

Description

Description of the profile.

MACsec Mode

Static secure association key (static-SAK) security mode or static connectivity association key (static-CAK) using which you enabled MACsec on the device.

Assignment State

Profile assignment state. One of the following:

  • Deployed—The profile has been assigned and the configuration has been deployed on the devices.

  • Pending Deployment—The profile has been assigned or its previous assignments have been changed, but the new or modified configuration has not yet been deployed on the devices.

  • Unassigned—The profile has not yet been assigned.

User Name

The username of the user who created or modified the profile.

This topic describes:

Creating a MACsec Profile

To create a MACsec profile:

  1. Under Views, select one of these options: Logical View, Location View, Device View, or Custom Group View.
    Tip:

    Do not select Dashboard View or Topology View.

  2. Click in the Network Director banner.
  3. In the Tasks pane, expand Wired, expand Profiles, and then select MACsec.

    The Manage MACsec Profile page appears, displaying the list of currently configured MACsec profiles.

  4. Click Add to add a new profile.

    The Create MACsec Profile page appears.

  5. Enter the MACsec settings described in Specifying Settings for a MACSsec Profile.
  6. Click Done.

Specifying Settings for a MACSsec Profile

Table 2 describes the MACsec Profile settings. Required settings are indicated by a red asterisk (*) that appears next to the field label in the user interface.

Table 2: MACsec Profile Settings

Field

Action

Profile Name

Type the name of the profile.

Description

Type a description of the profile.

Family type

The device family on which the profile was created: Campus Switching ELS or Data Center Switching ELS.

Connection Association Name

Type the name for the MACsec connectivity association.

MACsec Mode

Select the mode using which you can enable MACsec on the device. The available modes are static secure association key (static-SAK) security mode or static connectivity association key (static-CAK) security mode.

CAK Settings

If you want to enable MACsec by using the CAK mode, configure the CAK settings specified in Table 3.

SAK Settings

If you want to enable MACsec by using the SAK mode, configure the SAK settings specified in Table 4 for the inbound and outbound secure channels.

Table 3: CAK Settings

Field

Description

Connectivity Association Key Name

Type a name for the connectivity association key that you want to use for enabling MACsec.

Connectivity Association Key

Specify the key to exchange with the other end of the link on the secure channel. You must use a hexadecimal string of 32 digits.

Confirm Connectivity Association Key

Specify the connectivity association key again. If there is a mismatch (between the connectivity association keys), an error message is shown.

Enable Include Secure Channel Identifier

Enable Include Secure Channel Identifier tagging on a device that is enabling MACsec on an Ethernet link connecting to an Junos Fusion Enterprise device.

Key Server Priority

Specify the MACsec Key Agreement (MKA) server election priority number. You can specify a value between 0 and 255. The lower the number, the higher the priority.

Transmit Interval (milli sec)

Specify the transmit interval for MACsec Key Agreement (MKA) protocol data units (PDUs). The MKA transmit interval setting sets the frequency for how often the MKA PDU is sent to the directly connected device to maintain MACsec on a point-to-point Ethernet link. A lower interval increases bandwidth overhead on the link; a higher interval optimizes the MKA protocol data unit exchange process.

The default transmit interval is 2000 milliseconds

Disable Encryption

Select this option if you want to disable the MACsec encryption for a connectivity association that has MACsec already enabled on it.

Offset

Specify the offset 0, 30, or 50 for all the packets traversing the link. The default offset is 0. All traffic in the connectivity association is encrypted when encryption is enabled and an offset is not set.

When the offset is set to 30, the IPv4 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic.

When the offset is set to 50, the IPv6 header and the TCP/UDP header are unencrypted while encrypting the rest of the traffic.

You would typically forward traffic with the first 30 or 50 octets unencrypted if a feature needed to see the data in the octets to perform a function, but you otherwise prefer to encrypt the remaining data in the frames traversing the link. Load balancing features, in particular, typically need to see the IP and TCP/UDP headers in the first 30 or 50 octets to properly load balance traffic.

Replay Window Size

Specify the size of the replay protection window.

Note:

When this variable is set to 0, all packets that arrive out-of-order are dropped.

Exclude Protocols

Specify the name of the protocol that should not be MACsec-secured. Options include:

  • cdp—Cisco Discovery Protocol.

  • lacp—Link Aggregation Control Protocol.

  • lldp—Link Level Discovery Protocol.

Cipher Suite

Specify the cipher suite for creating the MACsec profile.

Table 4: SAK Settings

Field

Description

Secure Channel name

Type a name for the secure channel.

MAC address

Specify a MAC address on which you want to enable MACsec using static secure association key (SAK) security mode. The mac-address variables must match on the sending and receiving ends of a link to enable MACsec using static SAK security mode.

Port

Specify the port ID number in a secure channel when enabling MACsec using static secure association key (SAK) security mode. The port IDs must match on a sending and receiving secure channel on each side of a link to enable MACsec.

After the port numbers match, MACsec is enabled for all traffic on the connection.

Enable Encryption

Select this option if you want to Enable MACsec encryption within an outbound secure channel.

Note:

You can enable MACsec without enabling encryption. If a connectivity association with an outbound secure channel that has not enabled MACsec encryption is associated with an interface, traffic is forwarded across the Ethernet link in clear text. You are, therefore, able to view this unencrypted traffic when you are monitoring the link.

Offset

Specify the number of octets in an Ethernet frame that you want to send in unencrypted plain-text when encryption is enabled for MACsec.

Setting the offset to 30 allows a feature to see the IPv4 header and the TCP/UDP header while encrypting the remaining traffic. Setting the offset to 50 allows a feature to see the IPv6 header and the TCP/UDP header while encrypting the remaining traffic.

Secure Association

Specify the secure association keys corresponding to the secure association number. The key string is a 32-digit hexadecimal number.

Re-enter the secure association key for every secure association number. If there is a mismatch between the connectivity association key and their respective confirmation keys, an error message is shown.

What to Do Next

After you create the MACsec profile, you must assign the profile to the Junos Fusion Enterprise satellite device by using the Manage MacSec Profile page and then deploy the Device profile by using the Deploy mode.

To assign a MACsec Settings profile to a device, see Assigning the MACsec Profiles. For information about deploying the configurations, see Deploying Configuration to Devices.

Note:

You can assign the MACsec profile to the extended ports on Junos Fusion Enterprise Aggregation Device.

In the CAK mode, if you change the connection association key name of a deployed MACsec profile, you must re-configure the connectivity association key and the confirmation key for that profile. Similarly, in the SAK mode, if you change the inbound or outbound channel names of the deployed MACSec profiles, you must re-configure the key and the confirmation key for that profile.

Related Documentation

arrow_backward PREVIOUS Media Access Control Security Overview
NEXT arrow_forward Assigning the MACsec Profiles
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top