MACSec is kind of neat (TL;DR for the impatient: layer-1 crypto on links).
Media Access Control Security (MACsec) is an industry-standard security technology that provides secure communication for all traffic on Ethernet links. MACsec provides point-to-point security on Ethernet links between directly connected nodes and is capable of identifying and preventing most security threats, including denial of service, intrusion, man-in-the-middle, masquerading, passive wiretapping, and playback attacks. MACsec is standardized in IEEE 802.1AE.
MACsec allows you to secure an Ethernet link for almost all traffic, including frames from the Link Layer Discovery Protocol (LLDP), Link Aggregation Control Protocol (LACP), Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), and other protocols that are not typically secured on an Ethernet link because of limitations with other security solutions. MACsec can be used in combination with other security protocols such as IP Security (IPsec) and Secure Sockets Layer (SSL) to provide end-to-end network security.
CLI config:
#create an association:
set security macsec connectivity-association ca1
#choose a mode (static cak recommended — see here for why)
set security macsec connectivity-association ca1 security-mode static-cak
#ckn needs to be a 64-digit number in hex, but any empty space is padded w/ 0’s
set security macsec connectivity-association ca1 pre-shared-key ckn deadbeef99
#cak needs to be a 32-digit number in hex, but any empty space is padded w/ 0’s
set security macsec connectivity-association ca1 pre-shared-key cak deadbeef11
# set to 255 to make it “less likely” to be chosen as key server, 0 for “more likely”
set security macsec connectivity-association ca1 mka key-server-priority 0
# set to 6000 for high-traffic environment. default to 2000.
set security macsec connectivity-association ca1 mka transmit-interval 6000
#this leaves headers unencrypted for troubleshooting, set to 0 for full encryption, set to 50 for unencrypted ipv6 headers
set security macsec connectivity-association ca1 offset 30
# replay protection, set to 0 to enforce all packets coming in order
set security macsec connectivity-association ca1 replay-protect replay-window-size 5
# exclude a protocol
set exclude-protocol lldp
#enable macsec
set security macsec interfaces xe-0/1/0 connectivity-association ca1
Troubleshooting:
show security macsec statistics interface xe-0/1/0 detail
additional reading:
http://www.juniper.net/techpubs/en_US/junos13.2/topics/concept/macsec.html
http://www.juniper.net/techpubs/en_US/junos13.2/topics/reference/command-summary/show-security-macsec-statistics.html
(Cisco version: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-0_1_se/configuration/guide/3750xcg/swmacsec.pdf)
There’s a Cisco version of this here: http://david.piniella.net/2015/11/cisco-macsec-notes/