Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[MX] Traffic fails between Cisco switch and Juniper Router after MACSEC configuration



Article ID: KB35065 KB Last Updated: 18 Sep 2019Version: 1.0

MACSEC comes UP as expected immediately after it is configured. However, traffic fails between the Cisco switch and Juniper Router.

  • When initiating a ping from Cisco switch to Juniper router, it is clear that ARP is being learnt on Juniper, while Cisco fails to do the same.

  • It is also clear that ARP responses are being sent out from Juniper router, but the Cisco switch fails to see them.

  • Verified with firewall filters on the physical interfaces to ensure that the MACSEC has 'must-secure' configured on both sides, along with the same Cipher suite, which shows the MACSEC status is UP as expected.


In this situation, the 'include-sci' is 'yes' by default on the Cisco switch, while it is optional for Juniper. 


Add  'include-sci' on the Juniper Router MACSEC configuration as follows:

#set security macsec connectivity-association connectivity-association-name include-sci

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search