MACsec
MACsec is an IEEE standard (IEEE 802.1AE) for MAC security, introduced in 2006. It enables protocol-independent connectivity between two hosts, providing data confidentiality, authenticity, and integrity using GCM-AES ciphers. MACsec operates at the Ethernet layer as a Layer 2 protocol and secures traffic within Layer 2 networks, including DHCP and ARP requests. It does not compete with other security solutions, such as IPsec (Layer 3) or TLS (Layer 4), as each addresses distinct use cases.
Configuration
Common interface configuration
Configure the interface with one or more IP addresses.
The following options are available:
address: Assign one or more IPv4 or IPv6 addresses to the interface. For example, use 192.0.2.1/24 for IPv4 or 2001:db8::1/64 for IPv6.
dhcp: The interface obtains an IPv4 address from a DHCP server on the same network segment.
dhcpv6: The interface obtains an IPv6 address from a DHCPv6 server on the same network segment.
Note
If the interface obtains an IPv4 address via DHCP, and specific adjustments are needed before/after the IP address is obtained, use the provided hook scripts:
/config/scripts/dhcp-client/pre-hooks.d//config/scripts/dhcp-client/post-hooks.d/
Example:
set interfaces macsec macsec0 address 192.0.2.1/24
set interfaces macsec macsec0 address 2001:db8::1/64
set interfaces macsec macsec0 address dhcp
set interfaces macsec macsec0 address dhcpv6
Configure a clear, descriptive alias for the interface.
This alias appears in the show interfaces command and SNMP-based
monitoring tools.
Example:
set interfaces macsec macsec0 description 'This is an interface running on VyOS.'
Disable the interface.
The interface will be set to the administratively down
(A/D) state.
Example:
set interfaces macsec macsec0 disable
Disable Ethernet flow control (IEEE 802.3x pause frames) on the interface.
Ethernet flow control, defined by the IEEE 802.3x standard, temporarily stops data transmission to prevent packet loss during network congestion. For example, when a sender transmits data faster than the receiver can process it.
Disabling Ethernet flow control means the interface will not signal the connected device to pause transmission and will drop packets if overwhelmed.
Example:
set interfaces macsec macsec0 disable-flow-control
Disable physical link-state change detection on the interface, such as when a cable is unplugged.
By default, the interface detects physical link-state changes.
Example:
set interfaces macsec macsec0 disable-link-detect
Configure a custom MAC address on the interface.
Example:
set interfaces macsec macsec0 mac '00:53:01:02:03:04'
Configure the MTU on the interface.
This value defines the largest packet size, in bytes, that the interface transmits without fragmentation.
Example:
set interfaces macsec macsec0 mtu 1600
Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.
By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues that occur when Path MTU Discovery (PMTUD) fails.
The following options are available:
mss: Sets the MSS to a specific value, in bytes. Use this option if you need to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.
clamp-mss-to-pmtu: The router automatically calculates the MSS to be the interface’s MTU minus 40 bytes for IPv4 traffic (20 bytes for the IPv4 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.
Configure how long an ARP entry remains valid after learning an IP-to-MAC address mapping on this interface.
The default duration is 30 seconds.
An ARP entry remains valid if it receives positive feedback from higher-level protocols.
Example:
set interfaces macsec macsec0 ip arp-cache-timeout 180
Configure ARP filtering on this interface.
Default behavior: The kernel responds to ARP requests on this interface only if the traffic would be routed back to the ARP sender through that specific interface.
If configured: The kernel responds to ARP requests on this interface for any IP address configured on the local host, regardless of which specific interface that IP address is assigned to, and regardless of the routing table. This reflects the Linux concept that IP addresses belong to the host, not individual interfaces.
Example:
set interfaces macsec macsec0 ip disable-arp-filter
Configure the interface for host or router behavior.
If configured, the interface switches to host mode, and IPv4 forwarding is disabled on it.
Example:
set interfaces macsec macsec0 ip disable-forwarding
Configure whether to forward IP-directed broadcast packets received on this interface.
Default behavior: IP-directed broadcast packets are dropped.
If configured: IP-directed broadcast packets are forwarded to all hosts on the destination subnet, as defined in RFC 1812 and RFC 2644.
Example:
set interfaces macsec macsec0 ip enable-directed-broadcast
Configure how to process gratuitous ARPs on this interface.
If configured, an IP-to-MAC address mapping is added to the ARP table based on gratuitous ARP requests or replies.
Note
If the ARP table already contains the IP address from a gratuitous ARP, its entry is updated regardless of whether this setting is configured.
Example:
set interfaces macsec macsec0 ip enable-arp-accept
Configure the source IP selection for ARP requests on this interface.
Default behavior: The kernel can use any IP address the host owns as the source IP address in ARP requests on this interface.
If configured: The kernel first attempts to select a source IP address configured on the interface that shares a common subnet with the target IP address. If there is no such subnet, the kernel selects the IP address it would normally use (based on the routing table to reach the target destination).
Example:
set interfaces macsec macsec0 ip enable-arp-announce
Configure which ARP requests will be ignored on this interface.
Default behavior: The kernel responds to ARP requests for any local IP addresses, regardless of which interface they are assigned to.
If configured: The kernel responds to ARP requests only if the target IP address is assigned to this specific interface.
Example:
set interfaces macsec macsec0 ip enable-arp-ignore
Configure proxy ARP on this interface.
If configured, the router (kernel) intercepts ARP requests for non-local IP addresses and replies with the MAC address of the interface that received the request. Subsequent packets destined to these IP addresses are forwarded to their actual destinations on remote subnets.
Example:
set interfaces macsec macsec0 ip enable-proxy-arp
Configure local proxy ARP on the interface.
If configured, the router (kernel) responds to ARP requests on this VLAN interface even if the target IP address resides on the same subnet and interface.
This is used to support network isolation requirements (RFC 3069) for private VLANs (PVLANs). In PVLAN configurations, hosts on isolated ports are NOT allowed to communicate directly with each other at Layer 2, but they can communicate with the upstream router.
By replying to inter-host ARP requests with its own MAC address, the router (kernel) directs inter-host traffic through itself instead of directly between hosts.
Note
This command works independently and does not require enabling the standard proxy ARP on the interface.
Local proxy ARP is also known as:
VLAN aggregation (RFC 3069).
Private VLAN (Cisco, Allied Telesyn).
Source-port filtering or port isolation (Hewlett-Packard).
MAC-Forced Forwarding (Ericsson).
Configure source IP address validation using RPF on this interface, as specified in RFC 3704.
The following options are available:
strict: Each incoming packet’s source IP address is checked against the Forwarding Information Base (FIB). If the interface is not the best route back to that source, validation fails, and the packet is dropped.
loose: Each incoming packet’s source IP address is checked against the FIB. If the source IP address is unreachable through any interface, validation fails.
disable: No source IP address validation is performed. All incoming packets are accepted.
RFC 3704 recommends enabling strict mode to prevent IP spoofing, such as DDoS attacks. For asymmetric or other complex routing scenarios, use loose mode.
Configure the interface to automatically obtain an IPv6 address using SLAAC, as specified in RFC 4862.
IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters. The router responds with a router advertisement packet containing Internet Layer configuration parameters.
Note
This method automatically disables IPv6 traffic forwarding on the interface.
Example:
set interfaces macsec macsec0 ipv6 address autoconf
Configure the interface to assign itself an IPv6 address using the EUI-64 method, as specified in RFC 4291.
Example:
set interfaces macsec macsec0 ipv6 address eui64 2001:db8:beef::/64
Disable the automatic assignment of a link-local IPv6 address to this interface.
Example:
set interfaces macsec macsec0 ipv6 address no-default-link-local
Configure the interface for host or router behavior.
If configured, the interface switches to host mode, and IPv6 forwarding is disabled on it.
Example:
set interfaces macsec macsec0 ipv6 disable-forwarding
Configure the MSS advertised in outgoing TCP SYN packets on the specified interface.
By clamping the MSS value in TCP SYN packets, you explicitly inform the remote side not to send packets larger than that size. This prevents connection issues when Path MTU Discovery (PMTUD) fails.
The following options are available:
mss: Set the MSS to a specific value, in bytes. Use this option to enforce a specific MSS, for example, to troubleshoot connectivity issues or accommodate specific network requirements.
clamp-mss-to-pmtu: The router calculates the MSS to be the interface’s MTU minus 60 bytes for IPv6 traffic (40 bytes for the IPv6 header and 20 bytes for the TCP header). This option is recommended to automatically set the proper value.
Configure IPv6 DAD on the interface.
The following options are available:
0: Disables DAD. No duplicate address detection is performed.
1: Enables DAD (default). Duplicate addresses are detected. The interface’s IPv6 operation continues for valid IPv6 addresses.
2: Enables DAD and, if a MAC-based duplicate link-local address is found, disables IPv6 operation on this interface.
Example:
set interfaces macsec macsec0 ipv6 accept-dad 2
Configure the number of DAD messages that the router (kernel) sends during IPv6 address assignment on this interface.
The default value is 1.
Example:
set interfaces macsec macsec0 ipv6 dup-addr-detect-transmits 5
Assign the interface to a specific VRF instance.
See also
For information on configuring a VRF, refer to the VRF section.
Example:
set interfaces macsec macsec0 vrf red
DHCP(v6)
Configure a DHCP client identifier for the interface, as specified in RFC 2131.
The client-id is an identifier that the DHCP client sends to the DHCP
server to uniquely identify itself for IP address assignment. By default,
the client uses its MAC address. The <description> is a user-defined
string that will be sent to the DHCP server as the DHCP client identifier.
Example:
set interfaces macsec macsec0 dhcp-options client-id 'foo-bar'
Configure a specific hostname for the interface.
Instead of the real hostname, the DHCP client will send the specific hostname to the DHCP server when requesting an IP address.
Example:
set interfaces macsec macsec0 dhcp-options host-name 'VyOS'
Configure the DHCP client to include a vendor-class identifier in its DHCP requests on this interface.
The vendor-class identifier is a vendor-specific byte string that enables the DHCP server to identify the device and, in some cases, provide configuration options.
Example:
set interfaces macsec macsec0 dhcp-options vendor-class-id 'VyOS'
Configure the DHCP client to obtain an IP address, but ignore any default gateway provided by the DHCP server on this interface.
Example:
set interfaces macsec macsec0 dhcp-options no-default-route
Configure the distance for the default route obtained from the DHCP server on this interface.
Example:
set interfaces macsec macsec0 dhcp-options default-route-distance 220
Configure the DHCP client to reject the specific IP address or IP address range from the DHCP server on this interface.
This is useful when a modem assigns a local IP address upon start. To reject multiple addresses, run this command multiple times with different values. You can reject individual addresses (192.168.100.1) or entire subnets (192.168.100.0/24).
Example:
set interfaces macsec macsec0 dhcp-options reject 192.168.100.0/24
Configure the DHCP client to send a specific user-class identifier in its DHCP requests on this interface.
The DHCP server can interpret this identifier and provide specific configuration options based on it (for example, default routes). The user-class value typically groups DHCP clients with similar configuration needs (for example, employees, guests, or printers).
Example:
set interfaces macsec macsec0 dhcp-options user-class VyOS
Configure a specific DUID for the DHCPv6 client on this interface.
The DUID is an identifier used by a DHCPv6 client to get an IPv6 address from a DHCPv6 server. It consists of a 2-byte type field, followed by a variable-length identifier field up to 128 bytes. The format of the identifier part depends on the DUID type:
DUID-LLT: The most common type, which includes a hardware type, a timestamp, and a MAC address.
DUID-EN: Is based on a vendor’s enterprise number and a unique identifier assigned by the vendor.
DUID-LL: Includes only a MAC address.
The DHCP server matches the DUID against its database and provides configuration data (such as address, lease times, DNS servers, etc.) to the DHCP client.
Example:
set interfaces macsec macsec0 duid '0e:00:00:01:00:01:27:71:db:f0:00:50:56:bf:c5:6d'
Configure the DHCP client not to send a release message when it stops running on this interface.
This helps retain the assigned address or prefix.
Example:
set interfaces macsec macsec0 dhcpv6-options no-release
Enable a stateless DHCPv6 client mode on this interface.
In stateless mode, the DHCPv6 client requests only stateless configuration parameters from the DHCP server (for example, DNS server addresses). It doesn’t request a stateful configuration, such as IPv6 addresses or prefixes.
Example:
set interfaces macsec macsec0 dhcpv6-options parameters-only
Enable DHCPv6 rapid commit on this interface.
When enabled, the DHCP client and server skip the negotiation steps (Advertise and Request), completing the DHCPv6 configuration process in just two messages (Solicit and final Reply).
Example:
set interfaces macsec macsec0 dhcpv6-options rapid-commit
Configure the DHCPv6 client to request a temporary IPv6 address on this interface.
When configured, the DHCP client doesn’t form an Identity Association for Non-temporary Addresses (IA_NA) partnership. Consequently, it only obtains a temporary IPv6 address and doesn’t obtain a permanent one.
Example:
set interfaces macsec macsec0 dhcpv6-options temporary
DHCPv6 Prefix Delegation (PD)
VyOS supports DHCPv6 Prefix Delegation (DHCPv6-PD) as described in RFC 3633. DHCPv6-PD is supported by most ISPs that provide native IPv6 for consumers on fixed networks.
Configure a specific prefix length for DHCPv6-PD requests on this interface.
Some ISPs provide only a /64 prefix by default. Use this command to request a different prefix length for a specific DHCPv6-PD request, ranging from /32 (if allowed by your ISP) down to /64. <id> is a unique identifier for the DHCPv6-PD request.
The default value is 64.
To request a /56 prefix from your ISP, use:
set interfaces macsec macsec0 dhcpv6-options pd 0 length 56
Configure the IPv6 interface identifier (host portion) for the delegatee interface.
The value must be a decimal integer. It is appended to the delegated prefix and the configured SLA ID to form the final IPv6 address.
By default, the host portion is generated based on the parent interface’s MAC address (EUI-64 format).
Example:
If a /64 prefix is delegated to interface eth8 and you configure the host portion as 65535, the resulting IPv6 address will end with ::ffff, as 65535 corresponds to ffff in hexadecimal notation.
set interfaces macsec macsec0 dhcpv6-options pd 0 interface eth8 address 65534
Configure the SLA ID for the delegatee interface.
The value must be a decimal integer greater than 0 and fit in the length of SLA IDs. It is converted to hexadecimal and appended to the delegated prefix to form the specific subnet prefix for the delegatee interface.
Example:
If SLA ID is 1 and the delegated prefix is 2001:db8:ffff::/48, the
resulting subnet prefix for the delegatee interface will be
2001:db8:ffff:1::/64.
set interfaces macsec macsec0 dhcpv6-options pd 0 interface eth8 sla-id 1
MACsec options
Configure the cipher suite for the MACsec interface.
This configuration parameter is mandatory.
Enable encryption on the MACsec interface.
By default, MACsec interfaces only provide authentication; encryption is optional.
When enabled, outgoing packets are encrypted using the configured cipher suite.
Configure a physical source interface for the MACsec interface.
Traffic transmitted through this interface is authenticated and, if configured, encrypted.
MACsec key management
Static SAK mode
In static SAK mode, administrators must manually configure and update SAKs on each MACsec peer. MKA cannot be used in this mode.
Configure the Transmit (TX) SAK for the MACsec interface.
The key must be a 16-byte (GCM-AES-128) or 64-byte (GCM-AES-256) hexadecimal string.
Configure the MAC address associated with the MACsec peer.
Configure the RX SAK for traffic from the MACsec peer.
The key must be a 16-byte (GCM-AES-128) or 64-byte (GCM-AES-256) hexadecimal string.
Disable the specific MACsec peer.
Dynamic MKA mode
In this mode, the MKA protocol is used to generate, distribute, and update CAKs, and to authenticate MACsec peers.
Configure the CAK for the MACsec interface.
The CAK and its CKN form the pre-shared master key pair used to authenticate MACsec peers.
Configure the CKN for the MACsec interface.
Replay protection
The replay protection window defines how many out-of-order frames can be received before they are dropped as a potential replay attack.
The following values are valid:
0: Any out-of-order frame is immediately dropped.1-4294967295: Allows the specified number of out-of-order frames.
Operation
Generate a 128-bit (GCM-AES-128) or 256-bit (GCM-AES-256) MKA CAK.
vyos@vyos:~$ generate macsec mka cak gcm-aes-128
20693b6e08bfa482703a563898c9e3ad
Generate an MKA CAK.
vyos@vyos:~$ generate macsec mka ckn
88737efef314ee319b2cbf30210a5f164957d884672c143aefdc0f5f6bc49eb2
Show all MACsec interfaces.
vyos@vyos:~$ show interfaces macsec
17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 005056bfefaa0001 on SA 0
20: macsec0: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 005056bfefaa0001 on SA 0
Show information for a specific MACsec interface.
vyos@vyos:~$ show interfaces macsec macsec1
17: macsec1: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
cipher suite: GCM-AES-128, using ICV length 16
TXSC: 005056bfefaa0001 on SA 0
Examples
Site-to-site MACsec with dynamic MKA over an untrusted network
In the following example, two routers (R1 and R2) are connected via an
untrusted switch, using their eth1 interfaces as the underlay. The MACsec
interface (macsec1) with dynamic MKA encrypts traffic between them.
Topology details:
R1 IP addresses:
192.0.2.1/24and2001:db8::1/64.R2 IP addresses:
192.0.2.2/24and2001:db8::2/64.
R1
set interfaces macsec macsec1 address '192.0.2.1/24'
set interfaces macsec macsec1 address '2001:db8::1/64'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec1 security mka ckn '40916f4b23e3d548ad27eedd2d10c6f98c2d21684699647d63d41b500dfe8836'
set interfaces macsec macsec1 source-interface 'eth1'
R2
set interfaces macsec macsec1 address '192.0.2.2/24'
set interfaces macsec macsec1 address '2001:db8::2/64'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security mka cak '232e44b7fda6f8e2d88a07bf78a7aff4'
set interfaces macsec macsec1 security mka ckn '40916f4b23e3d548ad27eedd2d10c6f98c2d21684699647d63d41b500dfe8836'
set interfaces macsec macsec1 source-interface 'eth1'
Pinging (IPv6) the other host and intercepting traffic on eth1 confirm that
the content is encrypted.
17:35:44.586668 00:50:56:bf:ef:aa > 00:50:56:b3:ad:d6, ethertype Unknown (0x88e5), length 150:
0x0000: 2c00 0000 000a 0050 56bf efaa 0001 d9fb ,......PV.......
0x0010: 920a 8b8d 68ed 9609 29dd e767 25a4 4466 ....h...)..g%.Df
0x0020: 5293 487b 9990 8517 3b15 22c7 ea5c ac83 R.H{....;."..\..
0x0030: 4c6e 13cf 0743 f917 2c4e 694e 87d1 0f09 Ln...C..,NiN....
0x0040: 0f77 5d53 ed75 cfe1 54df 0e5a c766 93cb .w]S.u..T..Z.f..
0x0050: c4f2 6e23 f200 6dfe 3216 c858 dcaa a73b ..n#..m.2..X...;
0x0060: 4dd1 9358 d9e4 ed0e 072f 1acc 31c4 f669 M..X...../..1..i
0x0070: e93a 9f38 8a62 17c6 2857 6ac5 ec11 8b0e .:.8.b..(Wj.....
0x0080: 6b30 92a5 7ccc 720b k0..|.r.
Disabling encryption on the MACsec interface by removing the security
encrypt option shows the unencrypted but authenticated content.
17:37:00.746155 00:50:56:bf:ef:aa > 00:50:56:b3:ad:d6, ethertype Unknown (0x88e5), length 150:
0x0000: 2000 0000 0009 0050 56bf efaa 0001 86dd .......PV.......
0x0010: 6009 86f3 0040 3a40 2001 0db8 0000 0000 `....@:@........
0x0020: 0000 0000 0000 0001 2001 0db8 0000 0000 ................
0x0030: 0000 0000 0000 0002 8100 d977 0f30 0003 ...........w.0..
0x0040: 1ca0 c65e 0000 0000 8d93 0b00 0000 0000 ...^............
0x0050: 1011 1213 1415 1617 1819 1a1b 1c1d 1e1f ................
0x0060: 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f .!"#$%&'()*+,-./
0x0070: 3031 3233 3435 3637 87d5 eed3 3a39 d52b 01234567....:9.+
0x0080: a282 c842 5254 ef28 ...BRT.(
Site-to-site MACsec with static SAK over an untrusted network
This example uses the same topology as above, but applies static SAK mode to the MACsec interface configuration.
R1
set interfaces macsec macsec1 address '192.0.2.1/24'
set interfaces macsec macsec1 address '2001:db8::1/64'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:02
set interfaces macsec macsec1 security static peer R2 key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
set interfaces macsec macsec1 source-interface 'eth1'
R2
set interfaces macsec macsec1 address '192.0.2.2/24'
set interfaces macsec macsec1 address '2001:db8::2/64'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
set interfaces macsec macsec1 security static peer R1 mac 00:11:22:33:44:01
set interfaces macsec macsec1 security static peer R1 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
set interfaces macsec macsec1 source-interface 'eth1'
MACsec over WAN
MACsec offers an alternative to traditional tunneling solutions by securing Layer 2 with integrity, origin authentication, and optional encryption.
While typically deployed between hosts and access switches, MACsec can also secure traffic over a WAN. In the following example, we combine VXLAN (for transport) and MACsec (for security) to create a secure tunnel between two sites.
R1 MACsec01
set interfaces macsec macsec1 address '192.0.2.1/24'
set interfaces macsec macsec1 address '2001:db8::1/64'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
set interfaces macsec macsec1 security static peer SEC02 key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
set interfaces macsec macsec1 security static peer SEC02 mac '00:11:22:33:44:02'
set interfaces macsec macsec1 source-interface 'vxlan1'
set interfaces vxlan vxlan1 mac '00:11:22:33:44:01'
set interfaces vxlan vxlan1 remote '10.1.3.3'
set interfaces vxlan vxlan1 source-address '172.16.100.1'
set interfaces vxlan vxlan1 vni '10'
set protocols static route 10.1.3.3/32 next-hop 172.16.100.2
R2 MACsec02
set interfaces macsec macsec1 address '192.0.2.2/24'
set interfaces macsec macsec1 address '2001:db8::2/64'
set interfaces macsec macsec1 security cipher 'gcm-aes-128'
set interfaces macsec macsec1 security encrypt
set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
set interfaces macsec macsec1 security static peer SEC01 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
set interfaces macsec macsec1 security static peer SEC01 mac '00:11:22:33:44:01'
set interfaces macsec macsec1 source-interface 'vxlan1'
set interfaces vxlan vxlan1 mac '00:11:22:33:44:02'
set interfaces vxlan vxlan1 remote '10.1.2.2'
set interfaces vxlan vxlan1 source-address '172.16.100.2'
set interfaces vxlan vxlan1 vni '10'
set protocols static route 10.1.2.2/32 next-hop 172.16.100.1