이 페이지에서는 MACsec for Cloud Interconnect fail-open 동작을 수정하는 방법을 설명합니다.
fail-open 동작으로 MACsec for Cloud Interconnect를 사용 설정할 수 있습니다. fail-open은 Google 에지 라우터가 라우터와의 MACsec 키 일치(MKA) 세션을 설정할 수 없는 경우 암호화되지 않은 트래픽으로 Cloud Interconnect 연결이 계속 작동하는 것을 의미합니다. 라우터에서 MKA 세션을 설정할 수 없는 경우 기본 설정이 모든 트래픽을 삭제합니다.
Google Cloud CLI를 사용해야만 MACsec 장애 조치 동작을 변경할 수 있습니다.
fail-open 동작 사용 설정
fail-open 동작으로 MACsec for Cloud Interconnect를 사용 설정하기 전에 Cloud Interconnect 연결에 트래픽이 없는지 확인합니다.
MACsec for Cloud Interconnect에 fail-open 동작이 사용 설정된 경우 나중에 fail-open 동작을 사용 중지할 수 있습니다. fail-open 동작이 사용 중지된 후 Google 에지 라우터가 라우터와의 MACSec 키 일치(MKA) 세션을 설정할 수 없는 경우 연결이 모든 트래픽을 삭제합니다.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-05(UTC)"],[],[],null,["# Modify fail-open behavior\n\nThis page describes how to modify MACsec for Cloud Interconnect\nfail-open behavior.\n\nYou can choose to enable MACsec for Cloud Interconnect with fail-open\nbehavior. Fail-open means that if Google's edge routers can't establish a MACsec\nkey agreement (MKA) session with your router, then the Cloud Interconnect\nconnection remains operational with unencrypted traffic. The default setting\ndrops all traffic if an MKA session can't be established with your router.\n\nYou can change MACsec fail-over behavior only by using the Google Cloud CLI.\n| **Warning:** To avoid unintentionally passing unencrypted traffic, we recommend that you use the default setting for production traffic, and use fail-open behavior only for testing and troubleshooting.\n\nEnable fail-open behavior\n-------------------------\n\nVerify that there is no traffic on your Cloud Interconnect connection before\nenabling MACsec for Cloud Interconnect with fail-open behavior.\n**Important:** When you enable fail-open behavior on your Cloud Interconnect connection, you must temporarily disable MACsec on your Cloud Interconnect connection. The connection temporarily experiences packet loss as a result. To avoid disruption to your network, verify that there is no traffic on your Cloud Interconnect VLAN attachments before disabling MACsec for Cloud Interconnect. For more information, see [Disable or enable VLAN attachments](/network-connectivity/docs/interconnect/how-to/dedicated/disabling-vlans). \n\n### gcloud\n\nRun the following commands: \n\n gcloud compute interconnects macsec update \u003cvar translate=\"no\"\u003eINTERCONNECT_CONNECTION_NAME\u003c/var\u003e \\\n --no-enabled \\\n --fail-open\n gcloud compute interconnects macsec update \u003cvar translate=\"no\"\u003eINTERCONNECT_CONNECTION_NAME\u003c/var\u003e \\\n --enabled\n\nDisable fail-open behavior\n--------------------------\n\nIf you have fail-open behavior enabled for MACsec for Cloud Interconnect,\nyou can choose to later disable fail-open behavior. After fail-open behavior is\ndisabled, if Google's edge routers can't establish a MACsec key agreement (MKA)\nsession with your router, then the connection drops all traffic.\n**Important:** When you disable fail-open behavior on your Cloud Interconnect connection, you must temporarily disable MACsec on your Cloud Interconnect connection. The connection temporarily experiences packet loss as a result. To avoid disruption to your network, verify that there is no traffic on your Cloud Interconnect VLAN attachments before disabling MACsec for Cloud Interconnect. For more information, see [Disable or enable VLAN attachments](/network-connectivity/docs/interconnect/how-to/dedicated/disabling-vlans). \n\n### gcloud\n\nRun the following commands: \n\n gcloud compute interconnects macsec update \u003cvar translate=\"no\"\u003eINTERCONNECT_CONNECTION_NAME\u003c/var\u003e \\\n --no-enabled \\\n --no-fail-open\n gcloud compute interconnects macsec update \u003cvar translate=\"no\"\u003eINTERCONNECT_CONNECTION_NAME\u003c/var\u003e \\\n --enabled\n\nWhat's next?\n------------\n\n- [Troubleshoot MACsec](/network-connectivity/docs/interconnect/how-to/macsec/troubleshoot-macsec)"]]
