3 files changed, 61 insertions, 5 deletions

diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst
index 60877d73..0c0c052b 100644
--- a/docs/configuration/interfaces/macsec.rst
+++ b/docs/configuration/interfaces/macsec.rst
@@ -44,6 +44,30 @@ MACsec options
   A physical interface is required to connect this MACsec instance to. Traffic
   leaving this interface will now be authenticated/encrypted.
 
+Static Keys
+-----------
+Static :abbr:`SAK (Secure Authentication Key)` mode can be configured manually on each
+device wishing to use MACsec. Keys must be set statically on all devices for traffic
+to flow properly. Key rotation is dependent on the administrator updating all keys
+manually across connected devices. Static SAK mode can not be used with MKA.
+
+.. cfgcmd:: set interfaces macsec <interface> security static key <key>
+
+  Set the device's transmit (TX) key. This key must be a hex string that is 16-bytes 
+  (GCM-AES-128) or 32-bytes (GCM-AES-256).
+
+.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> mac <mac address>
+
+  Set the peer's MAC address
+
+.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> key <key>
+
+  Set the peer's key used to receive (RX) traffic
+
+.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> disable
+
+  Disable the peer configuration
+
 Key Management
 --------------
 
@@ -188,3 +212,28 @@ the unencrypted but authenticated content.
           0x0070:  3031 3233 3435 3637 87d5 eed3 3a39 d52b  01234567....:9.+
           0x0080:  a282 c842 5254 ef28                      ...BRT.(
 
+**R1 Static Key**
+
+.. code-block:: none
+
+  set interfaces macsec macsec1 address '192.0.2.1/24'
+  set interfaces macsec macsec1 address '2001:db8::1/64'
+  set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+  set interfaces macsec macsec1 security encrypt
+  set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+  set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:02
+  set interfaces macsec macsec1 security static peer R2 key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+  set interfaces macsec macsec1 source-interface 'eth1'
+
+**R2 Static Key**
+
+.. code-block:: none
+
+  set interfaces macsec macsec1 address '192.0.2.2/24'
+  set interfaces macsec macsec1 address '2001:db8::2/64'
+  set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+  set interfaces macsec macsec1 security encrypt
+  set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+  set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01
+  set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+  set interfaces macsec macsec1 source-interface 'eth1'
\ No newline at end of file
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst
index 5eb10fe8..d2916d9f 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/interfaces/wireguard.rst
@@ -183,6 +183,10 @@ traffic.
   The command :opcmd:`show interfaces wireguard wg01 public-key` will then show the
   public key, which needs to be shared with the peer.
 
+.. cmdinclude:: /_include/interface-per-client-thread.txt
+   :var0: wireguard
+   :var1: wg01
+
 **remote side - commands**
 
 .. code-block:: none
diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst
index f45101b5..e853a1ec 100644
--- a/docs/configuration/interfaces/wireless.rst
+++ b/docs/configuration/interfaces/wireless.rst
@@ -122,6 +122,10 @@ Wireless options
   * ``station`` - Connects to another access point
   * ``monitor`` - Passively monitor all packets on the frequency/channel
 
+.. cmdinclude:: /_include/interface-per-client-thread.txt
+   :var0: wireless
+   :var1: wlan0
+
 PPDU
 ----
 
@@ -304,6 +308,7 @@ default physical device (``phy0``) is used.
 
   set interfaces wireless wlan0 type station
   set interfaces wireless wlan0 address dhcp
+  set interfaces wireless wlan0 country-code de
   set interfaces wireless wlan0 ssid Test
   set interfaces wireless wlan0 security wpa passphrase '12345678'
 
@@ -315,6 +320,7 @@ Resulting in
     [...]
     wireless wlan0 {
       address dhcp
+      country-code de
       security {
         wpa {
           passphrase "12345678"
@@ -350,6 +356,7 @@ The WAP in this example has the following characteristics:
 .. code-block:: none
 
   set interfaces wireless wlan0 address '192.168.2.1/24'
+  set interfaces wireless wlan0 country-code de
   set interfaces wireless wlan0 type access-point
   set interfaces wireless wlan0 channel 1
   set interfaces wireless wlan0 mode n
@@ -367,6 +374,7 @@ Resulting in
     [...]
     wireless wlan0 {
           address 192.168.2.1/24
+          country-code de
           channel 1
           mode n
           security {
@@ -385,11 +393,6 @@ Resulting in
           type access-point
       }
   }
-  system {
-    [...]
-    wifi-regulatory-domain DE
-  }
-
 
 VLAN
 ====