[j-nsp] LAN encryption

Kevin Day toasty at dragondata.com
Mon Dec 14 18:39:31 EST 2015


My quick notes, since I just went through MACsec research recently:


MX: Only supported on MIC-3D-20GE-SFP-E

EX9200: Only supported on EX9200-40FE, and only on even numbered ports. Unclear if a license is needed or not.

EX4200: Only supported on ports on optional EX-UM-2X4SFP-M module. Requires EX-QFX-MACSEC-ACC license.

EX4300-24T/24P/48T/48P/32F: Supports MACsec on all ports (24 or 48x1G and 4x10G). Requires EX-QFX-MACSEC-ACC license.

EX4550-32F (but not 32T): Supports MACsec on all ports. Produces a fair amount of heat if you have all ports doing MACsec at once, possibly over the data sheet’s rated wattage limit - add 8W per MACsec-enabled port. Requires EX-QFX-MACSEC-AGG (not -ACC like above) license.

EX4600: Supports MACsec on all built-in ports, as well as on any EX4600-EM-8F modules. Only works on 10G ports though, will not work on 1G modules. Also does not support “switch-to-host” mode, “switch-to-switch” mode only. Requires EX-QFX-MACSEC-AGG.

QFX5100-24Q: Support only on the 8 ports on an optional EX4600-EM-8F module, not the built-in ports. 10G only. Does not support “switch-to-host” mode. Requires EX-QFX-MACSEC-AGG license.


They also explicitly say they don’t support MACsec on copper SFP/SFP+ modules, but it seems to work here.



> On Dec 14, 2015, at 5:23 PM, Jeff McAdams <jeffm at iglou.com> wrote:
> 
> Last I checked (a month or so ago?) there is only a single MIC (20x1gbps maybe) that can do MacSec on the MX. I think the plan is for future MPCs to support it with any enet MICs connected, but it's not there, yet.
> 
> I don't know for the full QFX line, but the EX4600s I have supposedly can do line-rate (or at least very close) MacSec on all ports. I haven't had the opportunity, yet, to actually try it.
> 
> If FIPS 140-2 compliance is relevant for you, MacSec is currently excluded from FIPS 140-2 validation.
> 
> -- 
> Jeff


