[j-nsp] LAN encryption

Damien DeVille damien.deville at gmail.com
Mon Dec 14 19:12:16 EST 2015


A good place to look for feature support is
http://pathfinder.juniper.net/home/ where you can search by product type or
by feature (among other things).

A search for MACsec for switch to switch connections yields the following:
http://pathfinder.juniper.net/feature-explorer/feature-info.html?fKey=6117&fn=Media%20Access%20Control%20Security%20%28MACsec%29%20for%20switch%20to%20switch%20connections

I don't believe that MACsec is currently supported on any interfaces other
than 1G/10G sfp/sfp+ interfaces regardless of platform at this time.

-- 
Damien

On Mon, Dec 14, 2015 at 6:39 PM, Kevin Day <toasty at dragondata.com> wrote:

> My quick notes, since I just went through MACsec research recently:
>
>
> MX: Only supported on MIC-3D-20GE-SFP-E
>
> EX9200: Only supported on EX9200-40FE, and only on even numbered ports.
> Unclear if a license is needed or not.
>
> EX4200: Only supported on ports on optional EX-UM-2X4SFP-M module.
> Requires EX-QFX-MACSEC-ACC license.
>
> EX4300-24T/24P/48T/48P/32F: Supports MACsec on all ports (24 or 48x1G and
> 4x10G). Requires EX-QFX-MACSEC-ACC license.
>
> EX4550-32F (but not 32T): Supports MACsec on all ports. Produces a fair
> amount of heat if you have all ports doing MACsec at once, possibly over
> the data sheet’s rated wattage limit - add 8W per macsec enabled port.
> Requires EX-QFX-MACSEC-AGG (not -ACC like above) license.
>
> EX4600: Supports MACsec on all built in ports, as well as on any
> EX4600-EM-8F modules. Only works on 10G ports though, will not work on 1G
> modules. Also does not support “switch-to-host” mode, “switch-to-switch”
> mode only.  Requires EX-QFX-MACSEC-AGG.
>
> QFX5100-24Q: Support only on the 8 ports on an optional EX4600-EM-8F
> module, not the built in ports. 10G only. Does not support “switch-to-host”
> mode. Requires EX-QFX-MACSEC-AGG license.
>
>
> They also explicitly say they don’t support MACsec on copper SFP/SFP+
> modules, but it seems to work here.
>
>
>
> > On Dec 14, 2015, at 5:23 PM, Jeff McAdams <jeffm at iglou.com> wrote:
> >
> > Last I checked (a month or so ago?) there is only a single MIC (20x1gbps
> > maybe) that can do MacSec on the MX. I think the plan is for future MPCs to
> > support it with any enet MICs connected, but it's not there, yet.
> >
> > I don't know for the full QFX line, but the EX4600s I have supposedly
> > can do line-rate (or at least very close) MacSec on all ports. I haven't
> > had the opportunity, yet, to actually try it.
> >
> > If FIPS 140-2 compliance is relevant for you, MacSec is currently
> > excluded from FIPS 140-2 validation.
> >
> > --
> > Jeff
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

