[j-nsp] MACsec over a service provider

Chuck Anderson cra at WPI.EDU
Fri Nov 17 18:43:23 EST 2017


In the end I discovered that CCC, l2circuit, etc. work fine for
transporting regular MACsec, no need for "WAN MACsec" or special
commands to forward dot1x frames.

I also got this to work with 2 links at the same time between the same
2 switches.  The problem I was having was related to using 1g SFPs in
EX-UM-4X4SFP in the EX4300-48P.  You have to turn off auto-neg and
force the speed to 1g.  You also have to restart the PIC or reboot
after changing an optic from 10gig to 1gig or vice versa.

On Fri, Nov 17, 2017 at 11:25:23PM +0000, Alex K. wrote:
> * As long as you have pure p2p links, you should be fine - Juniper gear
> meant.
> 
> On Nov 18, 2017 1:20 AM, "Alex K." <nsp.lists at gmail.com> wrote:
> 
> > Yes,
> >
> > But unfortunately (as far as j-nsp is concerned), using Cisco's gear.
> >
> > Cisco has a special flavor of MACSec, intended to address that issue
> > exactly - they call it WAN MACSec. We were able to use it across many different
> > SP circuits. As long as you have pure p2p links (real or simulated), you
> > should be fine. Unfortunately, I'm not aware of any similar Juniper
> > technique.
> >
> > Best regards,
> > Alex.
> >
> > On Oct 27, 2017 5:23 PM, "Chuck Anderson" <cra at wpi.edu> wrote:
> >
> > Has anyone been able to run MACsec over a service provider's Ethernet
> > Private Line (or even just an 802.1q vlan)?  I'm looking at using 10gig
> > ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink
> > module.

