[j-nsp] MACsec over a service provider

Alex K. nsp.lists at gmail.com
Sat Nov 18 02:05:51 EST 2017


Sure.

But it depends on the exact circuit you have (on the exact equipment and
settings your carrier uses). Since MACSec is a true point-to-point protocol,
carriers' equipment may interpret its packets (say EAPOL) as destined for
itself - instead of forwarding them thru the pseudo wire.

As far as I remember the deployment, most of the circuits were fine with
regular (i.e. LAN) MACSec. But some required the WAN flavor. Hence wouldn't
have worked with J-gear. Anyhow, I'm glad you were able to sort it out.

Best regards,
Alex.

On Nov 18, 2017 1:43 AM, "Chuck Anderson" <cra at wpi.edu> wrote:

In the end I discovered that CCC, l2circuit, etc. work fine for
transporting regular MACsec, no need for "WAN MACsec" or special
commands to forward dot1x frames.

I also got this to work with 2 links at the same time between the same
2 switches.  The problem I was having was related to using 1g SFPs in
EX-UM-4X4SFP in the EX4300-48P.  You have to turn off auto-neg and
force the speed to 1g.  You also have to restart the PIC or reboot
after changing an optic from 10gig to 1gig or vice versa.

On Fri, Nov 17, 2017 at 11:25:23PM +0000, Alex K. wrote:
> * As long as you have pure p2p links, you should be fine - Juniper gear
> meant.
>
> On Nov 18, 2017 1:20 AM, "Alex K." <nsp.lists at gmail.com> wrote:
>
> > Yes,
> >
> > But unfortunately (as far as j-nsp is considered), using Cisco's gear.
> >
> > Cisco has a special flavor of MACSec, intended to address that issue
> > exactly - they call it WAN MACSec. We were able to use it across many different
> > SP circuits. As long as you have pure p2p links (real or simulated), you
> > should be fine. Unfortunately, I'm not aware of any similar Juniper
> > technique.
> >
> > Best regards,
> > Alex.
> >
> > On Oct 27, 2017 5:23 PM, "Chuck Anderson" <cra at wpi.edu> wrote:
> >
> > Has anyone been able to run MACsec over a service provider's Ethernet
> > Private Line (or even just a 802.1q vlan)?  I'm looking at using 10gig
> > ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink
> > module.

