[j-nsp] MACsec over a service provider
Chuck Anderson
cra at WPI.EDU
Tue Oct 31 16:49:08 EDT 2017
My testing has revealed that it works, as long as the service provider (MX) is doing something like e-line/l2circuit/CCC rather than bridging. I even got it to work with ethernet-ccc on the MX port facing the EX4300 and vlan-ccc on the MX port facing the core/WAN.
However, I've now run into an issue where I can only get a single MACsec connection working on the EX4300s. As soon as I add a 2nd one, it fails to come up. If I then reboot, neither one comes up. If I deactivate the 2nd one, the 1st one comes up.
On Tue, Oct 31, 2017 at 07:30:35PM +0000, Nick Cutting wrote:
> I am also interested in this - my carriers keep saying "try it"
>
> I have the config now - still have not tested - but I'm moving many of my customer P2P links (hosted by carriers) to nexus switches that don't support macsec.
>
> Is anyone in the enterprise doing this over e-line services?
>
> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Chuck Anderson
> Sent: Friday, October 27, 2017 9:39 PM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] MACsec over a service provider
>
> Destination MAC 01:80:c2:00:00:03, EtherType 0x888e (ieee8021x) is eaten by the PE router (MX480). I'm not sure about the ASR9k at the other end of the production scenario--it may have the same trouble.
>
> My lab is like this, with the EX2200 substituting for the ASR9k. The idea is to have MACsec between the EX4300s, with the middle being transparent to it.
>
> I got this working:
>
> EX4300---EX2200---EX4300
>
> For the EX2200, I had to configure layer2-protocol-tunneling to allow the EAPOL 802.1x through:
>
> vlans {
>     MACSEC-TRANSPORT {
>         vlan-id 10;
>         ##
>         ## Warning: requires 'dot1q-tunneling' license
>         ##
>         dot1q-tunneling {
>             layer2-protocol-tunneling {
>                 all;
>             }
>         }
>     }
> }
>
> MACsec comes up fine on both EX4300s and I can ping between them.
>
>
> But this fails:
>
> EX4300---EX2200---MX480---EX4300
>
> I'm doing simple bridging through the MX, but the MX doesn't support the mac-rewrite needed (ieee8021x). Anyone have any clever ideas to work around that limitation?
>
> On Fri, Oct 27, 2017 at 05:40:57PM +0300, Elijah Zhuravlev wrote:
> > Hello
> >
> > Ethertypes 0x888e and 0x88e5 should be supported by the switching hw,
> > no other special requirements.
> > Btw keep in mind MACsec overhead, +32.
> >
> > regards, Eli
> >
> > On Fri, 27 Oct 2017 10:23:01 -0400
> > Chuck Anderson <cra at WPI.EDU> wrote:
> >
> > > Has anyone been able to run MACsec over a service provider's
> > > Ethernet Private Line (or even just an 802.1q vlan)? I'm looking at
> > > using 10gig ports on the EX4300 or the EX4600/QFX5100-24Q with the
> > > MACsec uplink module.
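The thread turns on two facts: EAPOL/MKA frames (destination 01:80:c2:00:00:03, EtherType 0x888e) get consumed by a bridging PE unless layer2-protocol-tunneling carries them, and a MACsec-protected frame (EtherType 0x88e5) is larger than the plaintext frame by up to 32 bytes. The following is an added example, not code from the thread or from Juniper: it parses raw Ethernet frames (optionally 802.1Q-tagged, as on a vlan-ccc port), flags the EAPOL frames a transit switch must pass through, and for MACsec frames derives the per-frame overhead from the SecTAG layout in IEEE 802.1AE (8-byte SecTAG, 16 bytes when the SC bit signals an explicit SCI, plus a 16-byte ICV), which is where the "+32" comes from. All sample frames are constructed by hand, not captured traffic.

```python
"""Frame classifier for MACsec-over-carrier troubleshooting (added example,
not from the juniper-nsp thread). Sample frames below are constructed."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_EAPOL = 0x888E    # IEEE 802.1X; carries MKA for MACsec key agreement
ETHERTYPE_MACSEC = 0x88E5   # IEEE 802.1AE SecTAG
EAPOL_GROUP_MAC = bytes.fromhex("0180c2000003")  # nearest non-TPMR bridge address
MACSEC_ICV_LEN = 16         # GCM-AES ICV appended after the secured payload
TCI_SC = 0x20               # TCI bit: an explicit 8-byte SCI follows the PN


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into dst, src, optional outer VLAN ID, EtherType
    and the offset of the first byte after the EtherType."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:          # one 802.1Q tag, as on a vlan-ccc port
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "offset": offset}


def macsec_overhead(tci_an: int) -> int:
    """Bytes MACsec adds per frame: SecTAG (EtherType 2 + TCI/AN 1 + SL 1 + PN 4,
    plus SCI 8 when the SC bit is set) plus the trailing ICV. 24 or 32 bytes."""
    sectag_len = 8 + (8 if tci_an & TCI_SC else 0)
    return sectag_len + MACSEC_ICV_LEN


def classify(frame: bytes) -> dict:
    """Label a frame 'eapol', 'macsec' or 'other'; MACsec frames get 'overhead'."""
    info = parse_frame(frame)
    et = info["ethertype"]
    if et == ETHERTYPE_EAPOL and info["dst"] == EAPOL_GROUP_MAC:
        info["verdict"] = "eapol"    # MKA: needs L2PT through a bridging PE
    elif et == ETHERTYPE_MACSEC:
        info["verdict"] = "macsec"
        info["overhead"] = macsec_overhead(frame[info["offset"]])  # TCI/AN byte
    else:
        info["verdict"] = "other"
    return info


# Constructed sample frames (hex), not captured traffic.
EAPOL_MKA = bytes.fromhex(
    "0180c2000003" "001122334455" "888e"
    "03" "05" "0004" "00000000")            # EAPOL v3, type 5 (MKA), 4-byte body
VLAN_EAPOL_MKA = bytes.fromhex(
    "0180c2000003" "001122334455" "8100" "000a" "888e"
    "03" "05" "0004" "00000000")            # same MKA frame inside vlan-id 10
MACSEC_WITH_SCI = bytes.fromhex(
    "aabbccddeeff" "001122334455" "88e5"
    "2c"                                    # TCI/AN: SC=1 E=1 C=1 AN=0
    "00" "00000001"                         # SL=0 (no short length), PN=1
    "0011223344550001"                      # SCI = src MAC + port 1
    "00112233445566778899aabbccddeeff"      # 16 bytes of ciphertext
    "ffeeddccbbaa99887766554433221100")     # 16-byte ICV
MACSEC_NO_SCI = bytes.fromhex(
    "aabbccddeeff" "001122334455" "88e5"
    "4c" "00" "00000002"                    # ES=1, SC=0: SCI implied, not sent
    "00112233445566778899aabbccddeeff"
    "ffeeddccbbaa99887766554433221100")

if __name__ == "__main__":
    for name, frame in [("EAPOL", EAPOL_MKA), ("VLAN EAPOL", VLAN_EAPOL_MKA),
                        ("MACsec+SCI", MACSEC_WITH_SCI), ("MACsec", MACSEC_NO_SCI)]:
        print(name, classify(frame))
```

Fed frames captured on the customer side of the circuit, a verdict of "eapol" on a frame that never appears on the far side points at the PE eating 01:80:c2:00:00:03/0x888e, and the "overhead" value is what to add to the customer-facing MTU when checking the carrier circuit: 32 bytes whenever the SCI is carried explicitly, which is the usual case.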