Configuring of MACsec for three EX4300 Switches
Richard McGovern
rmcgovern at juniper.net
Thu Nov 5 11:05:20 EST 2020
MACsec is point-to-point, so is your plan to run MACsec from Point A to the EX4300 and then connect the same EX4300 to Point B, i.e. two different and independent MACsec connections?
If you want pass-through of one session you will need to create some sort of tunnel between EX port A and port B (internally; maybe GRE 'might' work). This is not like, say, IPsec connections.
Good luck. Please reply if you find a solution.
Rich
Richard McGovern
Sr Sales Engineer, Juniper Networks
978-618-3342
I’d rather be lucky than good, as I know I am not good
I don’t make the news, I just report it
On 11/5/20, 6:09 AM, "switch999 at tutanota.com" <switch999 at tutanota.com> wrote:
Hi,
following only the required configuration of
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html
for
# Configuring MACsec Using Static Connectivity Association Key (CAK) Mode
works fine for two switches, but not with a third EX4300 in the middle.
Thus, could anyone please help with what is required to ensure connectivity through
three EX4300s?
Even the configuration (A; with several tries) on the outer-side switches, e.g. as given for one port per switch:
jack@cs2# set security macsec connectivity-association ca1 mka eapol-address provider-bridge
jack@cs2# set security macsec connectivity-association ca1 mka eapol-address lldp-multicast
jack@cs2# set protocols layer2-control mac-rewrite interface ge-0/0/13 protocol ieee8021
did not work for the three EX4300s.
Tunneling through an EX4200 in the middle (via VLAN; snippet see below) worked fine, even without
configuration (A) on the outer-side switches, only with the most important commands
given in https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html.
Any idea why tunneling through the middle EX4300 failed? (Used version: 17.3R3-S9.3!)
Regards,
Jack
# PS: What is the equivalent code for EX4300 from the EX4200 code?
vlan-id 55;
dot1q-tunneling {
    layer2-protocol-tunneling {
        all;
    }
}
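As an added illustration (not part of the original thread and not taken from Juniper's documentation page linked above), here is the minimal static-CAK MACsec configuration for one point-to-point link between two directly connected EX4300 ports, followed by the operational commands used to check that the MKA session and the secure channel are actually up. The CA name ca1 and port ge-0/0/13 are reused from the thread; the CKN and CAK hex strings, the key-server-priority values and the replay-window setting are constructed placeholders. Lines beginning with # are explanatory and are not Junos syntax.

```junos
# ---- Switch A (preferred key server: the lower key-server-priority wins) ----
# constructed example; replace the CKN/CAK with values generated for your own link
set security macsec connectivity-association ca1 security-mode static-cak
# CKN: up to 64 hex characters; CAK: 32 hex characters for GCM-AES-128 (placeholder values)
set security macsec connectivity-association ca1 pre-shared-key ckn 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
set security macsec connectivity-association ca1 pre-shared-key cak 00112233445566778899aabbccddeeff
set security macsec connectivity-association ca1 mka key-server-priority 1
# replay protection with a window of 0 (strict ordering) and SCI in every frame; both optional
set security macsec connectivity-association ca1 replay-protect replay-window-size 0
set security macsec connectivity-association ca1 include-sci
set security macsec interfaces ge-0/0/13 connectivity-association ca1

# ---- Switch B: same CA name, same CKN and CAK; only the key-server-priority differs ----
set security macsec connectivity-association ca1 security-mode static-cak
set security macsec connectivity-association ca1 pre-shared-key ckn 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
set security macsec connectivity-association ca1 pre-shared-key cak 00112233445566778899aabbccddeeff
set security macsec connectivity-association ca1 mka key-server-priority 16
set security macsec connectivity-association ca1 replay-protect replay-window-size 0
set security macsec connectivity-association ca1 include-sci
set security macsec interfaces ge-0/0/13 connectivity-association ca1

# ---- Verification (operational mode, on either switch after commit) ----
# MKA session state and which side was elected key server
show security mka sessions
# secure channel / secure association state for the CA
show security macsec connections
# encrypted and protected frame counters; these should increase with traffic
show security macsec statistics interface ge-0/0/13
```

Because MACsec secures a single link, a switch placed between two MACsec peers has to terminate one connectivity association on each of its two ports (two independent sessions with two CA definitions) rather than carry the EAPOL/MKA frames of the outer switches through; that is the same point Rich makes above, and it matches the observation in the thread that the two-switch configuration works while the three-switch chain does not. After commit the CAK is stored encrypted in the configuration, so the plaintext only needs to exist while typing it in.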