[j-nsp] Configuring of MACsec for three EX4300 Switches

Crist Clark cjc+j-nsp at pumpky.net
Fri Nov 6 01:24:48 EST 2020


MACsec (802.1AE) is NOT limited to point-to-point connections.

However, many vendors have partial implementations which do have such
limitations. Juniper devices' support varies greatly by hardware platform
and software version.

On Thu, Nov 5, 2020 at 8:06 AM Richard McGovern via juniper-nsp <
juniper-nsp at puck.nether.net> wrote:

>
> ---------- Forwarded message ----------
> From: Richard McGovern <rmcgovern at juniper.net>
> To: "switch999 at tutanota.com" <switch999 at tutanota.com>
> Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
> Bcc:
> Date: Thu, 5 Nov 2020 16:05:20 +0000
> Subject: Re: Configuring of MACsec for three EX4300 Switches
> MACSEC is pt-to-pt, so is your plan to run MACSEC from Point A to EX4300
> and then connect the same EX4300 to Point B - two different and independent
> MACSEC connections?
>
> If you want pass-through of one session you will need to create some sort
> of tunnel between EX port A and port B (internal; maybe GRE 'might' work).
> This is not like, say, IPSec connections.
>
> Good luck.  Please reply if you find a solution.
>
> Rich
>
> Richard McGovern
> Sr Sales Engineer, Juniper Networks
> 978-618-3342
>
> I’d rather be lucky than good, as I know I am not good
> I don’t make the news, I just report it
>
>
> On 11/5/20, 6:09 AM, "switch999 at tutanota.com" <switch999 at tutanota.com>
> wrote:
>
>     Hi,
>
>     Following only the required configuration of
>     https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html
>     for
>     # Configuring MACsec Using Static Connectivity Association Key (CAK) Mode
>
>     works fine for two switches, but not with a third EX4300 in the middle.
>
>     Thus, could anyone please help with what is required to ensure connectivity
>     through three EX4300?
>
>     Even the configuration (A; with several tries) on the outer-side switches,
>     e.g. as given for (one port) per switch:
>     jack at cs2# set security macsec connectivity-association ca1 mka eapol-address provider-bridge
>     jack at cs2# set security macsec connectivity-association ca1 mka eapol-address lldp-multicast
>     jack at cs2# set protocols layer2-control mac-rewrite interface ge-0/0/13 protocol ieee8021
>     did not work for the three EX4300.
>
>     Tunneling through an EX4200 in the middle (via VLAN, snippet see below)
>     worked fine, even without configuration (A) at the outer-side switches,
>     only with the most important commands given in
>     https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html .
>
>     Any idea why tunneling through the middle EX4300 failed? (Used
>     version: 17.3R3-S9.3!)
>
>     Regards,
>     Jack
>
>
>     # PS: What is the equivalent code for EX4300 from the EX4200 code
>            vlan-id 55;
>            dot1q-tunneling {
>                layer2-protocol-tunneling {
>                    all;
>                }
>            }
>
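For readers following the static-CAK setup the thread refers to, here is the full connectivity association on one outer EX4300 port, with the eapol-address option Jack tried shown in context. This is an added, constructed example, not text from any message in the thread and not copied from Juniper's documentation; the interface ge-0/0/13 and the CA name ca1 follow Jack's commands, the CKN/CAK values are placeholders, and the cipher-suite, include-sci, replay-protect and key-server-priority lines are options assumed for illustration rather than taken from the thread.

```junos
## Outer EX4300 (cs2), one MACsec port facing the middle switch.
## Constructed example. CKN and CAK are placeholders: generate your own
## random hex values and configure the identical pair on both outer switches.
set security macsec connectivity-association ca1 security-mode static-cak
set security macsec connectivity-association ca1 pre-shared-key ckn 0011223344556677889900aabbccddeeff00112233445566778899aabbccddeeff
set security macsec connectivity-association ca1 pre-shared-key cak 00112233445566778899aabbccddeeff
set security macsec connectivity-association ca1 cipher-suite gcm-aes-128
## Carry the SCI in every frame and reject replayed frames outside a zero window.
set security macsec connectivity-association ca1 include-sci
set security macsec connectivity-association ca1 replay-protect replay-window-size 0
## Lower number wins the MKA key-server election; give the far side a higher value.
set security macsec connectivity-association ca1 mka key-server-priority 1
## Send MKA EAPOL frames to the provider-bridge group address instead of the
## default PAE address, which a bridge in the path may consume instead of forward.
set security macsec connectivity-association ca1 mka eapol-address provider-bridge
set security macsec interfaces ge-0/0/13 connectivity-association ca1
## After commit, confirm the MKA session and secure channel actually came up
## end to end before trusting the link (operational mode):
##   show security mka sessions
##   show security macsec connections
##   show security macsec statistics interface ge-0/0/13
```

A session that shows in "show security mka sessions" on both outer switches but never reaches a secured state in "show security macsec connections" points at MKA frames being dropped or consumed on the intermediate device, which is the failure the thread is chasing.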

