[j-nsp] Configuring of MACsec for three EX4300 Switches

Richard McGovern rmcgovern at juniper.net
Fri Nov 6 09:30:37 EST 2020


Thanks for the clarification. I don’t pretend to know the spec in detail, just how most Juniper gear functions. I know that for EX products running MACsec, some sort of tunnel needs to be present in an intermediate switch for it to work. This is often why MACsec over a provider network most often will not work. Generally dark fiber is required.

Been looking for a solution for intermediate switch(es).

Thanks

Sent from my iPhone

On Nov 6, 2020, at 1:25 AM, Crist Clark <cjc+j-nsp at pumpky.net> wrote:

MACsec (802.1AE) is NOT limited to point-to-point connections.

However, many vendors have partial implementations which do have such limitations. Juniper devices' support varies greatly by hardware platform and software versions.

On Thu, Nov 5, 2020 at 8:06 AM Richard McGovern via juniper-nsp <juniper-nsp at puck.nether.net> wrote:



---------- Forwarded message ----------
From: Richard McGovern <rmcgovern at juniper.net>
To: "switch999 at tutanota.com" <switch999 at tutanota.com>
Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
Bcc:
Date: Thu, 5 Nov 2020 16:05:20 +0000
Subject: Re: Configuring of MACsec for three EX4300 Switches
MACsec is pt-to-pt, so is your plan to run MACsec from Point A to the EX4300 and then connect the same EX4300 to Point B, i.e. two different and independent MACsec connections?

If you want pass-through of one session, you will need to create some sort of tunnel between EX port A and port B (internally; maybe GRE 'might' work). This is not like, say, IPsec connections.

Good luck.  Please reply if you find a solution.

Rich

Richard McGovern
Sr Sales Engineer, Juniper Networks
978-618-3342

I’d rather be lucky than good, as I know I am not good
I don’t make the news, I just report it


On 11/5/20, 6:09 AM, "switch999 at tutanota.com" <switch999 at tutanota.com> wrote:

    Hi,

    following only the required configuration of
    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html
    for
    # Configuring MACsec Using Static Connectivity Association Key (CAK) Mode

    works fine for two switches, but not with a third EX4300 in the middle.

    Thus, could anyone please advise what is required to ensure connectivity through
    three EX4300s?

    Even configuration (A; tried several times) on the outer switches, e.g. as
    given here for one port per switch:
    jack at cs2# set security macsec connectivity-association ca1 mka eapol-address provider-bridge
    jack at cs2# set security macsec connectivity-association ca1 mka eapol-address lldp-multicast
    jack at cs2# set protocols layer2-control mac-rewrite interface ge-0/0/13 protocol ieee8021
    did not work for the three EX4300s.

    Tunneling through an EX4200 in the middle (via VLAN; see the snippet below) worked fine, even without
    configuration (A) on the outer switches, using only the most important commands
    given in https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html.

    Any idea why tunneling through the middle EX4300 failed? (Used version: 17.3R3-S9.3!)

    Regards,
    Jack


    # PS: What is the equivalent EX4300 configuration for this EX4200 snippet?
           vlan-id 55;
           dot1q-tunneling {
               layer2-protocol-tunneling {
                   all;
               }
           }



Juniper Business Use Only



---------- Forwarded message ----------
From: Richard McGovern via juniper-nsp <juniper-nsp at puck.nether.net>
To: "switch999 at tutanota.com" <switch999 at tutanota.com>
Cc:
Bcc:
Date: Thu, 5 Nov 2020 16:05:20 +0000
Subject: Re: [j-nsp] Configuring of MACsec for three EX4300 Switches
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
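The two-switch static-CAK setup Jack says works, written out for both ends as an added example from the editor (not configuration posted by anyone in this thread, and not Juniper's own documentation). The interface names, the CKN and the CAK are constructed placeholders; this does not address the EX4300-in-the-middle case Jack asks about.

```text
# Switch A, port ge-0/0/13 cabled directly to switch B (constructed example).
# Static CAK mode: both ends share one pre-shared key and MKA derives the per-SA keys from it.
set security macsec connectivity-association ca1 security-mode static-cak
# CKN (key name, up to 32 octets) and CAK (16 octets for GCM-AES-128) must match on both ends.
# Placeholder values: generate real ones from a CSPRNG and handle the CAK as a secret.
set security macsec connectivity-association ca1 pre-shared-key ckn 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
set security macsec connectivity-association ca1 pre-shared-key cak 0123456789abcdef0123456789abcdef
# The lower value wins the MKA key-server election; give the two ends different values.
set security macsec connectivity-association ca1 mka key-server-priority 1
# Replay protection: drop frames whose packet number falls outside the window.
set security macsec connectivity-association ca1 replay-protect replay-window-size 5
# Carry the explicit SCI so the peer identifies the secure channel unambiguously.
set security macsec connectivity-association ca1 include-sci
# Bind the connectivity association to the physical port.
set security macsec interfaces ge-0/0/13 connectivity-association ca1

# Switch B, port ge-0/0/13 cabled to switch A: identical CA, only the key-server priority differs.
set security macsec connectivity-association ca1 security-mode static-cak
set security macsec connectivity-association ca1 pre-shared-key ckn 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
set security macsec connectivity-association ca1 pre-shared-key cak 0123456789abcdef0123456789abcdef
set security macsec connectivity-association ca1 mka key-server-priority 10
set security macsec connectivity-association ca1 replay-protect replay-window-size 5
set security macsec connectivity-association ca1 include-sci
set security macsec interfaces ge-0/0/13 connectivity-association ca1

# After commit on both sides: the MKA session should show one live peer, and the
# connection should list a transmit and a receive secure channel on the port.
run show security mka sessions
run show security macsec connections
run show security macsec statistics interface ge-0/0/13
```

MKA frames are sent to the PAE group address 01:80:C2:00:00:03 by default, which an intermediate 802.1Q bridge filters rather than forwards; that is why a switch in the middle needs layer-2 protocol tunneling, and why the eapol-address alternatives Jack tried exist at all.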

