Mailing List Archive

Configuring of MACsec for three EX4300 Switches
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: Configuring of MACsec for three EX4300 Switches
MACsec (802.1AE) is NOT limited to point-to-point connections.

However, many vendors have partial implementations which do have such
limitations. Juniper devices' support varies greatly by hardware platform
and software versions.

On Thu, Nov 5, 2020 at 8:06 AM Richard McGovern via juniper-nsp <
juniper-nsp@puck.nether.net> wrote:

>
>
>
> ---------- Forwarded message ----------
> From: Richard McGovern <rmcgovern@juniper.net>
> To: "switch999@tutanota.com" <switch999@tutanota.com>
> Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
> Bcc:
> Date: Thu, 5 Nov 2020 16:05:20 +0000
> Subject: Re: Configuring of MACsec for three EX4300 Switches
> MACSEC is pt-to-pt so is your plan to run MACSEC from Point A to EX4300
> and then connect same EX4300 to Point B - two different and independent
> MACSEC connections?
>
> If you want pass-through of one session you will need to create some sort
> of tunnel between EX port A to port B -(internal maybe GRE 'might' work.
> This is not like say IPSec connections.
>
> Good luck. Please reply if you find a solution.
>
> Rich
>
> Richard McGovern
> Sr Sales Engineer, Juniper Networks
> 978-618-3342
>
> I’d rather be lucky than good, as I know I am not good
> I don’t make the news, I just report it
>
>
> On 11/5/20, 6:09 AM, "switch999@tutanota.com" <switch999@tutanota.com>
> wrote:
>
> Hi,
>
> following only the required configuration of
>
> https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html
> for
> # Configuring MACsec Using Static Connectivity Association Key (CAK)
> Mode
>
> works fine for two switches, but with a third EX4300 in the middle not.
>
> Thus, could anyone please help what is required to ensure connectivity
> through
> three EX4300?
>
> Even the configuration (A; with several tries) on the outer sides
> switches such as
> e.g. given for (one port) per switch
> jack@cs2# set security macsec connectivity-association ca1 mka eapol-address provider-bridge
> jack@cs2# set security macsec connectivity-association ca1 mka eapol-address lldp-multicast
> jack@cs2# set protocols layer2-control mac-rewrite interface ge-0/0/13 protocol ieee8021
> worked not for the three EX4300.
>
> Tunneling through a EX4200, in the middle (via vlan, snippet see
> below) worked fine, even without the
> configuration (A) at the outer sides switches, only with the most
> important commands
> given in
> https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html
> .
>
> Any idea why tunneling through the middle EX4300 failed? (Used
> version: 17.3R3-S9.3!)
>
> Regards,
> Jack
>
>
> # PS: What is the equivalent code for EX4300 from the EX4200 code
> vlan-id 55;
> dot1q-tunneling {
>     layer2-protocol-tunneling {
>         all;
>     }
> }
>
>
>