--- Begin Message ---
MACSEC is pt-to-pt so is your plan to run MACSEC from Point A to EX4300 and 
then connect same EX4300 to Point B - two different and independent MACSEC 
connections?

If you want pass-through of one session you will need to create some sort of 
tunnel between EX port A to port B - (internal maybe GRE 'might' work). This is 
not like say IPSec connections.

Good luck.  Please reply if you find a solution.

Rich

Richard McGovern
Sr Sales Engineer, Juniper Networks
978-618-3342

I’d rather be lucky than good, as I know I am not good
I don’t make the news, I just report it


On 11/5/20, 6:09 AM, "[email protected]" <[email protected]> wrote:

    Hi,

    Following only the required configuration of
    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html
    for
    # Configuring MACsec Using Static Connectivity Association Key (CAK) Mode

    works fine for two switches, but not with a third EX4300 in the middle.

    Thus, could anyone please help with what is required to ensure connectivity
    through three EX4300?

    Even the configuration (A; with several tries) on the outer-side switches,
    such as e.g. given for (one port) per switch
    jack@cs2# set security macsec connectivity-association ca1 mka eapol-address provider-bridge
    jack@cs2# set security macsec connectivity-association ca1 mka eapol-address lldp-multicast
    jack@cs2# set protocols layer2-control mac-rewrite interface ge-0/0/13 protocol ieee8021
    did not work for the three EX4300.

    Tunneling through an EX4200 in the middle (via vlan, see snippet below)
    worked fine, even without the configuration (A) on the outer-side switches,
    only with the most important commands given in
    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html.

    Any idea why tunneling through the middle EX4300 failed? (Used version: 17.3R3-S9.3!)

    Regards,
    Jack


    # PS: What is the equivalent code for the EX4300 of this EX4200 code?
           vlan-id 55;
           dot1q-tunneling {
               layer2-protocol-tunneling {
                   all;
               }
           }



--- End Message ---
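
For checking a capture taken on either side of the middle switch, the following is an added example (not part of the thread, and not Juniper code) that classifies a frame as EAPOL-MKA and reports whether its destination lies in the IEEE 802.1 reserved block 01:80:C2:00:00:00 to 0F, which a standards-following customer bridge consumes instead of forwarding. The sample frames are constructed, the function names are hypothetical, and how the EX4300 treats these addresses is not established by the thread.

```python
import struct

EAPOL_ETHERTYPE = 0x888E            # IEEE 802.1X EAPOL
EAPOL_TYPE_MKA = 5                  # EAPOL-MKA packet type (802.1X-2010)
VLAN_TPIDS = (0x8100, 0x88A8)       # C-tag and S-tag
RESERVED = bytes.fromhex("0180c20000")   # prefix of 01:80:C2:00:00:00-0F
NAMES = {0x00: "bridge group (STP)",
         0x03: "PAE group (default EAPOL)",
         0x0E: "nearest bridge (LLDP multicast)"}


def classify(frame: bytes) -> dict:
    """Classify one raw Ethernet frame for MKA pass-through checks."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst = frame[:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off = 14
    # Step over any VLAN tags (e.g. added by a dot1q tunnel).
    while ethertype in VLAN_TPIDS and len(frame) >= off + 4:
        (ethertype,) = struct.unpack("!H", frame[off + 2:off + 4])
        off += 4
    # EAPOL header: version (1 byte), packet type (1 byte), length (2 bytes).
    is_mka = (ethertype == EAPOL_ETHERTYPE and len(frame) >= off + 2
              and frame[off + 1] == EAPOL_TYPE_MKA)
    link_local = dst[:5] == RESERVED and dst[5] <= 0x0F
    name = NAMES.get(dst[5], "other reserved") if link_local else "not reserved"
    return {"dst": dst.hex(":"), "is_mka": is_mka,
            "link_local": link_local, "dst_name": name}


def make_mka(dst: str, vlan=None) -> bytes:
    """Constructed sample: minimal EAPOL-MKA frame with an empty body."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex("020000000001")
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan)
    return hdr + struct.pack("!HBBH", EAPOL_ETHERTYPE, 3, EAPOL_TYPE_MKA, 0)


if __name__ == "__main__":
    # Constructed destinations: PAE group, LLDP multicast, and a
    # locally administered group address outside the reserved block.
    for d in ("01:80:c2:00:00:03", "01:80:c2:00:00:0e", "03:00:00:00:00:01"):
        print(classify(make_mka(d)))
```

If MKA frames appear on the ingress side of the middle switch with `link_local` true and never on the egress side, the middle switch is terminating them rather than tunneling them.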
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
