My quick notes, since I just went through MACsec research recently:
MX: Only supported on MIC-3D-20GE-SFP-E EX9200: Only supported on EX9200-40FE, and only on even numbered ports. Unclear if a license is needed or not. EX4200: Only supported on ports on optional EX-UM-2X4SFP-M module. Requires EX-QFX-MACSEC-ACC license. EX4300-24T/24P/48T/48P/32F: Supports MACsec on all ports (24 or 48x1G and 4x10G). Requires EX-QFX-MACSEC-ACC license EX4550-32F(but not 32T): Supports MACsec on all ports. Produces a fair amount of heat if you have all ports doing MACsec at once, possibly over the data sheet’s rated wattage limit - add 8W per macsec enabled port. Requires EX-QFX-MACSEC-AGG (not -ACC like above) license. EX4600: Supports MACsec on all built in ports, as well as on any EX4600-EM-8F modules. Only works on 10G ports though, will not work on 1G modules. Also does not support “switch-to-host” mode, “switch-to-switch” mode only. Requires EX-QFX-MACSEC-AGG. QFX5100-24Q: Support only on the 8 ports on an optional EX4600-EM-8F module, not the built in ports. 10G only. Does not support “switch-to-host” mode. Requires EX-QFX-MACSEC-AGG license. They also explicitly say they don’t support MACsec on copper SFP/SFP+ modules, but it seems to work here. > On Dec 14, 2015, at 5:23 PM, Jeff McAdams <je...@iglou.com> wrote: > > Last I checked (a month or so ago?) there is only a single MIC (20x1gbps > maybe) that can do MacSec on the MX. I think the plan is for future MPCs to > support it with any enet MICs connected, but it's not there, yet. > > I don't know for the full QFX line, but the EX4600s I have supposedly can do > line-rate (or at least very close) MacSec on all ports. I haven't had the > opportunity, yet, to actually try it. > > If FIPS 140-2 compliance is relevant for you, MacSec is currently excluded > from FIPS 140-2 validation. > > -- > Jeff _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
