Destination MAC 01:80:c2:00:00:03, EtherType 0x888e (ieee8021x) is eaten by the PE router (MX480). I'm not sure about the ASR9k at the other end of the production scenario--it may have the same trouble.
My lab is like this, with the EX2200 substituting for the ASR9k. The idea is to have MACsec between the EX4300s, with the middle being transparent to it. I got this working:

    EX4300---EX2200---EX4300

For the EX2200, I had to configure layer2-protocol-tunneling to allow the EAPOL 802.1x through:

    vlans {
        MACSEC-TRANSPORT {
            vlan-id 10;
            ##
            ## Warning: requires 'dot1q-tunneling' license
            ##
            dot1q-tunneling {
                layer2-protocol-tunneling {
                    all;
                }
            }
        }
    }

MACsec comes up fine on both EX4300s and I can ping between them. But this fails:

    EX4300---EX2200---MX480---EX4300

I'm doing simple bridging through the MX, but the MX doesn't support the mac-rewrite needed (ieee8021x). Anyone have any clever ideas to work around that limitation?

On Fri, Oct 27, 2017 at 05:40:57PM +0300, Elijah Zhuravlev wrote:
> Hello
>
> Ethertypes 0x888e and 0x88e5 should be supported by the switching hw,
> no other special requirements.
> Btw keep in mind the macsec overhead, +32.
>
> regards, Eli
>
> On Fri, 27 Oct 2017 10:23:01 -0400
> Chuck Anderson <c...@wpi.edu> wrote:
>
> > Has anyone been able to run MACsec over a service provider's Ethernet
> > Private Line (or even just a 802.1q vlan)? I'm looking at using 10gig
> > ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink
> > module.
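
Added example (not part of the original message or the thread): a Python check for captures taken on either side of a transport hop, classifying frames by the destination MAC and EtherTypes named above, including frames carried inside a VLAN tag. The function names and sample frames are constructed for illustration; the range 01:80:c2:00:00:00 to 0f is the IEEE 802.1Q reserved block that conformant bridges consume rather than forward, which is why the EAPOL group address needs tunneling or rewriting to cross a bridged path.

```python
import struct

ETH_EAPOL = 0x888E             # 802.1X EAPOL, carries the MKA key agreement
ETH_MACSEC = 0x88E5            # 802.1AE MACsec-protected data
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q C-tag and 802.1ad S-tag
MACSEC_OVERHEAD = 32           # bytes, the figure quoted in the thread

def is_reserved_group_mac(dst: bytes) -> bool:
    """True for 01:80:c2:00:00:00..0f, the bridge-filtered block."""
    return dst[:5] == bytes.fromhex("0180c20000") and dst[5] <= 0x0F

def classify(frame: bytes) -> dict:
    """Skip any VLAN tags and report what a transport hop has to carry."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vlans = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    kind = {ETH_EAPOL: "eapol", ETH_MACSEC: "macsec"}.get(ethertype, "other")
    return {"kind": kind, "vlans": vlans, "dst": frame[:6].hex(":"),
            "bridge_filtered": is_reserved_group_mac(frame[:6])}

def transport_mtu(payload_mtu: int) -> int:
    """MTU the carrier path needs so MACsec frames are not dropped."""
    return payload_mtu + MACSEC_OVERHEAD

# Constructed sample frames (not captured traffic).
SRC = bytes.fromhex("020000000001")
PAE = bytes.fromhex("0180c2000003")
SAMPLE_EAPOL = PAE + SRC + bytes.fromhex("888e" "03050000")
SAMPLE_TAGGED = PAE + SRC + bytes.fromhex("8100" "000a" "888e" "03050000")
SAMPLE_MACSEC = bytes.fromhex("020000000002") + SRC + bytes.fromhex("88e5" "2c00")

if __name__ == "__main__":
    for name, f in [("eapol", SAMPLE_EAPOL), ("tagged", SAMPLE_TAGGED),
                    ("macsec", SAMPLE_MACSEC)]:
        print(name, classify(f))
    print("transport MTU for 1500:", transport_mtu(1500))
```

Comparing the "eapol" counts from captures on the ingress and egress side of each hop shows which device is consuming the key-agreement frames.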