MACsec (802.1AE) is NOT limited to point-to-point connections. However, many vendors have partial implementations which do have such limitations. Juniper devices' support varies greatly by hardware platform and software versions.
On Thu, Nov 5, 2020 at 8:06 AM Richard McGovern via juniper-nsp <juniper-nsp@puck.nether.net> wrote:
>
> ---------- Forwarded message ----------
> From: Richard McGovern <rmcgov...@juniper.net>
> To: "switch...@tutanota.com" <switch...@tutanota.com>
> Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
> Bcc:
> Date: Thu, 5 Nov 2020 16:05:20 +0000
> Subject: Re: Configuring of MACsec for three EX4300 Switches
>
> MACSEC is pt-to-pt, so is your plan to run MACSEC from Point A to EX4300 and then connect the same EX4300 to Point B - two different and independent MACSEC connections?
>
> If you want pass-through of one session you will need to create some sort of tunnel between EX port A and port B (internally, maybe GRE 'might' work). This is not like, say, IPSec connections.
>
> Good luck. Please reply if you find a solution.
>
> Rich
>
> Richard McGovern
> Sr Sales Engineer, Juniper Networks
> 978-618-3342
>
> I'd rather be lucky than good, as I know I am not good
> I don't make the news, I just report it
>
> On 11/5/20, 6:09 AM, "switch...@tutanota.com" <switch...@tutanota.com> wrote:
>
> Hi,
>
> following only the required configuration of
> https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html
> for
> # Configuring MACsec Using Static Connectivity Association Key (CAK) Mode
> works fine for two switches, but not with a third EX4300 in the middle.
>
> Thus, could anyone please help with what is required to ensure connectivity through three EX4300?
>
> Even the configuration (A; with several tries) on the outer switches, e.g. as given for (one port) per switch
>
> jack@cs2# set security macsec connectivity-association ca1 mka eapol-address provider-bridge
> jack@cs2# set security macsec connectivity-association ca1 mka eapol-address lldp-multicast
> jack@cs2# set protocols layer2-control mac-rewrite interface ge-0/0/13 protocol ieee8021
>
> did not work for the three EX4300.
>
> Tunneling through an EX4200 in the middle (via vlan, snippet see below) worked fine, even without the configuration (A) at the outer switches, only with the most important commands given in
> https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html
>
> Any idea why tunneling through the middle EX4300 failed? (Used version: 17.3R3-S9.3!)
>
> Regards,
> Jack
>
> # PS: What is the equivalent code for EX4300 from the EX4200 code
>
> vlan-id 55;
> dot1q-tunneling {
>     layer2-protocol-tunneling {
>         all;
>     }
> }
>
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
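The thread turns on a detail neither message spells out: the MACsec data plane (EtherType 0x88E5) is forwarded by an intermediate switch like any other frame, but the MKA key agreement that has to succeed first is carried in EAPoL frames addressed to a reserved 802.1Q group MAC, and a standards-compliant bridge filters most of those addresses. That is why a third EX4300 in the middle breaks the session, why changing `eapol-address` sometimes helps, and why L2PT on the EX4200 made it work. The following model is an added example, not code from the thread or from Juniper. It builds EAPoL-MKA frames in-line (constructed data), applies the 802.1Q Table 8-1 forwarding rules for the three addresses MKA can use, and checks whether an MKPDU reaches the far peer through a list of intermediate bridges. The Junos keyword-to-address mapping, the L2PT tunnel address and the treatment of reserved values other than 00/01/02/03/0E are assumptions made for illustration and should be checked against the Junos documentation for your release.

```python
"""Model why MKA fails across an intermediate bridge and what L2PT or a
different EAPoL group address changes. Added example; frames and bridges are
constructed here, nothing is captured from real devices."""
import struct

EAPOL_ETHERTYPE = 0x888E        # 802.1X EAPoL (carries MKA)
MACSEC_ETHERTYPE = 0x88E5       # 802.1AE: SecTAG follows the source MAC
EAPOL_TYPE_MKA = 5              # 802.1X-2010 EAPOL-MKA packet type

RESERVED_PREFIX = bytes.fromhex("0180c20000")      # 01-80-C2-00-00-00 .. -0F
PAE_GROUP = bytes.fromhex("0180c2000003")          # Nearest non-TPMR Bridge, 802.1X default
NEAREST_CUSTOMER = bytes.fromhex("0180c2000000")   # Nearest Customer Bridge
NEAREST_BRIDGE = bytes.fromhex("0180c200000e")     # Nearest Bridge, filtered by every bridge

# Assumed mapping of the Junos `mka eapol-address` keywords to destination MACs
# (from memory of the Junos docs, not from the thread); verify for your release.
JUNOS_EAPOL_ADDRESS = {
    "pae": PAE_GROUP,
    "provider-bridge": NEAREST_CUSTOMER,
    "lldp-multicast": NEAREST_BRIDGE,
}


def build_eapol_mka(dst: bytes, src: bytes, mkpdu: bytes) -> bytes:
    """Ethernet II frame carrying an EAPOL-MKA PDU (EAPoL header: version, type, length)."""
    eapol = struct.pack("!BBH", 3, EAPOL_TYPE_MKA, len(mkpdu)) + mkpdu
    return dst + src + struct.pack("!H", EAPOL_ETHERTYPE) + eapol


def parse_frame(frame: bytes) -> dict:
    """Extract what a bridge and an MKA peer look at: dst, src, EtherType, EAPoL type."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst, "src": src, "ethertype": ethertype, "eapol_type": None}
    if ethertype == EAPOL_ETHERTYPE:
        if len(frame) < 18:
            raise ValueError("truncated EAPoL header")
        _version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
        if len(frame) - 18 < length:
            raise ValueError("EAPoL length exceeds frame")
        info["eapol_type"] = eapol_type
    return info


class Bridge:
    """One intermediate 802.1Q bridge component: 'c-vlan' (an ordinary customer
    switch such as the middle EX4300), 's-vlan' (provider bridge) or 'tpmr'
    (two-port MAC relay). l2pt=True models layer-2 protocol tunnelling on the
    two ports: reserved-address frames are rewritten to a tunnel MAC on ingress
    and restored on egress, so they cross the bridge intact."""

    def __init__(self, component: str, l2pt: bool = False):
        if component not in ("c-vlan", "s-vlan", "tpmr"):
            raise ValueError(component)
        self.component, self.l2pt = component, l2pt

    def relay(self, frame: bytes):
        """Frame as it leaves the far port, or None if this bridge filters it.
        Rules for 00/01/02/03/0E follow 802.1Q Table 8-1; the remaining reserved
        values are simplified to 'filtered by C-/S-VLAN bridges, relayed by a TPMR'."""
        dst = frame[:6]
        if dst[:5] != RESERVED_PREFIX or dst[5] > 0x0F:
            return frame                 # normal forwarding/flooding; MACsec data frames take this path
        if self.l2pt:
            return frame                 # tunnelled across, dst restored on egress
        last = dst[5]
        if last in (0x01, 0x02, 0x0E):   # MAC Control, Slow Protocols, Nearest Bridge
            return None
        if last == 0x03:                 # Nearest non-TPMR Bridge: only a TPMR relays it
            return frame if self.component == "tpmr" else None
        if last == 0x00:                 # Nearest Customer Bridge: provider bridges relay, customer bridges filter
            return frame if self.component != "c-vlan" else None
        return frame if self.component == "tpmr" else None


def mka_reaches_peer(dst: bytes, path: list) -> bool:
    """Does an MKPDU sent to `dst` arrive at the far MACsec peer through `path`?
    Without it the peers never distribute a SAK, so no secure channel comes up."""
    src = bytes.fromhex("020000000001")               # constructed, locally administered
    frame = build_eapol_mka(dst, src, b"\x00" * 4)    # dummy MKPDU body
    for hop in path:
        frame = hop.relay(frame)
        if frame is None:
            return False
    info = parse_frame(frame)
    return (info["ethertype"] == EAPOL_ETHERTYPE
            and info["eapol_type"] == EAPOL_TYPE_MKA
            and info["dst"] == dst)


if __name__ == "__main__":
    scenarios = {
        "two EX4300 back to back, default pae address": (PAE_GROUP, []),
        "pae address through a customer bridge in the middle": (PAE_GROUP, [Bridge("c-vlan")]),
        "provider-bridge address through a customer bridge": (NEAREST_CUSTOMER, [Bridge("c-vlan")]),
        "provider-bridge address through an S-VLAN provider bridge": (NEAREST_CUSTOMER, [Bridge("s-vlan")]),
        "pae address through a customer bridge running L2PT": (PAE_GROUP, [Bridge("c-vlan", l2pt=True)]),
        "lldp-multicast address through a TPMR": (NEAREST_BRIDGE, [Bridge("tpmr")]),
    }
    for name, (dst, path) in scenarios.items():
        print(f"{name:60s} -> {'MKA completes' if mka_reaches_peer(dst, path) else 'MKA never completes'}")
```

Two consequences worth keeping in mind when choosing between the tunnel and the "two independent MACsec connections" Rich proposes: with the tunnel, the middle switch only relays 0x88E5 frames it cannot read, so confidentiality is end to end and the middle switch need not hold the CAK; with two back-to-back sessions, the middle switch decrypts and re-encrypts every frame, sees the plaintext, and must be trusted and keyed accordingly. Either way, MKA frames themselves are integrity-protected (ICV keyed from the CAK) but not encrypted, so a middle switch that relays them learns nothing secret from them.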