--- Begin Message ---
Thanks for the clarification. I don’t pretend to know the spec in detail, just
how most of Juniper functions. I know for EX products running MACsec, some sort
of tunnel needs to be present in an intermediate switch to work. This is often
why MACsec over provider network most often will not work. Generally dark fiber
is required.
Been looking for a solution for intermediate switch(es).
Thanks
On Nov 6, 2020, at 1:25 AM, Crist Clark <cjc+j-...@pumpky.net> wrote:
MACsec (802.1AE) is NOT limited to point-to-point connections.
However, many vendors have partial implementations which do have such
limitations. Juniper devices' support varies greatly by hardware platform and
software versions.
On Thu, Nov 5, 2020 at 8:06 AM Richard McGovern via juniper-nsp
<juniper-nsp@puck.nether.net> wrote:
---------- Forwarded message ----------
From: Richard McGovern <rmcgov...@juniper.net>
To: "switch...@tutanota.com" <switch...@tutanota.com>
Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
Bcc:
Date: Thu, 5 Nov 2020 16:05:20 +0000
Subject: Re: Configuring of MACsec for three EX4300 Switches
MACSEC is pt-to-pt, so is your plan to run MACSEC from Point A to EX4300 and
then connect same EX4300 to Point B - two different and independent MACSEC
connections?
If you want pass-through of one session you will need to create some sort of
tunnel between EX port A to port B - internal, maybe GRE 'might' work. This is
not like, say, IPSec connections.
Good luck. Please reply if you find a solution.
Rich
Richard McGovern
Sr Sales Engineer, Juniper Networks
978-618-3342
I’d rather be lucky than good, as I know I am not good
I don’t make the news, I just report it
On 11/5/20, 6:09 AM, "switch...@tutanota.com" <switch...@tutanota.com> wrote:
Hi,
Following only the required configuration of
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html
for "Configuring MACsec Using Static Connectivity Association Key (CAK) Mode"
works fine for two switches, but not with a third EX4300 in the middle.
Thus, could anyone please help with what is required to ensure connectivity
through three EX4300?
Even the configuration (A; with several tries) on the outer switches,
e.g. as given here for one port per switch:
jack@cs2# set security macsec connectivity-association ca1 mka eapol-address provider-bridge
jack@cs2# set security macsec connectivity-association ca1 mka eapol-address lldp-multicast
jack@cs2# set protocols layer2-control mac-rewrite interface ge-0/0/13 protocol ieee8021
did not work for the three EX4300.
Tunneling through an EX4200 in the middle (via VLAN, see snippet below)
worked fine, even without the configuration (A) on the outer switches,
with only the most important commands given in
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html.
Any idea why tunneling through the middle EX4300 failed? (Used version:
17.3R3-S9.3!)
Regards,
Jack
PS: What is the equivalent code for the EX4300 of this EX4200 code?
vlan-id 55;
dot1q-tunneling {
    layer2-protocol-tunneling {
        all;
    }
}
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
--- End Message ---