Re: [j-nsp] MACsec over a service provider

2017-11-17 Thread Alex K.
Sure.

But it depends on the exact circuit you have (on the exact equipment and
settings your carrier uses). Since MACsec is a true point-to-point protocol,
carriers' equipment may interpret its packets (say, EAPOL) as destined for
itself, instead of forwarding them through the pseudowire.

As far as I remember the deployment, most of the circuits were fine with
regular (i.e. LAN) MACsec. But some required the WAN flavor. Hence they wouldn't
have worked with J-gear. Anyhow, I'm glad you were able to sort it out.

Best regards,
Alex.

On 18 Nov 2017 1:43 AM, "Chuck Anderson" wrote:

In the end I discovered that CCC, l2circuit, etc. work fine for
transporting regular MACsec, no need for "WAN MACsec" or special
commands to forward dot1x frames.

I also got this to work with 2 links at the same time between the same
2 switches.  The problem I was having was related to using 1G SFPs in
EX-UM-4X4SFP in the EX4300-48P.  You have to turn off auto-neg and
force the speed to 1G.  You also have to restart the PIC or reboot
after changing an optic from 10gig to 1gig or vice versa.

On Fri, Nov 17, 2017 at 11:25:23PM +, Alex K. wrote:
> * As long as you have pure p2p links, you should be fine - Juniper gear
> meant.
>
> On 18 Nov 2017 1:20 AM, "Alex K." wrote:
>
> > Yes,
> >
> > But unfortunately (as far as j-nsp is considered), using Cisco's gear.
> >
> > Cisco has a special flavor of MACsec, intended to address that issue
> > exactly - they call it WAN MACsec. We were able to use it across many
> > different SP circuits. As long as you have pure p2p links (real or
> > simulated), you should be fine. Unfortunately, I'm not aware of any
> > similar Juniper technique.
> >
> > Best regards,
> > Alex.
> >
> > On 27 Oct 2017 5:23 PM, "Chuck Anderson" wrote:
> >
> > Has anyone been able to run MACsec over a service provider's Ethernet
> > Private Line (or even just an 802.1q vlan)?  I'm looking at using 10gig
> > ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink
> > module.
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] MACsec over a service provider

2017-11-17 Thread Chuck Anderson
In the end I discovered that CCC, l2circuit, etc. work fine for
transporting regular MACsec, no need for "WAN MACsec" or special
commands to forward dot1x frames.

I also got this to work with 2 links at the same time between the same
2 switches.  The problem I was having was related to using 1G SFPs in
EX-UM-4X4SFP in the EX4300-48P.  You have to turn off auto-neg and
force the speed to 1G.  You also have to restart the PIC or reboot
after changing an optic from 10gig to 1gig or vice versa.

On Fri, Nov 17, 2017 at 11:25:23PM +, Alex K. wrote:
> * As long as you have pure p2p links, you should be fine - Juniper gear
> meant.
> 
> On 18 Nov 2017 1:20 AM, "Alex K." wrote:
> 
> > Yes,
> >
> > But unfortunately (as far as j-nsp is considered), using Cisco's gear.
> >
> > Cisco has a special flavor of MACsec, intended to address that issue
> > exactly - they call it WAN MACsec. We were able to use it across many different
> > SP circuits. As long as you have pure p2p links (real or simulated), you
> > should be fine. Unfortunately, I'm not aware of any similar Juniper
> > technique.
> >
> > Best regards,
> > Alex.
> >
> > On 27 Oct 2017 5:23 PM, "Chuck Anderson" wrote:
> >
> > Has anyone been able to run MACsec over a service provider's Ethernet
> > Private Line (or even just an 802.1q vlan)?  I'm looking at using 10gig
> > ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink
> > module.

Re: [j-nsp] MACsec over a service provider

2017-11-17 Thread Giuliano C. Medalha

I think Juniper gear has some MICs that support MACsec ... for MX 17.3

JNP-MIC1-MACSEC

https://www.juniper.net/documentation/en_US/junos/topics/concept/macsec-overview-mx-series.html

Or you can use a DCI to do it ... together with your router ... but maybe in 
100G interfaces only ... will check

https://www.infinera.com/technology/optical-network-security/

Regards,

Giuliano



Giuliano C. Medalha
WZTECH NETWORKS
+55 (17) 98112-5394
giuli...@wztech.com.br

From: juniper-nsp <juniper-nsp-boun...@puck.nether.net> on behalf of Alex K. 
<nsp.li...@gmail.com>
Sent: Friday, November 17, 2017 9:20:55 PM
To: juniper-nsp
Subject: Re: [j-nsp] MACsec over a service provider

Yes,

But unfortunately (as far as j-nsp is considered), using Cisco's gear.

Cisco has a special flavor of MACsec, intended to address that issue
exactly - they call it WAN MACsec. We were able to use it across many different
SP circuits. As long as you have pure p2p links (real or simulated), you
should be fine. Unfortunately, I'm not aware of any similar Juniper
technique.

Best regards,
Alex.

On 27 Oct 2017 5:23 PM, "Chuck Anderson" <c...@wpi.edu> wrote:

Has anyone been able to run MACsec over a service provider's Ethernet
Private Line (or even just an 802.1q vlan)?  I'm looking at using 10gig
ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink
module.

WZTECH is registered trademark of WZTECH NETWORKS.
Copyright © 2017 WZTECH NETWORKS. All Rights Reserved.

IMPORTANT:
The information in this e-mail and the contents of any attached documents are
confidential and for the exclusive knowledge of the addressee. If the reader of
this message is not its addressee, you are hereby notified that you may not
disclose, distribute or in any way make the information and the contents of the
attached documents known to third parties. In that case, please notify the
sender immediately, by replying to this e-mail or calling them, and then
delete it.

CONFIDENTIALITY NOTICE:
The information transmitted in this email message and any attachments are 
solely for the intended recipient and may contain confidential or privileged 
information. If you are not the intended recipient, any review, transmission, 
dissemination or other use of this information is prohibited. If you have 
received this communication in error, please notify the sender immediately and 
delete the material from any computer, including any copies.


Re: [j-nsp] MACsec over a service provider

2017-11-17 Thread Alex K.
* As long as you have pure p2p links, you should be fine - Juniper gear
meant.

On 18 Nov 2017 1:20 AM, "Alex K." wrote:

> Yes,
>
> But unfortunately (as far as j-nsp is considered), using Cisco's gear.
>
> Cisco has a special flavor of MACsec, intended to address that issue
> exactly - they call it WAN MACsec. We were able to use it across many different
> SP circuits. As long as you have pure p2p links (real or simulated), you
> should be fine. Unfortunately, I'm not aware of any similar Juniper
> technique.
>
> Best regards,
> Alex.
>
> On 27 Oct 2017 5:23 PM, "Chuck Anderson" wrote:
>
> Has anyone been able to run MACsec over a service provider's Ethernet
> Private Line (or even just an 802.1q vlan)?  I'm looking at using 10gig
> ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink
> module.

Re: [j-nsp] MACsec over a service provider

2017-11-17 Thread Alex K.
Yes,

But unfortunately (as far as j-nsp is considered), using Cisco's gear.

Cisco has a special flavor of MACsec, intended to address that issue
exactly - they call it WAN MACsec. We were able to use it across many different
SP circuits. As long as you have pure p2p links (real or simulated), you
should be fine. Unfortunately, I'm not aware of any similar Juniper
technique.

Best regards,
Alex.

On 27 Oct 2017 5:23 PM, "Chuck Anderson" wrote:

Has anyone been able to run MACsec over a service provider's Ethernet
Private Line (or even just an 802.1q vlan)?  I'm looking at using 10gig
ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink
module.

Re: [j-nsp] MACsec over a service provider

2017-10-31 Thread Tim Jackson
I've done 1g MACSEC over l2circuit or ccc just fine.. You can even do stuff
like get an MX104 with a 20G MIC that supports MACSEC, loop a 1g port back
into itself, carry that EoMPLS over a GRE tunnel w/ inline frag/re-assembly
and do "encrypted" VPN using a pair of MX104s..

--
Tim

On Tue, Oct 31, 2017 at 3:49 PM, Chuck Anderson <c...@wpi.edu> wrote:

> My testing has revealed that it works, as long as the service provider
> (MX) is doing something like e-line/l2circuit/CCC rather than bridging.  I
> even got it to work with ethernet-ccc on the MX port facing the EX4300 and
> vlan-ccc on the MX port facing the core/WAN.
>
> However I've now run into an issue where I can only get a single MACsec
> connection working on the EX4300s.  As soon as I add a 2nd one, it fails
> to come up.  If I then reboot, neither one comes up.  If I deactivate the
> 2nd one, the 1st one comes up.
>
> On Tue, Oct 31, 2017 at 07:30:35PM +, Nick Cutting wrote:
> > I am also interested in this - my carriers keep saying "try it"
> >
> > I have the config now - still have not tested - but I'm moving many of
> my customer P2P links (hosted by carriers) to nexus switches that don't
> support macsec.
> >
> > Is anyone in the enterprise doing this over e-line services?
> >
> > -Original Message-
> > From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On
> Behalf Of Chuck Anderson
> > Sent: Friday, October 27, 2017 9:39 PM
> > To: juniper-nsp@puck.nether.net
> > Subject: Re: [j-nsp] MACsec over a service provider
> >
> > This Message originated outside your organization.
> >
> > Destination MAC 01:80:c2:00:00:03, EtherType 0x888e (ieee8021x) is eaten
> by the PE router (MX480).  I'm not sure about the ASR9k at the other end of
> the production scenario--it may have the same trouble.
> >
> > My lab is like this, with the EX2200 substituting for the ASR9k.  The
> idea is to have MACsec between the EX4300s, with the middle being
> transparent to it.
> >
> > I got this working:
> >
> > EX4300---EX2200---EX4300
> >
> > For the EX2200, I had to configure layer2-protocol-tunneling to allow
> the EAPOL 802.1x through:
> >
> > vlans {
> >     MACSEC-TRANSPORT {
> >         vlan-id 10;
> >         ##
> >         ## Warning: requires 'dot1q-tunneling' license
> >         ##
> >         dot1q-tunneling {
> >             layer2-protocol-tunneling {
> >                 all;
> >             }
> >         }
> >     }
> > }
> >
> > MACsec comes up fine on both EX4300s and I can ping between them.
> >
> >
> > But this fails:
> >
> > EX4300---EX2200---MX480---EX4300
> >
> > I'm doing simple bridging through the MX, but the MX doesn't support the
> mac-rewrite needed (ieee8021x).  Anyone have any clever ideas to work
> around that limitation?
> >
> > On Fri, Oct 27, 2017 at 05:40:57PM +0300, Elijah Zhuravlev wrote:
> > > Hello
> > >
> > > Ethertypes 0x888e and 0x88e5 should be supported by the switching hw,
> > > no other special requirements.
> > > Btw keep in mind MACsec overhead, +32.
> > >
> > > regards, Eli
> > >
> > > On Fri, 27 Oct 2017 10:23:01 -0400
> > > Chuck Anderson <c...@wpi.edu> wrote:
> > >
> > > > Has anyone been able to run MACsec over a service provider's
> > > > Ethernet Private Line (or even just an 802.1q vlan)?  I'm looking at
> > > > using 10gig ports on the EX4300 or the EX4600/QFX5100-24Q with the
> > > > MACsec uplink module.


Re: [j-nsp] MACsec over a service provider

2017-10-31 Thread Chuck Anderson
My testing has revealed that it works, as long as the service provider (MX) is 
doing something like e-line/l2circuit/CCC rather than bridging.  I even got it 
to work with ethernet-ccc on the MX port facing the EX4300 and vlan-ccc on the 
MX port facing the core/WAN.

However I've now run into an issue where I can only get a single MACsec 
connection working on the EX4300s.  As soon as I add a 2nd one, it fails to 
come up.  If I then reboot, neither one comes up.  If I deactivate the 2nd one, 
the 1st one comes up.

On Tue, Oct 31, 2017 at 07:30:35PM +, Nick Cutting wrote:
> I am also interested in this - my carriers keep saying "try it"
> 
> I have the config now - still have not tested - but I'm moving many of my 
> customer P2P links (hosted by carriers) to nexus switches that don't support 
> macsec.
> 
> Is anyone in the enterprise doing this over e-line services? 
> 
> -Original Message-
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of 
> Chuck Anderson
> Sent: Friday, October 27, 2017 9:39 PM
> To: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] MACsec over a service provider
> 
> This Message originated outside your organization.
> 
> Destination MAC 01:80:c2:00:00:03, EtherType 0x888e (ieee8021x) is eaten by 
> the PE router (MX480).  I'm not sure about the ASR9k at the other end of the 
> production scenario--it may have the same trouble.
> 
> My lab is like this, with the EX2200 substituting for the ASR9k.  The idea is 
> to have MACsec between the EX4300s, with the middle being transparent to it.
> 
> I got this working:
> 
> EX4300---EX2200---EX4300
> 
> For the EX2200, I had to configure layer2-protocol-tunneling to allow the 
> EAPOL 802.1x through:
> 
> vlans {
>     MACSEC-TRANSPORT {
>         vlan-id 10;
>         ##
>         ## Warning: requires 'dot1q-tunneling' license
>         ##
>         dot1q-tunneling {
>             layer2-protocol-tunneling {
>                 all;
>             }
>         }
>     }
> }
> 
> MACsec comes up fine on both EX4300s and I can ping between them.
> 
> 
> But this fails:
> 
> EX4300---EX2200---MX480---EX4300
> 
> I'm doing simple bridging through the MX, but the MX doesn't support the 
> mac-rewrite needed (ieee8021x).  Anyone have any clever ideas to work around 
> that limitation?
> 
> On Fri, Oct 27, 2017 at 05:40:57PM +0300, Elijah Zhuravlev wrote:
> > Hello
> > 
> > Ethertypes 0x888e and 0x88e5 should be supported by the switching hw, 
> > no other special requirements.
> > Btw keep in mind MACsec overhead, +32.
> > 
> > regards, Eli
> > 
> > On Fri, 27 Oct 2017 10:23:01 -0400
> > Chuck Anderson <c...@wpi.edu> wrote:
> > 
> > > Has anyone been able to run MACsec over a service provider's 
> > > Ethernet Private Line (or even just an 802.1q vlan)?  I'm looking at 
> > > using 10gig ports on the EX4300 or the EX4600/QFX5100-24Q with the 
> > > MACsec uplink module.


Re: [j-nsp] MACsec over a service provider

2017-10-27 Thread Chuck Anderson
Destination MAC 01:80:c2:00:00:03, EtherType 0x888e (ieee8021x) is
eaten by the PE router (MX480).  I'm not sure about the ASR9k at the
other end of the production scenario--it may have the same trouble.

My lab is like this, with the EX2200 substituting for the ASR9k.  The
idea is to have MACsec between the EX4300s, with the middle being
transparent to it.

I got this working:

EX4300---EX2200---EX4300

For the EX2200, I had to configure layer2-protocol-tunneling to allow
the EAPOL 802.1x through:

vlans {
    MACSEC-TRANSPORT {
        vlan-id 10;
        ##
        ## Warning: requires 'dot1q-tunneling' license
        ##
        dot1q-tunneling {
            layer2-protocol-tunneling {
                all;
            }
        }
    }
}

MACsec comes up fine on both EX4300s and I can ping between them.


But this fails:

EX4300---EX2200---MX480---EX4300

I'm doing simple bridging through the MX, but the MX doesn't support
the mac-rewrite needed (ieee8021x).  Anyone have any clever ideas to
work around that limitation?

On Fri, Oct 27, 2017 at 05:40:57PM +0300, Elijah Zhuravlev wrote:
> Hello
> 
> Ethertypes 0x888e and 0x88e5 should be supported by the switching hw,
> no other special requirements.
> Btw keep in mind MACsec overhead, +32.
> 
> regards, Eli
> 
> On Fri, 27 Oct 2017 10:23:01 -0400
> Chuck Anderson  wrote:
> 
> > Has anyone been able to run MACsec over a service provider's Ethernet
> > Private Line (or even just an 802.1q vlan)?  I'm looking at using 10gig
> > ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink
> > module.


Re: [j-nsp] MACsec over a service provider

2017-10-27 Thread Elijah Zhuravlev
Sorry, 32b overhead is for my installation, it may vary.

regards, Eli

On Fri, 27 Oct 2017 10:23:01 -0400
Chuck Anderson  wrote:

> Has anyone been able to run MACsec over a service provider's Ethernet
> Private Line (or even just an 802.1q vlan)?  I'm looking at using 10gig
> ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink
> module.


Re: [j-nsp] MACsec over a service provider

2017-10-27 Thread Elijah Zhuravlev
Hello

Ethertypes 0x888e and 0x88e5 should be supported by the switching hw,
no other special requirements.
Btw keep in mind MACsec overhead, +32.

regards, Eli

On Fri, 27 Oct 2017 10:23:01 -0400
Chuck Anderson  wrote:

> Has anyone been able to run MACsec over a service provider's Ethernet
> Private Line (or even just an 802.1q vlan)?  I'm looking at using 10gig
> ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink
> module.
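An added example (not code from this thread) that makes two points of the discussion concrete: which frames a carrier bridge is liable to consume rather than forward (EAPOL/MKA sent to 01:80:c2:00:00:03 with EtherType 0x888e, the frames Chuck saw the PE eat), and where Eli's "+32" comes from (a MACsec SecTAG of 8 or 16 bytes depending on whether the SCI is carried, plus a 16-byte ICV). The sample frames, source MAC and port ID are constructed for the example.

```python
import struct

ETHERTYPE_EAPOL = 0x888E   # 802.1X EAPOL; MKA key agreement rides on it
ETHERTYPE_MACSEC = 0x88E5  # 802.1AE SecTAG
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
RESERVED_PREFIX = bytes.fromhex("0180c20000")    # 01:80:C2:00:00:00-0F: link-local, not bridged
ICV_LEN = 16               # GCM-AES ICV appended to every protected frame
SRC = bytes.fromhex("0011aa000001")              # constructed source MAC (assumption)

def parse_sectag(body: bytes) -> dict:
    """Decode the SecTAG that follows EtherType 0x88e5 (body starts at TCI/AN)."""
    if len(body) < 6:
        raise ValueError("truncated SecTAG")
    tci_an = body[0]
    sc_present = bool(tci_an & 0x20)  # TCI SC bit: an explicit 8-byte SCI follows the PN
    if sc_present and len(body) < 14:
        raise ValueError("SC bit set but SCI missing")
    sectag_len = 2 + 1 + 1 + 4 + (8 if sc_present else 0)  # EtherType+TCI/AN+SL+PN[+SCI]
    return {
        "an": tci_an & 0x03,
        "encrypted": bool(tci_an & 0x08),  # E bit (0x04 is the C, changed-text, bit)
        "pn": struct.unpack("!I", body[2:6])[0],
        "sci": body[6:14].hex() if sc_present else None,
        "overhead": sectag_len + ICV_LEN,  # 24 bytes without SCI, 32 with it
    }

def classify(frame: bytes) -> dict:
    """Describe what a carrier device in the path sees for one frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[:6]
    etype = struct.unpack("!H", frame[12:14])[0]
    info = {
        "dst": dst.hex(":"),
        "ethertype": etype,
        # a standards-compliant bridge consumes frames to this block instead of forwarding them
        "bridge_reserved_dst": dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F,
    }
    if etype == ETHERTYPE_EAPOL:
        info["kind"] = "eapol"
        info["pae_group_dst"] = dst == PAE_GROUP_ADDR
    elif etype == ETHERTYPE_MACSEC:
        info["kind"] = "macsec"
        info.update(parse_sectag(frame[14:]))
    else:
        info["kind"] = "other"
    return info

def carrier_mtu_needed(payload_mtu: int, overhead: int) -> int:
    """Largest frame the carrier circuit must carry for a given inner MTU."""
    return payload_mtu + overhead

# Constructed sample frames (not captures from the thread); payload and ICV are zeroed.
def eapol_mka_frame() -> bytes:
    return PAE_GROUP_ADDR + SRC + b"\x88\x8e" + b"\x03\x05\x00\x00"  # EAPOL v3, type 5 = MKA

def macsec_frame(tci_an: int, sci: bytes = b"") -> bytes:
    pn = b"\x00\x00\x00\x2a"  # PN = 42; SL = 0 means the payload is not "short"
    return (bytes.fromhex("0011aa000002") + SRC + b"\x88\xe5" + bytes([tci_an, 0])
            + pn + sci + b"\x00" * (46 + ICV_LEN))
```

With TCI 0x2C (SC, E and C bits set) the frame carries an explicit SCI and the overhead is 32 bytes; with 0x0C it is 24, which is why the figure varies between installations as Eli noted.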


[j-nsp] MACsec over a service provider

2017-10-27 Thread Chuck Anderson
Has anyone been able to run MACsec over a service provider's Ethernet
Private Line (or even just an 802.1q vlan)?  I'm looking at using 10gig
ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink
module.