Re: [j-nsp] Macsec not working with carrier ethernet link
Hi,

EX4300 is fine with license and, as I said, one of the two carriers is working.

As far as I understood, the carrier with problems is providing q-in-q tunneling, but I still have to get a confirmation on that.

@Chuck, WAN MACsec or MACsec is not an IEEE standard? Juniper doesn't have any different deployment not standard as far as I know, am I wrong?

Cheers

On Thu 26 Jul 2018, 23:01 james list wrote:

> Dear experts,
> I have a virtual chassis of ex4300 connected to another vc of ex4300 with
> 2 x 1 Gbs links provided by two carriers.
>
> Lacp aggregation is up with just one carrier1 link encrypted with macsec,
> unfortunately carrier2 is not going to find the problem and macsec packet
> are not transported.
>
> I sent them the 802.1ae standard and ethertype to transport but no way.
>
> As far as I could understand they have Huawei devices.
>
> Do you have any suggestion for me to let them verify?
>
> Cheers
> James
>
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Macsec not working with carrier ethernet link
On Thu, Jul 26, 2018 at 05:24:53PM -0500, Doug McIntyre wrote:
> On Thu, Jul 26, 2018 at 05:35:42PM -0400, Chuck Anderson wrote:
> > Ask your Juniper rep for a feature that Cisco calls "WAN MACsec".
>
> Juniper calls it MACsec.

"WAN MACsec" is a slightly modified version that Cisco made in order to allow it to work over carrier ethernet systems that are underpinned by protocols that block 802.1x EAPOL and 802.1ae among other L2 PDUs. It is designed to work when you can't get cooperation from your carrier.

If your carrier uses L2VPN, L2circuit, or some other type of point-to-point circuit, plain MACsec should "just work" as long as their physical port handoff to your MACsec switch is untagged. However, if they use VPLS or some other p2mp protocol that does MAC learning, it most likely won't bridge the 802.1x and/or 802.1ae frames unless a special config is used on the carrier side. Juniper needs to be configured to tunnel the L2 protocols for example.

> The OP probably needs to make sure the firmware is correct for his platform.
> https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec.html
> MACsec is also a licensed product.
> Make sure the switches were ordered with the EX-QFX-MACSEC-ACC3 license.

Lack of a license won't prevent it from working, at least with 14.x and 15.x--it will just warn you every time you commit. That might have changed with 17.x or 18.x.

> > On Thu, Jul 26, 2018 at 11:01:37PM +0200, james list wrote:
> > > Dear experts,
> > > I have a virtual chassis of ex4300 connected to another vc of ex4300 with
> > > 2 x 1 Gbs links provided by two carriers.
> > >
> > > Lacp aggregation is up with just one carrier1 link encrypted with macsec,
> > > unfortunately carrier2 is not going to find the problem and macsec packet
> > > are not transported.
> > >
> > > I sent them the 802.1ae standard and ethertype to transport but no way.
> > >
> > > As far as I could understand they have Huawei devices.
> > >
> > > Do you have any suggestion for me to let them verify?
> > >
> > > Cheers
> > > James
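
Added example, not part of the thread or any poster's code: a Python sketch of the check the reply above implies, classifying frames captured at each end of a carrier link to see whether EAPOL/MKA (EtherType 0x888E) and 802.1AE (EtherType 0x88E5) frames survive the path, including behind Q-in-Q tags. The sample frames and MAC addresses are constructed, and the function names are hypothetical.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}   # 802.1Q C-tag and 802.1ad S-tag (Q-in-Q)
ETH_EAPOL, ETH_MACSEC = 0x888E, 0x88E5
PAE_GROUP = bytes.fromhex("0180c2000003")  # EAPOL group address, filtered by 802.1D bridges

def classify(frame: bytes) -> dict:
    """Walk any VLAN tags, then report the fields a MACsec link depends on."""
    if len(frame) < 14:
        return {"kind": "runt"}
    off, tags = 12, []
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype in VLAN_TPIDS and len(frame) >= off + 6:
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))      # (TPID, VLAN ID)
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    info = {"kind": "other", "ethertype": etype, "vlan_tags": tags,
            "pae_group_dst": frame[:6] == PAE_GROUP}
    body = frame[off + 2:]
    if etype == ETH_EAPOL and len(body) >= 4:
        # EAPOL header: version, packet type, body length; type 5 is EAPOL-MKA
        info["kind"] = "mka" if body[1] == 5 else "eapol"
    elif etype == ETH_MACSEC and len(body) >= 6:
        # SecTAG: TCI/AN octet, short length, 32-bit packet number, optional SCI
        tci_an, _sl, pn = struct.unpack_from("!BBI", body)
        info.update(kind="macsec", an=tci_an & 0x03, pn=pn,
                    encrypted=bool(tci_an & 0x08),
                    sci=body[6:14].hex() if tci_an & 0x20 else None)
    return info

def missing_kinds(sent, received):
    """Frame kinds seen at the near end that never show up at the far end."""
    got = {classify(f)["kind"] for f in received}
    return sorted({classify(f)["kind"] for f in sent} - got)

# Constructed sample frames (not from a real capture); MACs are locally administered.
SRC, DST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
MKA = PAE_GROUP + SRC + bytes.fromhex("888e03050004") + b"\x00" * 4
SECTAG = bytes.fromhex("88e5" "2c" "00" "00000001" "0200000000010001")
MACSEC = DST + SRC + SECTAG + b"\xaa" * 32
QINQ = DST + SRC + bytes.fromhex("88a80064") + SECTAG + b"\xaa" * 32
ARP = DST + SRC + bytes.fromhex("0806") + b"\x00" * 28

if __name__ == "__main__":
    # Near end sends MKA, MACsec and ARP; only ARP arrives at the far end.
    print(missing_kinds([MKA, MACSEC, ARP], [ARP]))
```

Feeding it the raw frames from a capture taken on each side of the carrier handoff shows which of the two EtherTypes is being dropped, which is the evidence a carrier needs to locate the filtering hop.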
Re: [j-nsp] Macsec not working with carrier ethernet link
On Thu, Jul 26, 2018 at 05:35:42PM -0400, Chuck Anderson wrote:
> Ask your Juniper rep for a feature that Cisco calls "WAN MACsec".

Juniper calls it MACsec.

The OP probably needs to make sure the firmware is correct for his platform.
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec.html

MACsec is also a licensed product.
Make sure the switches were ordered with the EX-QFX-MACSEC-ACC3 license.

> On Thu, Jul 26, 2018 at 11:01:37PM +0200, james list wrote:
> > Dear experts,
> > I have a virtual chassis of ex4300 connected to another vc of ex4300 with 2
> > x 1 Gbs links provided by two carriers.
> >
> > Lacp aggregation is up with just one carrier1 link encrypted with macsec,
> > unfortunately carrier2 is not going to find the problem and macsec packet
> > are not transported.
> >
> > I sent them the 802.1ae standard and ethertype to transport but no way.
> >
> > As far as I could understand they have Huawei devices.
> >
> > Do you have any suggestion for me to let them verify?
> >
> > Cheers
> > James
Re: [j-nsp] Macsec not working with carrier ethernet link
Ask your Juniper rep for a feature that Cisco calls "WAN MACsec".

On Thu, Jul 26, 2018 at 11:01:37PM +0200, james list wrote:
> Dear experts,
> I have a virtual chassis of ex4300 connected to another vc of ex4300 with 2
> x 1 Gbs links provided by two carriers.
>
> Lacp aggregation is up with just one carrier1 link encrypted with macsec,
> unfortunately carrier2 is not going to find the problem and macsec packet
> are not transported.
>
> I sent them the 802.1ae standard and ethertype to transport but no way.
>
> As far as I could understand they have Huawei devices.
>
> Do you have any suggestion for me to let them verify?
>
> Cheers
> James
[j-nsp] Macsec not working with carrier ethernet link
Dear experts,

I have a virtual chassis of ex4300 connected to another vc of ex4300 with 2 x 1 Gbs links provided by two carriers.

Lacp aggregation is up with just one carrier1 link encrypted with macsec, unfortunately carrier2 is not going to find the problem and macsec packet are not transported.

I sent them the 802.1ae standard and ethertype to transport but no way.

As far as I could understand they have Huawei devices.

Do you have any suggestion for me to let them verify?

Cheers
James