I've done 1g MACSEC over l2circuit or ccc just fine.. You can even do stuff like get an MX104 with a 20G MIC that supports MACSEC, loop a 1g port back into itself, carry that EoMPLS over a GRE tunnel w/ inline frag/re-assembly and do "encrypted" VPN using a pair of MX104s..
-- Tim

On Tue, Oct 31, 2017 at 3:49 PM, Chuck Anderson <c...@wpi.edu> wrote:
> My testing has revealed that it works, as long as the service provider (MX) is doing something like e-line/l2circuit/CCC rather than bridging. I even got it to work with ethernet-ccc on the MX port facing the EX4300 and vlan-ccc on the MX port facing the core/WAN.
>
> However I've now run into an issue where I can only get a single MACsec connection working on the EX4300's. As soon as I add a 2nd one, it fails to come up. If I then reboot, neither one comes up. If I deactivate the 2nd one, the 1st one comes up.
>
> On Tue, Oct 31, 2017 at 07:30:35PM +0000, Nick Cutting wrote:
> > I am also interested in this - my carriers keep saying "try it"
> >
> > I have the config now - still have not tested - but I'm moving many of my customer P2P links (hosted by carriers) to nexus switches that don't support macsec.
> >
> > Is anyone in the enterprise doing this over e-line services?
> >
> > -----Original Message-----
> > From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Chuck Anderson
> > Sent: Friday, October 27, 2017 9:39 PM
> > To: juniper-nsp@puck.nether.net
> > Subject: Re: [j-nsp] MACsec over a service provider
> >
> > Destination MAC 01:80:c2:00:00:03, EtherType 0x888e (ieee8021x) is eaten by the PE router (MX480). I'm not sure about the ASR9k at the other end of the production scenario--it may have the same trouble.
> >
> > My lab is like this, with the EX2200 substituting for the ASR9k. The idea is to have MACsec between the EX4300s, with the middle being transparent to it.
> >
> > I got this working:
> >
> > EX4300---EX2200---EX4300
> >
> > For the EX2200, I had to configure layer2-protocol-tunneling to allow the EAPOL 802.1x through:
> >
> > vlans {
> >     MACSEC-TRANSPORT {
> >         vlan-id 10;
> >         ##
> >         ## Warning: requires 'dot1q-tunneling' license
> >         ##
> >         dot1q-tunneling {
> >             layer2-protocol-tunneling {
> >                 all;
> >             }
> >         }
> >     }
> > }
> >
> > MACsec comes up fine on both EX4300s and I can ping between them.
> >
> > But this fails:
> >
> > EX4300---EX2200---MX480---EX4300
> >
> > I'm doing simple bridging through the MX, but the MX doesn't support the mac-rewrite needed (ieee8021x). Anyone have any clever ideas to work around that limitation?
> >
> > On Fri, Oct 27, 2017 at 05:40:57PM +0300, Elijah Zhuravlev wrote:
> > > Hello
> > >
> > > Ethertypes 0x888e and 0x88e5 should be supported by the switching hw, no other special requirements.
> > > Btw keep in mind the macsec overhead, +32.
> > >
> > > regards, Eli
> > >
> > > On Fri, 27 Oct 2017 10:23:01 -0400
> > > Chuck Anderson <c...@wpi.edu> wrote:
> > >
> > > > Has anyone been able to run MACsec over a service provider's Ethernet Private Line (or even just a 802.1q vlan)? I'm looking at using 10gig ports on the EX4300 or the EX4600/QFX5100-24Q with the MACsec uplink module.
> _______________________________________________
> juniper-nsp mailing list
> juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
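An added example, not code from the thread: the frame-level check an engineer can run over a capture taken on the CE-facing side to confirm what the carrier path must carry. It classifies EAPOL frames (EtherType 0x888e to 01:80:c2:00:00:03, which carry the MKA key agreement and are what the PE was eating) versus MACsec frames (0x88e5), decodes the 802.1AE SecTAG, and reports the per-frame overhead Eli mentions (16-byte SecTAG with SCI plus 16-byte ICV = 32). The two sample frames are constructed inline, not captures from the list.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                        # IEEE 802.1X (EAPOL), carries MKA
MACSEC_ETHERTYPE = 0x88E5                       # IEEE 802.1AE (MACsec)
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")  # EAPOL destination consumed by the PE
ICV_LEN = 16                                    # GCM-AES ICV appended to each MACsec frame

def parse_frame(frame: bytes) -> dict:
    """Classify an Ethernet frame and, for MACsec, decode the SecTAG fields."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype}
    if ethertype == EAPOL_ETHERTYPE:
        # MKA rides on EAPOL; if the provider drops PAE-group frames, MACsec never keys up.
        info["kind"] = "eapol"
        info["pae_group_dst"] = dst == PAE_GROUP_ADDR
        return info
    if ethertype == MACSEC_ETHERTYPE:
        tci_an, sl = frame[14], frame[15]
        pn = struct.unpack("!I", frame[16:20])[0]
        sci_present = bool(tci_an & 0x20)        # TCI SC bit: explicit SCI follows PN
        sectag_len = 16 if sci_present else 8    # EtherType + TCI/AN + SL + PN (+ SCI)
        info.update({
            "kind": "macsec",
            "an": tci_an & 0x03,                 # association number
            "encrypted": bool(tci_an & 0x08),    # TCI E bit
            "pn": pn,                            # packet number (replay window input)
            "sci": frame[20:28].hex() if sci_present else None,
            "short_length": sl,                  # 0 means secure data >= 48 bytes
            "overhead": sectag_len + ICV_LEN,    # bytes added on top of the plain frame
        })
        return info
    info["kind"] = "other"
    return info

# Constructed sample frames (hypothetical MACs, not captures from the thread).
SAMPLE_EAPOL = (PAE_GROUP_ADDR + bytes.fromhex("001122334455") + b"\x88\x8e"
                + b"\x03\x05\x00\x00")                # EAPOL v3, type 5 = MKA, empty body
SAMPLE_MACSEC = (bytes.fromhex("001122334466") + bytes.fromhex("001122334455") + b"\x88\xe5"
                 + bytes([0x2C])                      # TCI/AN: SC=1, E=1, C=1, AN=0
                 + b"\x00"                            # SL=0: secure data is >= 48 bytes
                 + b"\x00\x00\x00\x01"                # packet number 1
                 + bytes.fromhex("0011223344550001")  # SCI = source MAC + port 1
                 + b"\x00" * 48 + b"\xAA" * ICV_LEN)  # ciphertext placeholder + ICV

if __name__ == "__main__":
    for f in (SAMPLE_EAPOL, SAMPLE_MACSEC):
        print(parse_frame(f))
```

Run it against frames pulled from a capture on the EX4300 uplink: if EAPOL frames leave the CE but never arrive at the far end, the provider is consuming them, and the MACsec overhead value tells you how much MTU headroom the e-line needs.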