Re: [j-nsp] Event script to advertise DHCP issued IP in LLDP?

2019-11-27 Thread Martin Tonusoo
Hi Matt,

> This is probably a feature request, but maybe another
> creative solution is possible? Thanks.

What if you simply periodically check the address on the IRB interface and, if
it differs from the LLDP management-address, configure the latter
accordingly? Something like this:
https://github.com/jumation/mgmt-IP-to-LLDP


WBR,
Martin
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
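The decision logic of the polling approach described in the message above, written here as an added example; it is not code from the linked mgmt-IP-to-LLDP repository nor from the poster. The two operational outputs (a `show interfaces irb terse` and a `show configuration protocols lldp | display set`) are constructed samples, the addresses are documentation addresses, and the assumption is that the DHCP-issued address lives on irb.0 and that `protocols lldp management-address` is the leaf being kept in sync. Only the comparison and the resulting `set` command are shown; handing the command to the CLI and committing is the part an event script does on the box.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample of `show interfaces irb terse` output (not taken from the
# thread); the address is the one DHCP is assumed to have handed out.
TERSE_SAMPLE = """\
Interface               Admin Link Proto    Local                 Remote
irb                     up    up
irb.0                   up    up   inet     192.0.2.57/24
                                   multiservice
"""

# Constructed sample of `show configuration protocols lldp | display set`,
# still carrying the address from a previous lease.
LLDP_SET_SAMPLE = """\
set protocols lldp management-address 192.0.2.12
set protocols lldp interface all
"""


def irb_inet_address(terse_output: str, ifname: str = "irb.0") -> Optional[str]:
    """Return the IPv4 address (without prefix length) currently bound on
    ifname, or None when the unit has no inet address, e.g. before the DHCP
    lease has been acquired."""
    for line in terse_output.splitlines():
        fields = line.split()
        # Expected row shape: <name> <admin> <link> inet <address/len>
        if len(fields) >= 5 and fields[0] == ifname and fields[3] == "inet":
            try:
                return str(ipaddress.ip_interface(fields[4]).ip)
            except ValueError:
                return None
    return None


def lldp_management_address(set_config: str) -> Optional[str]:
    """Return the address configured under `protocols lldp management-address`,
    or None if it is unset."""
    m = re.search(r"^set protocols lldp management-address (\S+)\s*$",
                  set_config, re.MULTILINE)
    return m.group(1) if m else None


def reconcile(current_irb: Optional[str], configured_lldp: Optional[str]) -> List[str]:
    """Return the configuration commands that make the LLDP management address
    match the IRB address; an empty list means the two already agree.
    management-address is a single-valued leaf, so one `set` replaces the old
    value and no `delete` is needed."""
    if current_irb is None:
        # No lease yet: keep whatever is configured rather than flapping it.
        return []
    if current_irb == configured_lldp:
        return []
    return [f"set protocols lldp management-address {current_irb}"]


def plan_change(terse_output: str, set_config: str) -> List[str]:
    """One polling cycle: read both sides, decide, and return the commands an
    event script would hand to the CLI (followed by a commit when non-empty)."""
    return reconcile(irb_inet_address(terse_output),
                     lldp_management_address(set_config))


if __name__ == "__main__":
    for cmd in plan_change(TERSE_SAMPLE, LLDP_SET_SAMPLE):
        print(cmd)
```

On the router this would be driven by an `event-options` timer (`generate-event ... time-interval`) whose policy runs the script; because the function returns nothing when the addresses already match, repeated runs are idempotent and no commit is triggered on every poll.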


Re: [j-nsp] [EXT] Re: MX204 MACsec

2019-11-27 Thread Anderson, Charles R
Interesting.  I wonder if this falls under "This is implemented, but not 
supported by JTAC."  You'd have to actually try it to see...

On Wed, Nov 27, 2019 at 01:18:29PM -0600, Aaron Gould wrote:
> [edit]
> me@site2-204-3# show | compare
> [edit]
> +  security {
> +  macsec {
> +  connectivity-association my-ca1 {
> +  security-mode static-cak;
> +  mka {
> +  transmit-interval 6000;
> +  key-server-priority 0;
> +  }
> +  replay-protect {
> +  replay-window-size 5;
> +  }
> +  offset 30;
> +  pre-shared-key {
> +  ckn (i removed);
> +  cak "(i removed)"; ## SECRET-DATA
> +  }
> +  exclude-protocol lldp;
> +  }
> +  interfaces {
> +  xe-0/1/0 {
> +  connectivity-association my-ca1;
> +  }
> +  }
> +  }
> +  }
> 
> [edit]
> me@site2-204-3# commit check
> configuration check succeeds
> 
> [edit]
> me@site2-204-3# show security
> macsec {
> connectivity-association my-ca1 {
> security-mode static-cak;
> mka {
> transmit-interval 6000;
> key-server-priority 0;
> }
> replay-protect {
> replay-window-size 5;
> }
> offset 30;
> pre-shared-key {
> ckn (i removed);
> cak "(i removed)"; ## SECRET-DATA
> }
> exclude-protocol lldp;
> }
> interfaces {
> xe-0/1/0 {
> connectivity-association my-ca1;
> }
> }
> }
> 
> [edit]
> me@site2-204-3#
> 
> 
> 
> - Aaron


Re: [j-nsp] [EXT] Re: MX204 MACsec

2019-11-27 Thread Aaron Gould
[edit]
me@site2-204-3# show | compare
[edit]
+  security {
+  macsec {
+  connectivity-association my-ca1 {
+  security-mode static-cak;
+  mka {
+  transmit-interval 6000;
+  key-server-priority 0;
+  }
+  replay-protect {
+  replay-window-size 5;
+  }
+  offset 30;
+  pre-shared-key {
+  ckn (i removed);
+  cak "(i removed)"; ## SECRET-DATA
+  }
+  exclude-protocol lldp;
+  }
+  interfaces {
+  xe-0/1/0 {
+  connectivity-association my-ca1;
+  }
+  }
+  }
+  }

[edit]
me@site2-204-3# commit check
configuration check succeeds

[edit]
me@site2-204-3# show security
macsec {
connectivity-association my-ca1 {
security-mode static-cak;
mka {
transmit-interval 6000;
key-server-priority 0;
}
replay-protect {
replay-window-size 5;
}
offset 30;
pre-shared-key {
ckn (i removed);
cak "(i removed)"; ## SECRET-DATA
}
exclude-protocol lldp;
}
interfaces {
xe-0/1/0 {
connectivity-association my-ca1;
}
}
}

[edit]
me@site2-204-3#



- Aaron



Re: [j-nsp] [EXT] Re: MX204 MACsec

2019-11-27 Thread Anderson, Charles R
On Wed, Nov 27, 2019 at 12:54:01PM -0600, Aaron Gould wrote:
> Before or after I do that config test ?  Asking since I didn't commit that
> as it's on a MX204 in a far-away place during a thanksgiving week
> network-change moratorium, I'm treading on thin ice.  LOL

Either.  No need to commit, just show the config before you try to commit or 
commit check.  Here is an example of how it looks when you try to configure an 
unsupported feature:

{master:0}[edit firewall family ethernet-switching filter TEST]
user@ex4300# show
term 1 {
    from {
        ##
        ## Warning: configuration block ignored: unsupported platform (ex4300-48p)
        ##
        source-address {
            10.0.0.0/16;
...

user@ex4300# rollback
user@ex4300# exit
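The check suggested above, `commit check` passing while a stanza is silently ignored, is easy to automate: Junos marks the ignored statement in `show` output with a `## Warning:` annotation just before it. The following is an added example, not code from the thread or from Juniper, that walks `show` output and reports the configuration path of every annotated block or leaf, so a pre-commit pipeline can fail instead of carrying dead configuration. The sample output is constructed in the shape of the EX4300 example; the second ignored statement in it is invented to show that more than one finding is reported.

```python
import re
from typing import List, Tuple

# Constructed `show` output in the shape of the EX4300 example above, with a
# second ignored statement added so that more than one finding is produced.
SHOW_SAMPLE = """\
term 1 {
    from {
        ##
        ## Warning: configuration block ignored: unsupported platform (ex4300-48p)
        ##
        source-address {
            10.0.0.0/16;
        }
        ##
        ## Warning: statement ignored: unsupported platform (ex4300-48p)
        ##
        ip-options any;
    }
    then accept;
}
"""

WARNING_RE = re.compile(r"^##\s*Warning:\s*(.+?)\s*$")


def ignored_statements(show_output: str, base_path: str = "") -> List[Tuple[str, str]]:
    """Walk `show` output and return (configuration path, warning text) for
    every block or leaf that Junos annotated with a ## Warning line.
    base_path is the [edit ...] hierarchy the show was run from."""
    findings: List[Tuple[str, str]] = []
    stack: List[str] = [base_path] if base_path else []
    pending = None
    for raw in show_output.splitlines():
        line = raw.strip()
        if not line or line == "##":
            continue
        m = WARNING_RE.match(line)
        if m:
            pending = m.group(1)            # applies to the next statement
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            name = line[:-1].strip()
            if pending:
                findings.append((" ".join(stack + [name]), pending))
                pending = None
            stack.append(name)
        elif line.endswith(";"):
            if pending:
                findings.append((" ".join(stack + [line[:-1].strip()]), pending))
                pending = None
    return findings


def config_is_fully_applied(show_output: str, base_path: str = "") -> bool:
    """True when nothing in the shown hierarchy carries a ## Warning."""
    return not ignored_statements(show_output, base_path)
```

Feed it the text of `show` from the relevant hierarchy (here `firewall family ethernet-switching filter TEST`) and treat a non-empty result as a failed change, the same way a failed `commit check` would be treated.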


Re: [j-nsp] [EXT] Re: MX204 MACsec

2019-11-27 Thread Aaron Gould
Before or after I do that config test ?  Asking since I didn't commit that
as it's on a MX204 in a far-away place during a thanksgiving week
network-change moratorium, I'm treading on thin ice.  LOL

-Aaron




Re: [j-nsp] [EXT] Re: MX204 MACsec

2019-11-27 Thread Anderson, Charles R
Can you do "show security" and see if there as a message about "unsupported"?

On Wed, Nov 27, 2019 at 10:50:07AM -0600, Aaron Gould wrote:
> Not knowing much about this, but going from this site's guidance ( I stopped 
> halfway down the page ) , 
> https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html
> 
> ...i did the following... 
> 
> [edit]
> me@site2-204-3# show | compare
> [edit]
> +  security {
> +  macsec {
> +  connectivity-association my-ca1 {
> +  security-mode static-cak;
> +  mka {
> +  transmit-interval 6000;
> +  key-server-priority 0;
> +  }
> +  replay-protect {
> +  replay-window-size 5;
> +  }
> +  offset 30;
> +  pre-shared-key {
> +  ckn 37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311;
> +  cak "$9$9Zp0tBIhSrlM8n/0IhcleaZGD.P5T36/tPfIESr8LVwY4UjfTzn9AF3A0BIrlaZGjmfFn/CA0JGjqP5F3evM8X-oJGDHqLx"; ## SECRET-DATA
> +  }
> +  exclude-protocol lldp;
> +  }
> +  interfaces {
> +  xe-0/1/0 {
> +  connectivity-association my-ca1;
> +  }
> +  }
> +  }
> +  }
> 
> [edit]
> me@site2-204-3# commit check
> configuration check succeeds
> 
> [edit]
> me@site2-204-3#
> 


Re: [j-nsp] MX204 MACsec

2019-11-27 Thread Richard McGovern via juniper-nsp
So it looks like SW allows for the commands, as other MX products do have MACsec 
support.  I am 99.999% sure these commands will do nothing but make your config 
file larger.

Thanks for the input.  Rich

Richard McGovern
Sr Sales Engineer, Juniper Networks 
978-618-3342
 
I’d rather be lucky than good, as I know I am not good
I don’t make the news, I just report it
 

On 11/27/19, 11:50 AM, "Aaron Gould"  wrote:

Not knowing much about this, but going from this site's guidance ( I 
stopped halfway down the page ) , 
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html

...i did the following... 

[edit]
me@site2-204-3# show | compare
[edit]
+  security {
+  macsec {
+  connectivity-association my-ca1 {
+  security-mode static-cak;
+  mka {
+  transmit-interval 6000;
+  key-server-priority 0;
+  }
+  replay-protect {
+  replay-window-size 5;
+  }
+  offset 30;
+  pre-shared-key {
+  ckn 37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311;
+  cak "$9$9Zp0tBIhSrlM8n/0IhcleaZGD.P5T36/tPfIESr8LVwY4UjfTzn9AF3A0BIrlaZGjmfFn/CA0JGjqP5F3evM8X-oJGDHqLx"; ## SECRET-DATA
+  }
+  exclude-protocol lldp;
+  }
+  interfaces {
+  xe-0/1/0 {
+  connectivity-association my-ca1;
+  }
+  }
+  }
+  }

[edit]
me@site2-204-3# commit check
configuration check succeeds

[edit]
me@site2-204-3#



- Aaron





Re: [j-nsp] MX204 MACsec

2019-11-27 Thread Aaron Gould
Not knowing much about this, but going from this site's guidance ( I stopped 
halfway down the page ) , 
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html

...i did the following... 

[edit]
me@site2-204-3# show | compare
[edit]
+  security {
+  macsec {
+  connectivity-association my-ca1 {
+  security-mode static-cak;
+  mka {
+  transmit-interval 6000;
+  key-server-priority 0;
+  }
+  replay-protect {
+  replay-window-size 5;
+  }
+  offset 30;
+  pre-shared-key {
+  ckn 37c9c2c45ddd012aa5bc8ef284aa23ff6729ee2e4acb66e91fe34ba2cd9fe311;
+  cak "$9$9Zp0tBIhSrlM8n/0IhcleaZGD.P5T36/tPfIESr8LVwY4UjfTzn9AF3A0BIrlaZGjmfFn/CA0JGjqP5F3evM8X-oJGDHqLx"; ## SECRET-DATA
+  }
+  exclude-protocol lldp;
+  }
+  interfaces {
+  xe-0/1/0 {
+  connectivity-association my-ca1;
+  }
+  }
+  }
+  }

[edit]
me@site2-204-3# commit check
configuration check succeeds

[edit]
me@site2-204-3#



- Aaron

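Two things in the connectivity-association above are worth a practitioner's attention regardless of whether the MX204 can act on it: `offset 30` is one of the 802.1AE confidentiality offsets (0, 30 or 50 bytes of each frame's payload left unencrypted), `exclude-protocol lldp` sends LLDP outside MACsec, and the `cak` value is shown with Junos `$9$` obfuscation, which is reversible rather than a hash, so a CAK pasted into a public archive has to be treated as disclosed and rotated (later copies of the message do redact it). The following is an added example, not the poster's code nor a Juniper tool, that parses a `[security macsec]` stanza and lists such properties next to a tightened, constructed variant. The CKN/CAK values in the first sample are placeholders, the severity labels are this script's own scale, and the tightened variant assumes a `pre-shared-key-chain` named macsec-kc1 configured elsewhere.

```python
import re
from typing import Any, Dict, List, Tuple

# The connectivity-association posted in the thread; CKN and CAK replaced by
# constructed placeholder values.
POSTED_CA = """\
security {
    macsec {
        connectivity-association my-ca1 {
            security-mode static-cak;
            mka {
                transmit-interval 6000;
                key-server-priority 0;
            }
            replay-protect {
                replay-window-size 5;
            }
            offset 30;
            pre-shared-key {
                ckn 00112233445566778899aabbccddeeff;
                cak "$9$placeholder"; ## SECRET-DATA
            }
            exclude-protocol lldp;
        }
    }
}
"""

# Constructed tightened variant: no confidentiality offset, strict replay
# check, nothing excluded, explicit cipher, and the key taken from a key chain
# (assumed to be configured elsewhere) instead of a CAK inside the CA.
TIGHTENED_CA = """\
security {
    macsec {
        connectivity-association my-ca1 {
            security-mode static-cak;
            cipher-suite gcm-aes-128;
            replay-protect {
                replay-window-size 0;
            }
            offset 0;
            pre-shared-key-chain macsec-kc1;
        }
    }
}
"""


def parse_junos(text: str) -> Dict[str, Any]:
    """Minimal parser for Junos curly-brace config: blocks become nested dicts,
    leaves map to their value (True when bare, a list when repeated).
    ## annotations such as SECRET-DATA are stripped."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = re.sub(r"\s*##.*$", "", raw).strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            block: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line.endswith(";"):
            parts = line[:-1].split(None, 1)
            key = parts[0]
            val: Any = parts[1].strip().strip('"') if len(parts) == 2 else True
            old = stack[-1].get(key)
            if old is None:
                stack[-1][key] = val
            elif isinstance(old, list):
                old.append(val)
            else:
                stack[-1][key] = [old, val]
    return root


def audit_ca(name: str, ca: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one connectivity-association."""
    f: List[Tuple[str, str]] = []
    mode = ca.get("security-mode")
    if mode not in ("static-cak", "dynamic"):
        f.append(("high", f"{name}: security-mode missing or unrecognised ({mode})"))
    if mode == "static-cak" and not ("pre-shared-key" in ca or "pre-shared-key-chain" in ca):
        f.append(("high", f"{name}: static-cak without pre-shared-key or pre-shared-key-chain"))
    if "no-encryption" in ca:
        f.append(("high", f"{name}: no-encryption set, frames are integrity-protected only"))
    offset = int(ca.get("offset", 0))          # Junos default offset is 0
    if offset:
        f.append(("medium", f"{name}: confidentiality offset {offset}, the first "
                            f"{offset} bytes of each frame's payload are sent in cleartext"))
    rp = ca.get("replay-protect")
    if rp is None:
        f.append(("medium", f"{name}: replay-protect not configured"))
    elif isinstance(rp, dict) and int(rp.get("replay-window-size", 0)):
        f.append(("info", f"{name}: replay window {rp['replay-window-size']} accepts frames "
                          "arriving that far behind the highest packet number seen"))
    excl = ca.get("exclude-protocol")
    if excl:
        protos = excl if isinstance(excl, list) else [excl]
        f.append(("info", f"{name}: {', '.join(protos)} bypasses MACsec and is sent in cleartext"))
    psk = ca.get("pre-shared-key")
    if isinstance(psk, dict) and str(psk.get("cak", "")).startswith("$9$"):
        f.append(("info", f"{name}: CAK stored with $9$ obfuscation, which is reversible; "
                          "any copy of this config reveals the key"))
    if "cipher-suite" not in ca:
        f.append(("info", f"{name}: cipher-suite not set, Junos default gcm-aes-128 applies"))
    return f


def audit_config(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Audit every connectivity-association found under [security macsec]."""
    macsec = parse_junos(text).get("security", {}).get("macsec", {})
    return {key.split(None, 1)[1]: audit_ca(key.split(None, 1)[1], ca)
            for key, ca in macsec.items()
            if key.startswith("connectivity-association ") and isinstance(ca, dict)}
```

Run `audit_config` over the text of `show security macsec`; the posted stanza yields no high findings but does surface the offset, the excluded protocol and the obfuscated CAK, while the tightened variant yields none. Whether a given platform actually enforces any of this is a separate question, which for the MX204 the rest of the thread answers.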


Re: [j-nsp] MX204 MACsec

2019-11-27 Thread Richard McGovern via juniper-nsp
Oh, I am sure the commands are there in the CLI as Juniper generally does not 
"hide" non-affecting functions from the CLI, on a per product basis.  If 
actually used you 'might' get an "unsupported on this platform" message, when 
you try to commit.  For sure if used, these commands will do nothing.  I am 
like 99.9% sure of that.

If possible maybe you could config and then perform a commit check to see what 
results you get?  I do not have a MX204 handy to try this.

Thanks and regards, Rich

Richard McGovern
Sr Sales Engineer, Juniper Networks 
978-618-3342
 
I’d rather be lucky than good, as I know I am not good
I don’t make the news, I just report it
 

On 11/27/19, 11:17 AM, "Aaron Gould"  wrote:

I don't know much about this, but, for what it's worth, I do see this on one
of my MX204's...

me@site2-204-3# set security macsec connectivity-association test ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  cipher-suite         Cipher suite to be used for encryption
> exclude-protocol     Configure protocols to exclude from MAC Security
  include-sci          Include secure channel identifier in MAC Security PDU
> mka                  Configure MAC Security Key Agreement protocol properties
  no-encryption        Disable encryption
  offset               Confidentiality offset
> pre-shared-key       Configure pre-shared connectivity association key
  pre-shared-key-chain  Pre-shared key chain name for connectivity association
> replay-protect       Configure replay protection
> secure-channel       Configure secure channel properties
  security-mode        Connectivity association mode
  |                    Pipe through a command

[edit]
me@site2-204-3# exit
Exiting configuration mode

me@site2-204-3> show system information
Model: mx204
Family: junos
Junos: 18.4R1-S3.1
Hostname: site2-204-3

me@site2-204-3>


-Aaron





Re: [j-nsp] MX204 MACsec

2019-11-27 Thread Aaron Gould
I don't know much about this, but, for what it's worth, I do see this on one
of my MX204's...

me@site2-204-3# set security macsec connectivity-association test ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  cipher-suite         Cipher suite to be used for encryption
> exclude-protocol     Configure protocols to exclude from MAC Security
  include-sci          Include secure channel identifier in MAC Security PDU
> mka                  Configure MAC Security Key Agreement protocol properties
  no-encryption        Disable encryption
  offset               Confidentiality offset
> pre-shared-key       Configure pre-shared connectivity association key
  pre-shared-key-chain  Pre-shared key chain name for connectivity association
> replay-protect       Configure replay protection
> secure-channel       Configure secure channel properties
  security-mode        Connectivity association mode
  |                    Pipe through a command

[edit]
me@site2-204-3# exit
Exiting configuration mode

me@site2-204-3> show system information
Model: mx204
Family: junos
Junos: 18.4R1-S3.1
Hostname: site2-204-3

me@site2-204-3>


-Aaron



Re: [j-nsp] MX204 MACsec

2019-11-27 Thread Richard McGovern via juniper-nsp
I am fairly certain the original link that Graham posted - 
https://apps.juniper.net/feature-explorer/parent-feature-info.html?pFName=Media%20Access%20Control%20Security%20(MACsec)
  - where it shows that the MX204 has support for Unicast MAC DA for MACsec is 
inaccurate.  One would first need MACsec support to support this extra feature, 
and the MX204 does NOT have MACsec [HW] support, as Roger pointed out.

I will try to get this inaccuracy corrected.

Just FYI, Rich

Richard McGovern
Sr Sales Engineer, Juniper Networks 
978-618-3342
 
I’d rather be lucky than good, as I know I am not good
I don’t make the news, I just report it
 

On 11/26/19, 7:12 PM, "Mohammad Khalil"  wrote:

Thank you very much.

On Tue, 26 Nov 2019 at 22:33, Roger Wiklund  wrote:

> Here you go
>
>
> 
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/understanding_media_access_control_security_qfx_ex.html#jd0e108
>
>
> On Tue, Nov 26, 2019 at 9:29 PM Mohammad Khalil 
> wrote:
>
>> Thanks Roger for the kind feedback.
>> Is there any HW related documentation I can use for this?
>>
>> On Tue, 26 Nov 2019 at 22:28, Roger Wiklund 
>> wrote:
>>
>>> Hi
>>>
>>> MX204 does not support MACsec, it lacks the hardware for it.
>>>
>>>
>>>
>>> On Tue, Nov 26, 2019 at 9:04 PM Mohammad Khalil 
>>> wrote:
>>>
 Thanks Graham for the kind reply.
 But in general that means the MACsec standard 802.1ae is not supported on
 MX204 ports?

 Thanks again

 On Tue, 26 Nov 2019 at 21:44, Graham Brown <
 juniper-...@grahambrown.info>
 wrote:

 > Hi Mohammad,
 >
 > The following link displays specific elements pertaining to MACSec
 support
 > on various Juniper platforms, MX204 included:
 >
 
https://apps.juniper.net/feature-explorer/parent-feature-info.html?pFName=Media%20Access%20Control%20Security%20(MACsec)
 >
 >
 > Review the link and ask the customer for clarification on what they
 > require to be supported from the equipment. Depending on what the
 > requirements are, the MX204 may be able to secure the L2 elements for
 your
 > customer.
 >
 > HTH,
 > Graham
 >
 > Graham Brown
 > Twitter - @mountainrescuer 

 > LinkedIn 

 >
 >
 > On Wed, 27 Nov 2019 at 08:39, Mohammad Khalil 
 wrote:
 >
 >> Dears
 >> I am working with a customer and MX204 is in play.
 >> The customer concern is MACsec feature support , I have read around
 >> that MX204 doesn’t Support a real MACSEC, but offers unicast MAC DA
 for
 >> MACsec and MACsec with fallback PSK are which related to allow
 exchanging
 >> and establishing Macsec connections.
 >> So frankly MX204 does not support MACsec or am I missing something?
 >>
 >> Thanks
 >>
 >

>>>


