Junos OS


macsec on LAG with vlans

  • 1.  macsec on LAG with vlans

    Posted 03-25-2020 02:38

    Hi,

    Could I ask if this config is expected to work with static macsec:

    set security macsec connectivity-association NAME security-mode static-cak

    set security macsec connectivity-association NAME pre-shared-key ckn <key>

    set security macsec connectivity-association NAME pre-shared-key cak <key>

    set security macsec interfaces ae0.101 connectivity-association NAME

    set security macsec interfaces ae0.202 connectivity-association NAME

    set security macsec interfaces ae0.303 connectivity-association NAME

    #or should it be as below and remove the VLAN-ID: 

    set security macsec interfaces ae0 connectivity-association NAME



  • 2.  RE: macsec on LAG with vlans
    Best Answer

    Posted 03-25-2020 04:09

    Hi Colin, 

     

    According to me, it should be "set security macsec interfaces ae0 connectivity-association NAME"

    Because MACsec is not supported for logical aggregated interfaces. So this would not work on ae0.101 (logical ae interface) 

    Link: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html

     

    Please mark "accept as solution" if this answers your query. Kudos are appreciated too!

     

    Regards,
    Sharat

     




  • 3.  RE: macsec on LAG with vlans

    Posted 03-25-2020 05:11

    Thanks Sharat, yes the article confirms.

     

    So I appear to have options to try:

    set security macsec connectivity-association NAME security-mode static-cak

    set security macsec connectivity-association NAME pre-shared-key ckn <key>

    set security macsec connectivity-association NAME pre-shared-key cak <key>

    set security macsec interfaces ae0 connectivity-association NAME

    #or

    set security macsec connectivity-association NAME security-mode static-cak

    set security macsec connectivity-association NAME pre-shared-key ckn <key>

    set security macsec connectivity-association NAME pre-shared-key cak <key>

    set security macsec interfaces xe-0/2/0 connectivity-association NAME

    set security macsec interfaces xe-0/2/1 connectivity-association NAME

    #or

    set security macsec connectivity-association NAME security-mode static-cak

    set security macsec connectivity-association NAME pre-shared-key ckn <key>

    set security macsec connectivity-association NAME pre-shared-key cak <key>

    set security macsec interfaces xe-0/2/0 connectivity-association NAME

    set security macsec interfaces xe-0/2/1 connectivity-association NAME

    set security macsec interfaces ae0 connectivity-association NAME



  • 4.  RE: macsec on LAG with vlans

    Posted 03-25-2020 05:35

    Hi Colin, 

     

    Yes, there are different options like you said.

    Also, please mark "Accept as Solution" if my post answered your query. 

     

    Regards,
    Sharat Ainapur



  • 5.  RE: macsec on LAG with vlans

    Posted 03-25-2020 14:00

    I have it running with MACsec on physical member interfaces of a LAG on an EX4600.

     

    set security macsec connectivity-association NAME security-mode static-cak

    set security macsec connectivity-association NAME pre-shared-key ckn <key>

    set security macsec connectivity-association NAME pre-shared-key cak <key>

    set security macsec interfaces xe-0/2/0 connectivity-association NAME

    set security macsec interfaces xe-0/2/1 connectivity-association NAME

     

    xe-0/2/0 and xe-0/2/1 are members of ae0

     

    I didn't have to include ae0 in the MACsec configuration.



  • 6.  RE: macsec on LAG with vlans

    Posted 03-30-2020 01:14

    Thank you all for your replies, those were the correct answers 🙂



  • 7.  RE: macsec on LAG with vlans

     
    Posted 03-25-2020 04:18

    Hi Colin,

     

    MACsec is not supported on logical interfaces for aggregated interfaces. So I suggest you attempt configuring it on the physical interface and check if it works.

     

    Secondly, even when MACsec is enabled on a logical interface, the VLANs will not be encrypted; instead they are sent in clear text.

     

    Thanks and Regards,

    Pradeep Kumar M
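
The two points raised in this thread (posts 2 and 7: a connectivity association on a logical ae unit is not supported; post 5: bind it to each physical LAG member) can be checked against a candidate configuration before commit. The Python check below is an added example, not part of any poster's reply and not Juniper code; the `ether-options 802.3ad` membership lines in the sample, the function name `audit_macsec` and the finding labels are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample config. Interface and CA names follow the thread; the
# 802.3ad membership lines are assumed, since the thread does not show them.
SAMPLE = """\
set interfaces xe-0/2/0 ether-options 802.3ad ae0
set interfaces xe-0/2/1 ether-options 802.3ad ae0
set security macsec connectivity-association NAME security-mode static-cak
set security macsec interfaces xe-0/2/0 connectivity-association NAME
set security macsec interfaces ae0.101 connectivity-association NAME
"""

MEMBER_RE = re.compile(
    r"^set interfaces (\S+) (?:gigether|ether)-options 802\.3ad (ae\d+)$")
MACSEC_RE = re.compile(
    r"^set security macsec interfaces (\S+) connectivity-association (\S+)$")
AE_UNIT_RE = re.compile(r"ae\d+\.\d+")


def audit_macsec(config):
    """Return sorted (finding, detail) tuples for MACsec bindings on LAGs."""
    members = defaultdict(set)   # ae bundle -> physical member links
    bound = {}                   # interface -> connectivity association
    for raw in config.splitlines():
        line = raw.strip()
        if m := MEMBER_RE.match(line):
            members[m.group(2)].add(m.group(1))
        elif m := MACSEC_RE.match(line):
            bound[m.group(1)] = m.group(2)

    findings = []
    # Posts 2 and 7: a CA bound to a logical ae unit (ae0.101) is unsupported.
    for ifname in bound:
        if AE_UNIT_RE.fullmatch(ifname):
            findings.append(("logical-ae-unit", ifname))
    # Post 5: the CA goes on every physical member; a member without one
    # is not covered by MACsec.
    for ae, links in members.items():
        if ae in bound:          # CA bound to the bundle itself (post 2)
            continue
        for link in links:
            if link not in bound:
                findings.append(("member-without-macsec", f"{ae}:{link}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_macsec(SAMPLE):
        print(*finding)
```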



  • 8.  RE: macsec on LAG with vlans

    Posted 03-25-2020 05:12

    Thanks for your reply Pradeep, for additional info