Security


1. SRX300 MACsec over Eth

    Posted 07-07-2022 15:50
    I built a scheme in the lab to test how it works.
    Scheme:
    SRX300 #1 ge-0/0/6 <- UTP -> ge-0/0/6 SRX300 #2
    Everything works well:
    admin23@SRX-300_lab_98# run show security macsec connections interface ge-0/0/6
    CA name: ca1
    Cipher suite: GCM-AES-128 Encryption: off
    Key server offset: 0 Include SCI: yes
    Replay protect: off Replay window: 0
    Outbound secure channels
    SC Id: 10:39:E9:5E:F7:10/1
    Outgoing packet number: 19
    Secure associations
    AN: 0 Status: inuse Create time: 00:00:17
    Inbound secure channels
    SC Id: 10:39:E9:5F:8C:90/1
    Secure associations
    AN: 0 Status: inuse Create time: 00:00:17

    [edit]
    admin23@SRX-300_lab_98#

    But as soon as we put a switch in the middle (at L2), nothing works.
    Scheme:
    SRX300 #1 ge-0/0/6 <---> QFX5100 <---> ge-0/0/6 SRX300 #2
    or
    SRX300 #1 ge-0/0/6 <---> Catalyst C3650 <---> ge-0/0/6 SRX300 #2

    On the transit switch we tried various port modes, both trunk and Q-in-Q.
    We also tried playing with the SRX settings, but that did not help either:
    ====
    admin23@SRX-300_lab_98# set security macsec connectivity-association ca1 mka eapol-address ?
    Possible completions:
    <unicast-address> Unicast EAPOL destination address
    pae Port Access Entity group address (01:80:C2:00:00:03)
    provider-bridge Provider Bridge group address (01:80:C2:00:00:00)
    lldp-multicast Link Level Discovery Protocol multicast address (01:80:C2:00:00:0E)
    [edit]
    admin23@SRX-300_lab_98# set security macsec connectivity-association ca1 mka eapol-address

    ====


    Has anyone faced this?
    Or does MACsec not work at all on the SRX300?

    Thank you in advance for your feedback and comments.


    PS
    Q-in-Q config on the QFX5100:
    set interfaces ge-0/0/2 vlan-tagging
    set interfaces ge-0/0/2 mtu 2000
    set interfaces ge-0/0/2 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/2 unit 10 vlan-id-list 8
    set interfaces ge-0/0/2 unit 10 input-vlan-map push
    set interfaces ge-0/0/2 unit 10 input-vlan-map vlan-id 10
    set interfaces ge-0/0/2 unit 10 output-vlan-map pop
    set interfaces ge-0/0/8 vlan-tagging
    set interfaces ge-0/0/8 mtu 2000
    set interfaces ge-0/0/8 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/8 unit 10 vlan-id-list 8
    set interfaces ge-0/0/8 unit 10 input-vlan-map push
    set interfaces ge-0/0/8 unit 10 input-vlan-map vlan-id 10
    set interfaces ge-0/0/8 unit 10 output-vlan-map pop
    set vlans Q-in-Q interface ge-0/0/8.10
    set vlans Q-in-Q interface ge-0/0/2.10
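
Added example, not part of the original post and not a confirmed fix for this thread. It shows the one option visible in the poster's `eapol-address ?` output that does not use a reserved 01:80:C2:00:00:0x group address: sending the MKA/EAPOL frames to the peer's unicast port MAC, which a transit switch forwards like any other unicast frame instead of consuming or dropping at the bridge. The two MACs are taken from the poster's `show security macsec connections` output (the outbound SC Id is the local port MAC, the inbound SC Id is the peer's); which SRX is "#1" or "#2" is not stated on the page, so the sides are labelled by that output. The CKN/CAK values, key-server priorities, `must-secure` and the replay window are placeholders chosen here, and the poster's session runs with "Encryption: off" and "Replay protect: off", so unlike that session this example leaves encryption on (no `no-encryption` statement) and enables replay protection. Statement names are standard Junos MACsec statements; verify them against the Junos release on the box.

```junos
## Added example (not the poster's config). CKN/CAK are placeholder hex strings:
## generate your own (CAK is the 128-bit key for GCM-AES-128).
##
## --- on the SRX whose output is shown (SRX-300_lab_98, port MAC 10:39:E9:5E:F7:10) ---
set security macsec connectivity-association ca1 security-mode static-cak
set security macsec connectivity-association ca1 cipher-suite gcm-aes-128
set security macsec connectivity-association ca1 pre-shared-key ckn 0123456789abcdef0123456789abcdef
set security macsec connectivity-association ca1 pre-shared-key cak 0123456789abcdef0123456789abcdef
set security macsec connectivity-association ca1 mka key-server-priority 1
## Refuse to pass traffic in the clear if MKA does not come up.
set security macsec connectivity-association ca1 mka must-secure
## Replay protection on; window 0 = strict ordering on a point-to-point link.
set security macsec connectivity-association ca1 replay-protect replay-window-size 0
## Unicast EAPOL destination = peer's port MAC (inbound SC Id in the poster's output),
## so the transit switch forwards MKA frames instead of treating them as a
## bridge-reserved group address.
set security macsec connectivity-association ca1 mka eapol-address 10:39:E9:5F:8C:90
set security macsec interfaces ge-0/0/6 connectivity-association ca1

## --- on the peer SRX (port MAC 10:39:E9:5F:8C:90): same CA, mirrored peer address ---
set security macsec connectivity-association ca1 security-mode static-cak
set security macsec connectivity-association ca1 cipher-suite gcm-aes-128
set security macsec connectivity-association ca1 pre-shared-key ckn 0123456789abcdef0123456789abcdef
set security macsec connectivity-association ca1 pre-shared-key cak 0123456789abcdef0123456789abcdef
set security macsec connectivity-association ca1 mka key-server-priority 2
set security macsec connectivity-association ca1 mka must-secure
set security macsec connectivity-association ca1 replay-protect replay-window-size 0
set security macsec connectivity-association ca1 mka eapol-address 10:39:E9:5E:F7:10
set security macsec interfaces ge-0/0/6 connectivity-association ca1
```

Two checks worth making on the transit path before blaming the SRX. First, MACsec inserts its SecTAG directly after the source MAC, so any 802.1Q tag the SRX adds ends up inside the protected payload; a transit port that classifies on that inner tag (the `vlan-id-list 8` match in the posted QFX config) cannot see it on a MACsec frame, so the SRX-facing ports must carry the frames as-is rather than rely on the inner VLAN. Second, MACsec adds 32 bytes per frame (16-byte SecTAG with SCI plus 16-byte ICV), so the transit MTU needs that headroom; the posted `mtu 2000` already covers it. After committing, `show security macsec connections interface ge-0/0/6` should again show the inbound and outbound secure channels, now with "Encryption: on".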