Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advance Threat Protection, Policy Enforcer, SecIntel, Secure Analytics, Secure Connect, Secure Director and all things related to Juniper security technologies.
  • 1.  SRX300 MACsec over Eth

    Posted 07-07-2022 15:50
    I built a Scheme in the lab to test how it works.
    Scheme:
    SRX300@1 ge-0/0/6 < - utp - > ge-0/0/6 SRX300#2
    Everything works well
    admin23@SRX-300_lab_98# run show security macsec connections interface ge-0/0/6
    CA name: ca1
    Cipher suite: GCM-AES-128 Encryption: off
    Key server offset: 0 Include SCI: yes
    Replay protect: off Replay window: 0
    Outbound secure channels
    SC Id: 10:39:E9:5E:F7:10/1
    Outgoing packet number: 19
    Secure associations
    AN: 0 Status: inuse Create time: 00:00:17
    Inbound secure channels
    SC Id: 10:39:E9:5F:8C:90/1
    Secure associations
    AN: 0 Status: inuse Create time: 00:00:17

    [edit]
    admin23@SRX-300_lab_98#

    but as soon as we install an L2 switch in the middle, nothing works
    Scheme:
    SRX300@1 ge-0/0/6 <---> QFX5100 <---> ge-0/0/6 SRX300#2
    or
    SRX300@1 ge-0/0/6 <---> Catalyst C3650 <---> ge-0/0/6 SRX300#2

    on the transit switch, we checked various options for the port mode of operation, both Trunk and Q-in-Q
    we also tried playing with the settings on the SRX, and it does not help
    ====
    admin23@SRX-300_lab_98# set security macsec connectivity-association ca1 mka eapol-address ?
    Possible completions:
    <unicast-address> Unicast EAPOL destination address
    pae Port Access Entity group address (01:80:C2:00:00:03)
    provider-bridge Provider Bridge group address (01:80:C2:00:00:00)
    lldp-multicast Link Level Discovery Protocol multicast address (01:80:C2:00:00:0E)
    [edit]
    admin23@SRX-300_lab_98# set security macsec connectivity-association ca1 mka eapol-address

    ====


    Who has faced this?
    Or does MACsec not work at all on SRX300?

    Thank you in advance for your feedback and comments.


    PS
    Q-in-Q config on QFX5100
    set interfaces ge-0/0/2 vlan-tagging
    set interfaces ge-0/0/2 mtu 2000
    set interfaces ge-0/0/2 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/2 unit 10 vlan-id-list 8
    set interfaces ge-0/0/2 unit 10 input-vlan-map push
    set interfaces ge-0/0/2 unit 10 input-vlan-map vlan-id 10
    set interfaces ge-0/0/2 unit 10 output-vlan-map pop
    set interfaces ge-0/0/8 vlan-tagging
    set interfaces ge-0/0/8 mtu 2000
    set interfaces ge-0/0/8 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/8 unit 10 vlan-id-list 8
    set interfaces ge-0/0/8 unit 10 input-vlan-map push
    set interfaces ge-0/0/8 unit 10 input-vlan-map vlan-id 10
    set interfaces ge-0/0/8 unit 10 output-vlan-map pop
    set vlans Q-in-Q interface ge-0/0/8.10
    set vlans Q-in-Q interface ge-0/0/2.10
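
An added example (not from the original post, not Juniper tooling) that does two things a reviewer of this thread would want: it parses the `show security macsec connections` output quoted above and flags the settings that matter for security (the lab session runs with `Encryption: off` and `Replay protect: off`), and it models why an MKA session survives a direct cable but not a transit switch. MKA frames go to the reserved group address selected by `mka eapol-address`; IEEE 802.1Q Table 8-1 says which bridge types relay each of those addresses, and the default PAE address 01:80:C2:00:00:03 is relayed only by a TPMR, never by a C-VLAN or S-VLAN bridge. The sample output is a constructed copy of the post's output, and treating a given QFX or Catalyst port as a standards C-VLAN or S-VLAN bridge for these addresses is an assumption to verify on the real device.

```python
import re

# Constructed sample: the shape of the show command output quoted in the post.
SAMPLE_OUTPUT = """\
CA name: ca1
Cipher suite: GCM-AES-128 Encryption: off
Key server offset: 0 Include SCI: yes
Replay protect: off Replay window: 0
Outbound secure channels
SC Id: 10:39:E9:5E:F7:10/1
Outgoing packet number: 19
Secure associations
AN: 0 Status: inuse Create time: 00:00:17
Inbound secure channels
SC Id: 10:39:E9:5F:8C:90/1
Secure associations
AN: 0 Status: inuse Create time: 00:00:17
"""

# Junos prints several "Key: value" pairs per line, so split on the key
# pattern (lazy, letters and spaces up to the first colon) rather than whitespace.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s+(\S+)")


def parse_macsec_connections(text):
    """Flatten the summary lines into one dict; keep SC Ids per direction."""
    fields = {"outbound_sc": [], "inbound_sc": []}
    direction = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Outbound secure channels":
            direction = "outbound_sc"
            continue
        if stripped == "Inbound secure channels":
            direction = "inbound_sc"
            continue
        for key, value in PAIR_RE.findall(stripped):
            if key == "SC Id" and direction:
                fields[direction].append(value)
            else:
                fields[key.strip()] = value
    return fields


def audit_macsec(fields):
    """Return the settings a security reviewer would flag in this session."""
    findings = []
    if fields.get("Encryption", "off").lower() != "on":
        findings.append("Encryption: off (integrity-only MACsec; frames are "
                        "authenticated but the payload is not confidential)")
    if fields.get("Replay protect", "off").lower() != "on":
        findings.append("Replay protect: off (replayed frames inside an SA "
                        "are accepted)")
    if not fields["inbound_sc"] or not fields["outbound_sc"]:
        findings.append("secure channel missing in one direction "
                        "(MKA did not converge)")
    return findings


# The three group addresses the Junos 'mka eapol-address' knob offers, with the
# bridge types that relay them per IEEE 802.1Q Table 8-1. A TPMR (two-port
# MAC relay) relays everything except the Nearest Bridge address.
EAPOL_DST = {
    "01:80:c2:00:00:03": ("pae (Nearest non-TPMR Bridge)", {"tpmr"}),
    "01:80:c2:00:00:00": ("provider-bridge (Nearest Customer Bridge)",
                          {"tpmr", "provider-bridge"}),
    "01:80:c2:00:00:0e": ("lldp-multicast (Nearest Bridge)", set()),
}
TRANSIT_TYPES = {"tpmr", "customer-bridge", "provider-bridge"}


def bridge_relays_eapol(dst_mac, transit):
    """Would a standards-compliant transit device of type `transit` relay an
    MKA frame addressed to dst_mac? Unicast is forwarded like any frame."""
    if transit not in TRANSIT_TYPES:
        raise ValueError(f"unknown transit type {transit!r}")
    mac = dst_mac.lower()
    if not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", mac):
        raise ValueError(f"malformed MAC {dst_mac!r}")
    if int(mac[:2], 16) & 1 == 0:  # I/G bit clear: unicast, learned and forwarded
        return True
    if mac in EAPOL_DST:
        return transit in EAPOL_DST[mac][1]
    raise ValueError(f"{dst_mac} is not one of the eapol-address choices")


if __name__ == "__main__":
    parsed = parse_macsec_connections(SAMPLE_OUTPUT)
    for finding in audit_macsec(parsed):
        print("FLAG:", finding)
    for mac, (label, _) in EAPOL_DST.items():
        for transit in sorted(TRANSIT_TYPES):
            print(f"{label:45s} via {transit:16s} -> "
                  f"{'relayed' if bridge_relays_eapol(mac, transit) else 'dropped'}")
```

Running it against the quoted output prints two flags (encryption and replay protection both off) and a relay table showing that the default PAE address is dropped by both a customer (C-VLAN) and a provider (S-VLAN) bridge, while the `provider-bridge` address is relayed by an S-VLAN bridge only. That is the standards view; whether a given QFX5100 or Catalyst port honours those rules or applies a vendor-specific filter is something to confirm on the device itself.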