Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advance Threat Protection, Policy Enforcer, SecIntel, Secure Analytics, Secure Connect, Secure Director and all things related to Juniper security technologies.
  • 1.  SRX300 MACsec over Eth

    Posted 07-07-2022 10:56
    I built a scheme in the lab to test how it works.
    Scheme:
    SRX300@1 ge-0/0/6 < -- utp -- > ge-0/0/6 SRX300#2
    Everything works well
    admin23@SRX-300_lab_98# run show security macsec connections interface ge-0/0/6
    CA name: ca1
    Cipher suite: GCM-AES-128 Encryption: off
    Key server offset: 0 Include SCI: yes
    Replay protect: off Replay window: 0
    Outbound secure channels
    SC Id: 10:39:E9:5E:F7:10/1
    Outgoing packet number: 19
    Secure associations
    AN: 0 Status: inuse Create time: 00:00:17
    Inbound secure channels
    SC Id: 10:39:E9:5F:8C:90/1
    Secure associations
    AN: 0 Status: inuse Create time: 00:00:17

    [edit]
    admin23@SRX-300_lab_98#

    but as soon as we install a switch in the middle at L2, nothing works.
    Scheme:
    SRX300@1 ge-0/0/6 <---> QFX5100 <---> ge-0/0/6 SRX300#2
    or
    SRX300@1 ge-0/0/6 <---> Catalyst C3650 <---> ge-0/0/6 SRX300#2

    On the transit switch, we checked various options for the port mode of operation, both trunk and Q-in-Q.
    We also tried to play with the SRX settings, which did not help.
    ====
    admin23@SRX-300_lab_98# set security macsec connectivity-association ca1 mka eapol-address ?
    Possible completions:
    <unicast-address> Unicast EAPOL destination address
    pae Port Access Entity group address (01:80:C2:00:00:03)
    provider-bridge Provider Bridge group address (01:80:C2:00:00:00)
    lldp-multicast Link Level Discovery Protocol multicast address (01:80:C2:00:00:0E)
    [edit]
    admin23@SRX-300_lab_98# set security macsec connectivity-association ca1 mka eapol-address

    ====


    Has anyone faced this?
    Or does MACsec not work at all on the SRX300?

    Thank you in advance for your feedback and comments.


    PS
    Q-in-Q config on the QFX5100
    set interfaces ge-0/0/2 vlan-tagging
    set interfaces ge-0/0/2 mtu 2000
    set interfaces ge-0/0/2 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/2 unit 10 vlan-id-list 8
    set interfaces ge-0/0/2 unit 10 input-vlan-map push
    set interfaces ge-0/0/2 unit 10 input-vlan-map vlan-id 10
    set interfaces ge-0/0/2 unit 10 output-vlan-map pop
    set interfaces ge-0/0/8 vlan-tagging
    set interfaces ge-0/0/8 mtu 2000
    set interfaces ge-0/0/8 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/8 unit 10 vlan-id-list 8
    set interfaces ge-0/0/8 unit 10 input-vlan-map push
    set interfaces ge-0/0/8 unit 10 input-vlan-map vlan-id 10
    set interfaces ge-0/0/8 unit 10 output-vlan-map pop
    set vlans Q-in-Q interface ge-0/0/8.10
    set vlans Q-in-Q interface ge-0/0/2.10

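The following is an added example written for this page; it is not code from the thread or from Juniper. It parses the `show security macsec connections` output pasted in the first post (copied here as constructed test input), flags the two settings a reviewer would question in that output (Encryption: off, meaning integrity-only MACsec with the payload in clear, and Replay protect: off), confirms that each direction has an in-use secure association, and classifies an MKA EAPOL destination MAC against the IEEE 802.1Q reserved group-address range 01:80:C2:00:00:00 to 01:80:C2:00:00:0F, which standard (C-VLAN) bridges do not forward. The default PAE address shown in the `eapol-address ?` listing falls in that range; the unicast option does not. Whether a particular transit switch passes a given address is not something the thread establishes, so the classifier only reports the range, not a verdict about the lab switches.

```python
"""Posture check for Junos `show security macsec connections` output (added example)."""
import re
from dataclasses import dataclass, field

# Constructed test input: the CLI output pasted in the first post.
SAMPLE_OUTPUT = """\
CA name: ca1
Cipher suite: GCM-AES-128 Encryption: off
Key server offset: 0 Include SCI: yes
Replay protect: off Replay window: 0
Outbound secure channels
SC Id: 10:39:E9:5E:F7:10/1
Outgoing packet number: 19
Secure associations
AN: 0 Status: inuse Create time: 00:00:17
Inbound secure channels
SC Id: 10:39:E9:5F:8C:90/1
Secure associations
AN: 0 Status: inuse Create time: 00:00:17
"""

# Several "key: value" pairs share one line, so match all known keys anywhere in a line.
FIELD_RE = re.compile(
    r"(CA name|Cipher suite|Encryption|Key server offset|Include SCI|Replay protect|"
    r"Replay window|SC Id|Outgoing packet number|AN|Status|Create time): (\S+)"
)


@dataclass
class MacsecConnection:
    ca_name: str = ""
    cipher_suite: str = ""
    encryption: bool = False
    replay_protect: bool = False
    replay_window: int = 0
    include_sci: bool = False
    # direction -> list of (AN, status) for each secure association
    secure_associations: dict = field(
        default_factory=lambda: {"outbound": [], "inbound": []}
    )


def parse_macsec_connections(text):
    """Parse one CA's `show security macsec connections` output into a MacsecConnection."""
    conn = MacsecConnection()
    direction = None
    pending_an = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Outbound secure channels"):
            direction = "outbound"
            continue
        if stripped.startswith("Inbound secure channels"):
            direction = "inbound"
            continue
        for key, value in FIELD_RE.findall(stripped):
            if key == "CA name":
                conn.ca_name = value
            elif key == "Cipher suite":
                conn.cipher_suite = value
            elif key == "Encryption":
                conn.encryption = value == "on"
            elif key == "Replay protect":
                conn.replay_protect = value == "on"
            elif key == "Replay window":
                conn.replay_window = int(value)
            elif key == "Include SCI":
                conn.include_sci = value == "yes"
            elif key == "AN":
                pending_an = int(value)
            elif key == "Status" and direction is not None:
                conn.secure_associations[direction].append((pending_an, value))
    return conn


def assess(conn):
    """Return findings a reviewer would raise; an empty list means nothing flagged."""
    findings = []
    if not conn.encryption:
        findings.append("Encryption off: integrity-only MACsec, frame payload is sent in clear")
    if not conn.replay_protect:
        findings.append("Replay protect off: replayed frames are not rejected")
    for direction, sas in conn.secure_associations.items():
        if not any(status == "inuse" for _, status in sas):
            findings.append(f"no in-use secure association in the {direction} direction")
    return findings


def classify_eapol_destination(mac):
    """'unicast', 'reserved-group' (01:80:C2:00:00:00..0F, not forwarded by
    standard bridges) or 'other-multicast' for an MKA EAPOL destination MAC."""
    octets = [int(o, 16) for o in mac.split(":")]
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    if octets[0] & 0x01 == 0:          # I/G bit clear: individual (unicast) address
        return "unicast"
    if octets[:5] == [0x01, 0x80, 0xC2, 0x00, 0x00] and octets[5] <= 0x0F:
        return "reserved-group"
    return "other-multicast"


if __name__ == "__main__":
    parsed = parse_macsec_connections(SAMPLE_OUTPUT)
    for finding in assess(parsed):
        print(f"[{parsed.ca_name}] {finding}")
    for addr in ("01:80:C2:00:00:03", "01:80:C2:00:00:00", "01:80:C2:00:00:0E"):
        print(addr, classify_eapol_destination(addr))
```

Run it against a saved copy of the real command output instead of SAMPLE_OUTPUT to audit a CA after any change to the connectivity-association; the two findings it raises for the thread's output are independent of the transit problem being discussed.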

  • 2.  RE: SRX300 MACsec over Eth

     
    Posted 07-07-2022 11:49
    Yes, it's supported on the SRX-3xx, and I'm pretty sure you need to configure MACsec on the QFX if you're putting it between the SRXs.


  • 3.  RE: SRX300 MACsec over Eth

    Posted 07-08-2022 04:01
    Yes, but what if the switch is not under our control?
    The main idea is to build a MACsec L2 channel through it.

    And how do we transit MACsec frames through someone else's L2 transport network?
    The MTU on the switch ports is set to 2000.


  • 4.  RE: SRX300 MACsec over Eth

    Posted 07-11-2022 05:37
    Are there any other ideas?


  • 5.  RE: SRX300 MACsec over Eth

    Posted 07-08-2022 09:26
    I'm not sure if I need to configure the QFX switch further. In this case, if you join the provider's service, do you need to configure the SP side? I think the main idea is to protect yourself from the service provider? What port mode should I use to pass EAPoL packets?


    ------------------------------
    YEVHENII ZDORENKO
    ------------------------------