Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  SRX300 MACsec over Eth

    Posted 07-07-2022 10:56
    I built a Scheme in the lab to test how it works.
    Scheme:
    SRX300@1 ge-0/0/6 < -- utp -- > ge-0/0/6 SRX300#2
    Everything works well
    admin23@SRX-300_lab_98# run show security macsec connections interface ge-0/0/6
    CA name: ca1
    Cipher suite: GCM-AES-128 Encryption: off
    Key server offset: 0 Include SCI: yes
    Replay protect: off Replay window: 0
    Outbound secure channels
    SC Id: 10:39:E9:5E:F7:10/1
    Outgoing packet number: 19
    Secure associations
    AN: 0 Status: inuse Create time: 00:00:17
    Inbound secure channels
    SC Id: 10:39:E9:5F:8C:90/1
    Secure associations
    AN: 0 Status: inuse Create time: 00:00:17

    [edit]
    admin23@SRX-300_lab_98#

    but as soon as we install a switch in the middle of L2, nothing works
    Scheme:
    SRX300@1 ge-0/0/6 <---> QFX5100 <--->ge-0/0/6 SRX300#2
    or
    SRX300@1 ge-0/0/6 <---> Catalyst C3650 <--->ge-0/0/6 SRX300#2

    On the transit switch, we checked various port operating modes, both Trunk and Q-in-Q.
    We also tried playing with the settings on the SRX, but it does not help.
    ====
    admin23@SRX-300_lab_98# set security macsec connectivity-association ca1 mka eapol-address ?
    Possible completions:
    <unicast-address> Unicast EAPOL destination address
    pae Port Access Entity group address (01:80:C2:00:00:03)
    provider-bridge Provider Bridge group address (01:80:C2:00:00:00)
    lldp-multicast Link Level Discovery Protocol multicast address (01:80:C2:00:00:0E)
    [edit]
    admin23@SRX-300_lab_98# set security macsec connectivity-association ca1 mka eapol-address

    ====


    Who has faced this?
    Or does MACsec not work at all on the SRX300?

    Thank you in advance for your feedback and comments.


    PS
    Q-in-Q config on the QFX5100
    set interfaces ge-0/0/2 vlan-tagging
    set interfaces ge-0/0/2 mtu 2000
    set interfaces ge-0/0/2 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/2 unit 10 vlan-id-list 8
    set interfaces ge-0/0/2 unit 10 input-vlan-map push
    set interfaces ge-0/0/2 unit 10 input-vlan-map vlan-id 10
    set interfaces ge-0/0/2 unit 10 output-vlan-map pop
    set interfaces ge-0/0/8 vlan-tagging
    set interfaces ge-0/0/8 mtu 2000
    set interfaces ge-0/0/8 encapsulation extended-vlan-bridge
    set interfaces ge-0/0/8 unit 10 vlan-id-list 8
    set interfaces ge-0/0/8 unit 10 input-vlan-map push
    set interfaces ge-0/0/8 unit 10 input-vlan-map vlan-id 10
    set interfaces ge-0/0/8 unit 10 output-vlan-map pop
    set vlans Q-in-Q interface ge-0/0/8.10
    set vlans Q-in-Q interface ge-0/0/2.10
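    As an added example (not from this thread), the decoder below parses a constructed EAPOL frame as it would appear on the transit link, peels any 802.1Q/Q-in-Q tags, and reports which of the SRX "eapol-address" options the destination MAC corresponds to; the bridge-forwarding notes are taken from the IEEE 802.1Q reserved group address rules, not from the thread, and the source MAC is borrowed from the SC Id shown above.

```python
# Added example: inspect an EAPOL (MKA) frame captured on the transit link.
import struct

ETHERTYPE_EAPOL = 0x888E
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}   # C-tag, S-tag (Q-in-Q), legacy S-tag
EAPOL_MKA = 3                           # EAPOL packet type for MKA (802.1X-2010)

# Junos "mka eapol-address" options from the thread, with how an 802.1Q bridge
# treats each reserved group address (IEEE 802.1Q-2011, Table 8-1).
EAPOL_GROUP_ADDRESSES = {
    "01:80:c2:00:00:03": ("pae", "filtered by every bridge except a TPMR"),
    "01:80:c2:00:00:00": ("provider-bridge",
                          "filtered by C-VLAN bridges, forwarded by S-VLAN (provider) bridges"),
    "01:80:c2:00:00:0e": ("lldp-multicast", "filtered by every bridge, including TPMRs"),
}


def decode_eapol(frame: bytes):
    """Return dst, stripped VLAN IDs, EAPOL type and bridge handling; None if not EAPOL."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, tags = 14, []
    while ethertype in VLAN_TPIDS:      # peel 802.1Q / Q-in-Q tags one by one
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        tags.append(tci & 0x0FFF)
        offset += 4
    if ethertype != ETHERTYPE_EAPOL:
        return None
    version, ptype, length = struct.unpack("!BBH", frame[offset:offset + 4])
    dst_str = ":".join(f"{b:02x}" for b in dst)
    option, note = EAPOL_GROUP_ADDRESSES.get(
        dst_str, ("unicast-address", "forwarded like any unicast frame"))
    return {"dst": dst_str, "vlans": tags, "eapol_version": version,
            "is_mka": ptype == EAPOL_MKA, "mka_length": length,
            "eapol_address": option, "bridge_handling": note}


def build_frame(dst_mac: str, vlans=(), ptype=EAPOL_MKA, body=b"\x00" * 4) -> bytes:
    """Construct a minimal EAPOL frame (constructed sample, not a real capture)."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex("1039e95ef710")
    for tpid, vid in vlans:             # e.g. (0x88A8, 10) outer S-tag, (0x8100, 8) inner
        hdr += struct.pack("!HH", tpid, vid)
    return hdr + struct.pack("!HBBH", ETHERTYPE_EAPOL, 3, ptype, len(body)) + body


if __name__ == "__main__":
    print(decode_eapol(build_frame("01:80:c2:00:00:03")))
    print(decode_eapol(build_frame("01:80:c2:00:00:00", vlans=[(0x88A8, 10), (0x8100, 8)])))
```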


  • 2.  RE: SRX300 MACsec over Eth

     
    Posted 07-07-2022 11:49
    Yes, it's supported on the SRX-3xx, and I'm pretty sure you need to configure MACsec on the QFX if you're putting it between the SRXs.


  • 3.  RE: SRX300 MACsec over Eth

    Posted 07-08-2022 04:01
    Yes, but what if the switch is not under our control?
    The main idea is to build a MACsec L2 channel through it.

    And how do we transit MACsec packets through someone else's L2 transport network?
    The MTU on the switch ports is set to 2000.


  • 4.  RE: SRX300 MACsec over Eth

    Posted 07-11-2022 05:37
    Are there any other ideas?


  • 5.  RE: SRX300 MACsec over Eth

    Posted 07-08-2022 09:26
    I'm not sure if I need to configure the QFX switch further. In this case, if you join the provider's service, do you need to configure the SP side? I think the main idea is to protect yourself from the service provider? What port mode should I use to pass EAPoL packets?


    ------------------------------
    YEVHENII ZDORENKO
    ------------------------------