I built a scheme in the lab to test how it works.
Scheme: SRX300@1 ge-0/0/6 <-- utp --> ge-0/0/6 SRX300#2
Everything works well.
admin23@SRX-300_lab_98# run show security macsec connections interface ge-0/0/6
CA name: ca1
Cipher suite: GCM-AES-128 Encryption: off
Key server offset: 0 Include SCI: yes
Replay protect: off Replay window: 0
Outbound secure channels
SC Id: 10:39:E9:5E:F7:10/1
Outgoing packet number: 19
Secure associations
AN: 0 Status: inuse Create time: 00:00:17
Inbound secure channels
SC Id: 10:39:E9:5F:8C:90/1
Secure associations
AN: 0 Status: inuse Create time: 00:00:17

[edit]
admin23@SRX-300_lab_98#
But when we install a switch in the middle of L2, nothing works.
Scheme:
SRX300@1 ge-0/0/6 <---> QFX5100 <---> ge-0/0/6 SRX300#2
or
SRX300@1 ge-0/0/6 <---> Catalyst C3650 <---> ge-0/0/6 SRX300#2
On the transit switch, we checked various options for the mode of operation of the ports, both in trunk and in Q-in-Q.
We also tried to play with the settings on the SRX, and that does not help.
====
admin23@SRX-300_lab_98# set security macsec connectivity-association ca1 mka eapol-address ?
Possible completions:
  <unicast-address>    Unicast EAPOL destination address
  pae                  Port Access Entity group address (01:80:C2:00:00:03)
  provider-bridge      Provider Bridge group address (01:80:C2:00:00:00)
  lldp-multicast       Link Level Discovery Protocol multicast address (01:80:C2:00:00:0E)
[edit]
admin23@SRX-300_lab_98# set security macsec connectivity-association ca1 mka eapol-address
====
Has anyone faced this?
Or does MACsec not work at all on the SRX300?
Thank you in advance for your feedback and comments.
PS
Q-in-Q config on QFX5100:
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 mtu 2000
set interfaces ge-0/0/2 encapsulation extended-vlan-bridge
set interfaces ge-0/0/2 unit 10 vlan-id-list 8
set interfaces ge-0/0/2 unit 10 input-vlan-map push
set interfaces ge-0/0/2 unit 10 input-vlan-map vlan-id 10
set interfaces ge-0/0/2 unit 10 output-vlan-map pop
set interfaces ge-0/0/8 vlan-tagging
set interfaces ge-0/0/8 mtu 2000
set interfaces ge-0/0/8 encapsulation extended-vlan-bridge
set interfaces ge-0/0/8 unit 10 vlan-id-list 8
set interfaces ge-0/0/8 unit 10 input-vlan-map push
set interfaces ge-0/0/8 unit 10 input-vlan-map vlan-id 10
set interfaces ge-0/0/8 unit 10 output-vlan-map pop
set vlans Q-in-Q interface ge-0/0/8.10
set vlans Q-in-Q interface ge-0/0/2.10