nanog mailing list archives
Configuring of MACsec for three EX4300 Switches
From: switch999--- via NANOG <nanog () nanog org>
Date: Fri, 23 Oct 2020 16:23:15 +0200 (CEST)
Hi,

following only the required configuration of https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html for "Configuring MACsec Using Static Connectivity Association Key (CAK) Mode" works fine for two switches, but not with a third EX4300 in the middle. Thus, could anyone please help with what is required to ensure connectivity through three EX4300?

Even the configuration (A; with several tries) on the outer-side switches, such as e.g. the following, given for one port per switch:

    jack@cs2# set security macsec connectivity-association ca1 mka eapol-address provider-bridge
    jack@cs2# set security macsec connectivity-association ca1 mka eapol-address lldp-multicast
    jack@cs2# set protocols layer2-control mac-rewrite interface ge-0/0/13 protocol ieee8021

did not work for the three EX4300.

Tunneling through an EX4200 in the middle (via VLAN, see snippet below) worked fine, even without the configuration (A) on the outer-side switches, with only the most important commands given in https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-series.html.

Any idea why tunneling through the middle EX4300 failed? (Used version: 17.3R3-S9.3!)

Regards,
Jack

PS: What is the equivalent code for the EX4300 of the following EX4200 code?

    vlan-id 55;
    dot1q-tunneling {
        layer2-protocol-tunneling {
            all;
        }
    }