Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  MacSec Support on EX2200 switches

    Posted 01-07-2014 16:03

    Hi Guys,

    I need to encrypt a Layer 2 point-to-point WAN link. I have been looking at MacSec 802.1ae and it seems to be something that will be suitable for this purpose.

    I have read that the EX2200-C will support MacSec: http://www.juniper.net/us/en/local/pdf/datasheets/1000388-en.pdf

    So my questions are:

    a) Do the EX2200-24 / 48 support MacSec?

    b) What other technique could be used to encrypt Layer 2 either between two EX2200 or two SRX?

    Thanks in advance



  • 2.  RE: MacSec Support on EX2200 switches
    Best Answer

    Posted 01-22-2014 18:06

    Hi Cognesis,

    According to the 13.2X50 release notes, MACSEC is now available on EX; however, it is included in a "controlled" version of code which (despite what the release notes say) is not available for download from the support site.

    http://www.juniper.net/techpubs/en_US/junos13.2/information-products/topic-collections/qfx-series/release-notes/ex-qfx-series-junos-release-notes-13.2X50.pdf

    (look under "Infrastructure")

    I would recommend logging a JTAC ticket and seeing if they can provide it for you.

    As for the suitability of running this over a L2 WAN service - that I'm not sure on. I can't find any good technical doco, but I suspect MACSEC would use link-local traffic to form adjacencies and would probably not pass through the NTU that is delivering your L2 VPN service.

    If it does, please post on your experience :)

    SRX/IPSEC is the best way to do it; however, you won't be able to maintain an L2 IPSEC VPN - you'll need to route it.

    If you are adamant on keeping the connection L2, then an SRX using a VPLSoGREoIPSEC tunnel would do the trick at the cost of complexity and MTU reduction.



  • 3.  RE: MacSec Support on EX2200 switches

    Posted 04-11-2014 01:27

    MacSec was released in 13.2X50-D15, but only for EX4300, EX4550 and the special MacSec Uplink module for EX4200.

    A few other EX models (like EX2200, EX3300, EX6200) list hardware support for MacSec in their datasheets, but as far as I know it is not yet available in Junos.

    It does not yet work across "L2 links"; only direct fiber or copper.