
Macsec connection not coming up

‎04-20-2017 07:51 AM

The setup I have to realize is:

Juniper EX4550 ===Provider Switch===Provider Switch===Juniper EX4550

 

I was trying to tap the MACsec traffic using an EX4200 with 10G (non-MACsec) uplink module:

Juniper EX4550 =====xe-0/1/0=EX4200=xe-0/1/2=====Juniper EX4550

                                                           ||

                                                      Sniffer

 

It looks like the EX4200 does not forward the EtherTypes 0x888e (EAPOL) and 0x88e5 (MACsec).

The MACsec connection is not coming up.

 

Questions:

1) Is Juniper EX4550 ===Provider Switch===Provider Switch===Juniper EX4550 (L2 Ethernet WAN connection) a supported setup, and what config do I need to request from my provider?

 

2) Why is the EX4200 not transparently forwarding the MACsec traffic, even though the ethernet-switching table is correctly populated?

{master:0}
root@EX4200-Tap> show ethernet-switching table
Ethernet-switching table: 3 entries, 2 learned, 0 persistent entries
  VLAN              MAC address       Type         Age Interfaces
  vl_689            *                 Flood          - All-members
  vl_689            dc:38:e1:a1:91:03 Learn          0 xe-0/1/2.0
  vl_689            ec:13:db:2b:2b:63 Learn          0 xe-0/1/0.0

{master:0}
root@EX4200-Tap>


Re: Macsec connection not coming up

‎04-26-2017 09:53 PM

Hi,

I am not sure if this would help, because the 4200 would be dropping the traffic.

However, can you try the below firewall?

family ethernet-switching {
    filter test {
        interface-specific;
        term 1 {
            from {
                ether-type 0x888e;
            }
            then count 0x888e-count;
        }
        term 2 {
            then accept;
        }
    }
}

After applying, please attach the output of these commands:
show firewall filter test-[interface]-i
show firewall filter test-[interface]-o

Thanks
Partha
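
An added example, not part of the original posts: a sniffer-side check that classifies captured Ethernet frames by the two EtherTypes discussed in the thread and reports which ones entered the tap switch but never left it. The sample frames, the VLAN ID 689 and the helper names are constructed for illustration; the use of the default EAPOL group destination 01:80:c2:00:00:03 on this link is an assumption.

```python
import struct

EAPOL, MACSEC = 0x888E, 0x88E5   # EtherTypes named in the thread
VLAN_TAGS = {0x8100, 0x88A8}     # 802.1Q / 802.1ad tags to skip over
# 01:80:c2:00:00:00-0f are IEEE 802.1D reserved group addresses that standard
# bridges do not forward; EAPOL's default destination is 01:80:c2:00:00:03.
RESERVED_PREFIX = bytes.fromhex("0180c20000")

def classify(frame):
    """Return (label, innermost VLAN ID or None, dst_is_reserved) for one frame."""
    if len(frame) < 14:
        return ("truncated", None, False)
    dst = frame[:6]
    reserved = dst[:5] == RESERVED_PREFIX and dst[5] <= 0x0F
    offset, vlan = 12, None
    (etype,) = struct.unpack_from("!H", frame, offset)
    while etype in VLAN_TAGS:                 # walk past stacked VLAN tags
        if len(frame) < offset + 6:
            return ("truncated", vlan, reserved)
        tci, etype = struct.unpack_from("!HH", frame, offset + 2)
        vlan, offset = tci & 0x0FFF, offset + 4
    label = {EAPOL: "eapol", MACSEC: "macsec"}.get(etype, f"other-0x{etype:04x}")
    return (label, vlan, reserved)

def missing_after_tap(ingress, egress):
    """Frame classes captured on the ingress side but absent on the egress side."""
    seen_out = {classify(f)[0] for f in egress}
    return sorted({classify(f)[0] for f in ingress} - seen_out)

def build(dst, src, etype, vlan=None, payload=b"\x00" * 46):
    """Hypothetical helper: assemble a constructed test frame."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return mac(dst) + mac(src) + tag + struct.pack("!H", etype) + payload

# Constructed sample captures (MAC addresses taken from the switching table above).
A, B = "ec:13:db:2b:2b:63", "dc:38:e1:a1:91:03"
EAPOL_FRAME = build("01:80:c2:00:00:03", A, EAPOL)
MACSEC_FRAME = build(B, A, MACSEC)
ARP_FRAME = build("ff:ff:ff:ff:ff:ff", A, 0x0806, vlan=689)
INGRESS = [EAPOL_FRAME, MACSEC_FRAME, ARP_FRAME]   # seen entering the tap switch
EGRESS = [ARP_FRAME]                               # seen leaving it

if __name__ == "__main__":
    for f in INGRESS:
        print(classify(f))
    print("missing after tap:", missing_after_tap(INGRESS, EGRESS))
```

Feeding it frames captured on both sides of the intermediate switch shows whether 0x888e and 0x88e5 are being dropped in transit, which complements the per-interface counter in the filter above.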