Junos

macsec on LAG with vlans

‎03-25-2020 02:38 AM

Hi,

Could I ask if this config is expected to work with static macsec:

set security macsec connectivity-association NAME security-mode static-cak

set security macsec connectivity-association NAME pre-shared-key ckn <key>

set security macsec connectivity-association NAME pre-shared-key cak <key>

set security macsec interfaces ae0.101 connectivity-association NAME

set security macsec interfaces ae0.202 connectivity-association NAME

set security macsec interfaces ae0.303 connectivity-association NAME

#or should it be as below and remove the VLAN-ID: 

set security macsec interfaces ae0 connectivity-association NAME

Solution
Accepted by topic author colin5000
‎03-30-2020 01:12 AM

Re: macsec on LAG with vlans

‎03-25-2020 04:09 AM

Hi Colin, 

 

According to me, it should be "set security macsec interfaces ae0 connectivity-association NAME"

Because MACsec is not supported for logical aggregated interfaces. So this would not work on ae0.101 (logical ae interface) 

Link: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/macsec-configuring-mx-se...

 

Please mark "accept as solution" if this answers your query. Kudos are appreciated too!

 

Regards,
Sharat

 


Re: macsec on LAG with vlans

‎03-25-2020 04:18 AM

Hi Colin,

 

MACsec is not supported on logical interfaces for aggregated interfaces, so I suggest you attempt configuring it on the physical interface and check if it works.

 

Secondly, even when MACsec is enabled on a logical interface, the VLANs will not be encrypted; instead they are sent in clear text.

 

Thanks and Regards,

Pradeep Kumar M


Re: macsec on LAG with vlans

‎03-25-2020 05:10 AM

Thanks Sharat, yes the article confirms.

 

So I appear to have options to try:

set security macsec connectivity-association NAME security-mode static-cak

set security macsec connectivity-association NAME pre-shared-key ckn <key>

set security macsec connectivity-association NAME pre-shared-key cak <key>

set security macsec interfaces ae0 connectivity-association NAME

#or

set security macsec connectivity-association NAME security-mode static-cak

set security macsec connectivity-association NAME pre-shared-key ckn <key>

set security macsec connectivity-association NAME pre-shared-key cak <key>

set security macsec interfaces xe-0/2/0 connectivity-association NAME

set security macsec interfaces xe-0/2/1 connectivity-association NAME

#or

set security macsec connectivity-association NAME security-mode static-cak

set security macsec connectivity-association NAME pre-shared-key ckn <key>

set security macsec connectivity-association NAME pre-shared-key cak <key>

set security macsec interfaces xe-0/2/0 connectivity-association NAME

set security macsec interfaces xe-0/2/1 connectivity-association NAME

set security macsec interfaces ae0 connectivity-association NAME


Re: macsec on LAG with vlans

‎03-25-2020 05:12 AM

Thanks for your reply, Pradeep, and for the additional info.


Re: macsec on LAG with vlans

‎03-25-2020 05:35 AM

Hi Colin, 

 

Yes, there are different options like you said.

Also, please mark "Accept as Solution" if my post answered your query. 

 

Regards,
Sharat Ainapur


Re: macsec on LAG with vlans

‎03-25-2020 01:59 PM

I have it running with MACsec on physical member interfaces of a LAG on an EX4600.

 

set security macsec connectivity-association NAME security-mode static-cak

set security macsec connectivity-association NAME pre-shared-key ckn <key>

set security macsec connectivity-association NAME pre-shared-key cak <key>

set security macsec interfaces xe-0/2/0 connectivity-association NAME

set security macsec interfaces xe-0/2/1 connectivity-association NAME

 

xe-0/2/0 and xe-0/2/1 are members of ae0

 

I didn't have to include ae0 on the macsec configuration
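
A configuration check for the setup discussed in this thread, added here as an example; it was not posted by any participant and is not Juniper code. It flags MACsec bound to a logical ae unit (the case the replies report as unsupported) and LAG member links left without a MACsec binding. The `802.3ad` membership lines, the function name `audit_macsec` and the sample configuration are assumptions constructed for the example.

```python
import re

# Constructed sample (not from the thread): two links bundled into ae0, with
# MACsec bound to only one member and to a logical unit of the bundle.
# The LAG membership lines are an assumption; the thread does not show them.
SAMPLE = """\
set interfaces xe-0/2/0 ether-options 802.3ad ae0
set interfaces xe-0/2/1 ether-options 802.3ad ae0
set security macsec connectivity-association NAME security-mode static-cak
set security macsec interfaces xe-0/2/0 connectivity-association NAME
set security macsec interfaces ae0.101 connectivity-association NAME
"""

MEMBER_RE = re.compile(r"set interfaces (\S+) (?:gigether|ether)-options 802\.3ad (ae\d+)")
MACSEC_RE = re.compile(r"set security macsec interfaces (\S+) connectivity-association (\S+)")


def audit_macsec(config: str) -> list[str]:
    """Return findings for MACsec bindings on LAGs in 'set'-style config."""
    members: dict[str, list[str]] = {}  # ae bundle -> member links
    bound: dict[str, str] = {}          # interface -> connectivity association
    for line in config.splitlines():
        line = line.strip()
        if m := MEMBER_RE.fullmatch(line):
            members.setdefault(m.group(2), []).append(m.group(1))
        elif m := MACSEC_RE.fullmatch(line):
            bound[m.group(1)] = m.group(2)

    findings = []
    # Logical units of an aggregated interface (e.g. ae0.101) are the case the
    # replies above describe as unsupported.
    for ifname in bound:
        if re.fullmatch(r"ae\d+\.\d+", ifname):
            findings.append(f"{ifname}: MACsec bound to a logical ae unit")
    # With MACsec applied per member link, a member without a binding is not
    # covered, so report bundles that are only partly bound.
    for ae, links in sorted(members.items()):
        missing = [link for link in links if link not in bound]
        if missing and len(missing) < len(links):
            findings += [f"{link}: member of {ae} without MACsec" for link in missing]
    return findings


if __name__ == "__main__":
    for finding in audit_macsec(SAMPLE):
        print(finding)
```
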


Re: macsec on LAG with vlans

‎03-30-2020 01:13 AM

Thank you all for your replies; those were the correct answers 🙂
