[j-nsp] MACsec interoperability between MX10003 and Cisco ASR 9k?

Christian Seitz

2018-10-24 12:42:07 UTC

Hello,

Post by Christian Seitz
I'm currently trying to find out if somebody has already tested if MACsec can
be used on a 100G port between MX10003 and Cisco ASR 9k (required licenses
will be installed on both routers). Yes, MACsec is a standard, but... ;-)
Unfortunately Juniper currently has no MX10003 available in the loaner pool.
They have an MX10003 in their lab in Amsterdam, but no ASR 9k. Therefore I
cannot test is by myself and hope somebody else already made some experience.

nobody answered this email yet so I would like to answer it myself in case
somebody else is interested in this information.

Juniper was now able to deliver a loaner so we could test MACsec between the
MX10003 and an ASR 9910. As long as your JunOS is recent enough that PR1336834
("MACSec AES-GCM-256 hashing algorithm is not compatible with other vendors")
is fixed and your IOS XR has fixed CSCvg91792 ("STARLORD MACSEC - ARP is not
resolved in Octane starlord interop") MACsec just works. I have tested AES-256
between both boxes on a 100G interconnect and unicast and multicast traffic
pass the link.

Thanks and regards,

Chris
_______________________________________________
juniper-nsp mailing list juniper-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp