I am trying to determine what would be the best way to encrypt our traffic on a private VPLS link between sites. We have 3 sites connected via VPLS by our ISP. All three sites have a Catalyst 3850 switch and currently have EIGRP configured. Site 1 will be the hub for this scenario, so all traffic leaving a remote site will go through Site 1 to get anywhere it needs to go. Sites 2 and 3 are spokes.
Initially the idea was to encrypt the traffic using MACsec, but since these are switches and not routers, adding a third site raises some questions, as subinterfaces are not available on the switches.
Site 1 --------------ISP VPLS -----------------------Site 2
|
|
|
Site 3
Sites 2 and 3 have 250 Mbps connectivity each and Site 1 has 500 Mbps, so we would have to rate limit.
Can MACsec work for this solution? Would a different approach be recommended?
Thanks