We have an existing HQ with some regional branches, and we have connected those brs to HQ through Micro-Wave data-link. currently the data is travelling is Plain-Text Form between our HQ and Brs.
So I found about Macsec Technology that can encrypte data inbetween switches. but the docs for MacSec says that MacSec encryption will be disabled if there is any (Bridge or any Devices above Layer-1 ) connected in between switches with Macsec enabled
My issue is that the Micro-Waves which connect my HQ and Branches, those micro-waves work as a Bridge, so does it means we can not have MacSec enabled in this senerio ? because of the bridge (micro-wave) existance
please give any idea
in a scenario like yours IPSec VPN at IP OSI layer3 may be the best solution.
By the way, MACSec is not so widely supported on Cisco switch platforms (= it is not a common feature and it is relative new).
The presence of a transparent bridge in the middle may be detected by reception of STP BPDUs or other L2 signalling protocol.
IF your micro-waves to ethernet bridge do not speak STP, LLDP and other L2 protocols they might be undetected. But this is something that should be tested.
on cisco switches like C3560C support of MACSec is limited to end user host facing ports in access mode,
Hope to help
As you said in my senerio VPN is the best solution. you are right. But!!! establishing vpn in my senerio is not possible. let me explain why not possible
As i said some of our branches are connected to our HQ through Micro-wave links, this means those branches terminate at our HQ through micro-wave data-link, and then they are roughted to a VPN_TRUNK link to external companies through a site-to-site vpn (which is established through internet ). let me clarify little more, my branch-X connects to my HQ directly without use of vpn, then this branch is routed to the external-company through HQ Internet-link. example: Branch--directly-connects-to-HQ-----vpn---external-company
so here wat u said "to use vpn between my branches and HQ" if i establish vpn in-between my Branch-HQ, then how the Branch is routed or can establish vpn to the External-Company through HQ-Device ? that is not possible i think, because lets say if my branch vpns to my HQ ASA-Firewall on its outside-int, then How it can revert back and establish vpn to ex-company through that HQ asa outside-int
dont think it is possible