Can anyone tell me if they use MACsec and why?
We have some Ethernet circuits to remote sites and we need to look at encryption.
Is it easy to do switch-to-switch encryption? Is there much config involved?
Does this bring the throughput down on the switch, or is it done in ASICs?
We attempted to use it in our VPLS mesh setup but were not successful. It could really only be used for point-to-point. We stood up two sites, but once we added the third leg, that broke it down. Cisco stated they couldn't support this design. This was after a few months of troubleshooting and code upgrades to address this issue (using a C9300 and moving to 16.9.1). Config was pretty basic. Can't say if the throughput was impacted or not, as we were not able to fully implement. Useful link below for the C9300 platform. HTH.
I have done it; the reason is government regulations.
And it's done in hardware, so there is no impact on throughput. Example config:

! Interface name below is a placeholder; both lines that follow belong under "cts manual"
interface TenGigabitEthernet1/0/1
 cts manual
  no propagate sgt
  sap pmk 0000000000000000000000000000000000000000000000000000001234ABCDEF mode-list gcm-encrypt

The same in both switches.
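As an added example (not from the post above or from Cisco), a small audit script that parses the `sap pmk ... mode-list ...` line from two switches' `cts manual` config and checks what the post relies on: a full-length PMK, a mode-list that cannot fall back to an unencrypted SAP mode (anything other than gcm-encrypt), and identical settings on both ends. The sample configs and the 64-hex-digit PMK are constructed; the interface name is assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample configs for the two ends of one MACsec link.
SWITCH_A = """
interface TenGigabitEthernet1/0/1
 cts manual
  no propagate sgt
  sap pmk 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef mode-list gcm-encrypt
"""
# Same key, but the mode-list also permits an unencrypted fallback mode.
SWITCH_B = """
interface TenGigabitEthernet1/0/1
 cts manual
  no propagate sgt
  sap pmk 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef mode-list gcm-encrypt null
"""

SAP_RE = re.compile(r"^\s*sap pmk (\S+) mode-list (.+?)\s*$", re.M)

@dataclass
class SapSetting:
    pmk: str
    modes: List[str]

def parse_sap(config: str) -> Optional[SapSetting]:
    """Extract the PMK and the ordered SAP mode-list, or None if absent."""
    m = SAP_RE.search(config)
    return SapSetting(m.group(1), m.group(2).split()) if m else None

def audit_link(cfg_a: str, cfg_b: str) -> List[str]:
    """Return findings for one link; an empty list means nothing to flag."""
    findings: List[str] = []
    ends = [("A", parse_sap(cfg_a)), ("B", parse_sap(cfg_b))]
    for name, sap in ends:
        if sap is None:
            findings.append(f"{name}: no 'sap pmk ... mode-list' line found")
            continue
        # Assumption: a full PMK is 64 hex digits (256 bits); shorter is flagged.
        if not re.fullmatch(r"[0-9A-Fa-f]{64}", sap.pmk):
            findings.append(f"{name}: PMK is not 64 hex digits")
        # Only gcm-encrypt gives confidentiality; gmac is integrity-only,
        # null/no-encap send cleartext, so any of them is a fallback risk.
        weak = [m for m in sap.modes if m != "gcm-encrypt"]
        if weak:
            findings.append(f"{name}: mode-list allows fallback to {weak}")
    a, b = ends[0][1], ends[1][1]
    if a and b:
        if a.pmk.lower() != b.pmk.lower():
            findings.append("PMK differs between ends")
        if a.modes != b.modes:
            findings.append("mode-list differs between ends")
    return findings
```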
Here is the complete guide for the same: