MACsec adding value

If I'm linking branch network sites - with no servers/applications - over an insecure network, I would likely run site-to-site IPsec tunnels to provide encryption.

If I wanted ALL traffic to be encrypted, I could force all users in the branches to sit behind an ASA and force connections via AnyConnect clients, and I would have end-to-end encryption.

What value would using MACsec as an alternative provide?

Would traffic be encrypted between the last switch and the WAN router?

Thanks

1 REPLY

MACsec is layer-2 and is done hop-by-hop. Also, not every device can support it.

2.1 Benefits and Limitations

MACsec offers the following benefits on wired networks:

• Confidentiality: MACsec helps ensure data confidentiality by providing strong encryption at Layer 2.

• Integrity: MACsec provides integrity checking to help ensure that data cannot be modified in transit.

• Flexibility: You can selectively enable MACsec using a centralized policy, thereby helping ensure that MACsec is enforced where required while allowing non-MACsec-capable components to access the network.

• Network intelligence: Unlike end-to-end, Layer 3 encryption techniques that hide the contents of packets from the network devices they cross, MACsec encrypts packets on a hop-by-hop basis at Layer 2, allowing the network to inspect, monitor, mark, and forward traffic according to your existing policies.

Here is the doc for more info:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html

HTH
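To make the hop-by-hop point in the reply above concrete, here is a small Python parser for the IEEE 802.1AE SecTAG (EtherType 0x88E5). It is an added example written for this page, not code from the original post or from the Cisco guide. It shows what a device on a MACsec-protected link can read without the Secure Association Key: with the E and C bits set, the original EtherType and the entire IP header sit inside the encrypted secure data, so a switch or router that is not a MACsec peer on that hop cannot route or classify on them; with integrity-only MACsec (E=0, C=0) the user data is in the clear but authenticated by the ICV. The two frames, the MAC addresses, the IPv4 header and the "ciphertext" bytes are all constructed; the encrypted frame's secure data is a stand-in of the right length, not real GCM-AES output, because the example is only about frame structure.

```python
"""Parse a MACsec (IEEE 802.1AE) frame and report what a device on the
wire can learn from it without the Secure Association Key (SAK).

All frames below are hand-built for illustration; nothing here is a
capture from a real network, and the 'ciphertext' is a stand-in.
"""
import struct

MACSEC_ETHERTYPE = 0x88E5
IPV4_ETHERTYPE = 0x0800
ICV_LEN = 16  # GCM-AES integrity check value appended after the secure data


def parse_sectag(frame: bytes) -> dict:
    """Split a MACsec frame into DA, SA, SecTAG fields, secure data and ICV.

    SecTAG layout (802.1AE clause 9): EtherType 0x88E5, TCI/AN (1 byte),
    SL (1 byte), PN (4 bytes), optional SCI (8 bytes, present only when
    the SC bit is set).
    """
    if len(frame) < 14 + 6 + ICV_LEN:
        raise ValueError("frame too short to carry a SecTAG and ICV")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != MACSEC_ETHERTYPE:
        raise ValueError("not a MACsec frame (EtherType 0x%04x)" % ethertype)
    tci_an, sl = frame[14], frame[15]
    tag = {
        "dst": frame[0:6],
        "src": frame[6:12],
        "version": tci_an >> 7,       # must be 0
        "es": bool(tci_an & 0x40),    # End Station: SCI implied by SA
        "sc": bool(tci_an & 0x20),    # explicit SCI follows the PN
        "scb": bool(tci_an & 0x10),   # EPON single-copy broadcast
        "e": bool(tci_an & 0x08),     # Encryption
        "c": bool(tci_an & 0x04),     # Changed text
        "an": tci_an & 0x03,          # Association Number (SA index)
        "short_length": sl & 0x3F,    # secure-data length when < 48 bytes
        "pn": struct.unpack("!I", frame[16:20])[0],
    }
    offset = 20
    if tag["sc"]:
        tag["sci"] = frame[offset:offset + 8]
        offset += 8
    else:
        tag["sci"] = None
    tag["secure_data"] = frame[offset:-ICV_LEN]
    tag["icv"] = frame[-ICV_LEN:]
    return tag


def user_data_in_clear(tag: dict) -> bool:
    """Integrity-only MACsec (E=0, C=0) carries the original EtherType and
    payload unencrypted but authenticated. Any other combination means the
    user data is ciphertext to a device that does not hold the SAK."""
    return not tag["e"] and not tag["c"]


def ip_endpoints(frame: bytes):
    """What a non-MACsec device on this link can learn: the IPv4 source and
    destination addresses if they are in the clear, otherwise None."""
    tag = parse_sectag(frame)
    if not user_data_in_clear(tag):
        return None
    data = tag["secure_data"]
    if struct.unpack("!H", data[:2])[0] != IPV4_ETHERTYPE:
        return None
    ip = data[2:22]  # 20-byte IPv4 header follows the inner EtherType
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, dst


def build_frame(dst, src, tci_an, pn, sci, secure_data, icv) -> bytes:
    """Assemble a MACsec frame. SL is non-zero only when the secure data is
    shorter than 48 bytes (the minimum-size frame would otherwise be padded)."""
    sl = len(secure_data) if len(secure_data) < 48 else 0
    sectag = struct.pack("!HBBI", MACSEC_ETHERTYPE, tci_an, sl, pn)
    if tci_an & 0x20:
        sectag += sci
    return dst + src + sectag + secure_data + icv


# --- constructed sample frames (not captured from any network) -----------
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
SCI = SRC_MAC + b"\x00\x01"  # Secure Channel Identifier: system ID + port 1
# Minimal IPv4 header, 10.1.1.10 -> 10.2.2.20, protocol TCP, no options.
IPV4_HDR = (bytes.fromhex("4500 0028 0000 4000 4006 0000")
            + bytes([10, 1, 1, 10]) + bytes([10, 2, 2, 20]))
CLEAR_DATA = struct.pack("!H", IPV4_ETHERTYPE) + IPV4_HDR
FAKE_ICV = bytes(ICV_LEN)  # placeholder; a real ICV is the GCM tag
# Stand-in for GCM-AES-128 output: opaque bytes, same length as CLEAR_DATA.
FAKE_CIPHERTEXT = bytes((0xA5 ^ (i * 37)) & 0xFF for i in range(len(CLEAR_DATA)))

# TCI/AN 0x20: V=0 ES=0 SC=1 SCB=0 E=0 C=0 AN=0 (integrity only)
INTEGRITY_ONLY_FRAME = build_frame(DST_MAC, SRC_MAC, 0x20, 0x101, SCI, CLEAR_DATA, FAKE_ICV)
# TCI/AN 0x2C: V=0 ES=0 SC=1 SCB=0 E=1 C=1 AN=0 (confidentiality + integrity)
ENCRYPTED_FRAME = build_frame(DST_MAC, SRC_MAC, 0x2C, 0x101, SCI, FAKE_CIPHERTEXT, FAKE_ICV)

if __name__ == "__main__":
    for name, frame in (("integrity-only", INTEGRITY_ONLY_FRAME), ("encrypted", ENCRYPTED_FRAME)):
        tag = parse_sectag(frame)
        print(name, "PN", tag["pn"], "AN", tag["an"], "IP endpoints visible:", ip_endpoints(frame))
```

The practical reading of the parser output: on a hop where both ends run MACsec with encryption, the only things an eavesdropper sees are the MAC addresses, the SecTAG (including the packet number and SCI) and ciphertext; the receiving switch decrypts on ingress, which is exactly why it can still apply its existing QoS and ACL policies before re-encrypting on the next MACsec-capable link. A link whose far end does not support MACsec simply carries plain Ethernet, so the protection stops there.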
