MACsec adding value

gmckay2e2 · ‎03-20-2013

If I'm linking branch network sites - with no servers/ applications - over an unsecure network I would likely run site to site IPSec tunnels to provide encryption.

If I wanted ALL traffic to be encrypted, I could force all users in the branches to sit behind an ASA and force connections via AnyConnect clients and I would have end to end encryption.

What value would using MACsec as an alternative provide?

Would traffic be encrypted between the last switch and the WAN router?

Thanks

Reza Sharifi · ‎03-20-2013

MACsec is layer-2 and is done hop-by-hop. Also, not every device can support it.

2.1 Benefits and Limitations

MACsec offers the following benefits on wired networks:

• Confidentiality: MACsec helps ensure data confidentiality by providing strong encryption at Layer 2.

• Integrity: MACsec provides integrity checking to help ensure that data cannot be modified in transit.

• Flexibility: You can selectively enable MACsec using a centralized policy, thereby helping ensure that MACsec is enforced where required while allowing non-MACsec-capable components to access the network.

• Network intelligence: Unlike end-to-end, Layer 3 encryption techniques that hide the contents of packets from the network devices they cross, MACsec encrypts packets on a hop-by-hop basis at Layer 2, allowing the network to inspect, monitor, mark, and forward traffic according to your existing policies.

Here is the doc for more info:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html

HTH