09-04-2024 06:26 PM
Hi, we are planning the Layer 2 connection between HQ and branch offices. Is MACsec a good option to protect the data? If we want to use MACsec, what should we do? Can anyone please advise? Thanks in advance!
09-04-2024 10:08 PM - edited 09-04-2024 10:40 PM
Hello @Herman2018
Yes, MACsec is a solid option for protecting L2 connections between HQ and branch offices, as it provides encryption at the physical layer to safeguard against eavesdropping, tampering, and other attacks...
To implement MACsec, you'll first need to verify that your hardware supports it, as not all switches or routers come with MACsec capabilities; Cisco devices like the Catalyst 9000 series typically support it. You’ll also need the appropriate licenses, such as Network Advantage or DNA Advantage.
09-05-2024 12:22 AM
"hi, we are planning the layer2 connection between HQ and branch offices. Is MacSec a good option to protect the data?"
This is exactly why we use MACsec to protect the L2 DCI (data center interconnect).
Yes, sure, use it.
MHM
09-05-2024 05:20 AM
Hello, good morning.
I hope these procedures can give you a clue and help you on how to proceed:
First: The devices must have licensing and compatibility; for example, a common series of devices is the Catalyst 9300 and 9500, and some versions of the ISR and ASR routers.
Second: The configuration is done directly on the interfaces that connect the headquarters and the branches. It is necessary to configure authentication keys on the interfaces involved. Configuration example:
interface Gi1/0/1
 macsec
 macsec network-link
 macsec encryption security-policy must-secure
 mka policy name policy1
NOTE 1: Command to check the encryption status of the interface: show macsec interface
NOTE 2: *mka (MACsec Key Agreement protocol)
NOTE 3: If you are using RADIUS, configure it to support authentication of the devices that want to use the secure connection.
Third: The ideal is to check the Cisco documentation for specific commands.
Hope this helps.
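An added example, not part of the post above and not Cisco code: a small audit that checks each HQ-to-branch interface in a saved configuration for the settings the post lists. The command patterns are copied from the post as written, and the interface list and sample config are constructed assumptions.

```python
import re

# Patterns use the command forms from the post; adapt them to your platform's documented syntax.
REQUIRED = {
    "macsec network-link": re.compile(r"^macsec network-link$"),
    "must-secure policy": re.compile(r"^macsec encryption security-policy must-secure$"),
    "mka policy": re.compile(r"^mka policy \S+"),
}

def parse_interfaces(config_text):
    """Split an IOS-style config into {interface name: [sub-commands]}."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # "!" separator or a new top-level command
    return stanzas

def audit_macsec(config_text, link_interfaces):
    """Return {interface: [missing settings]} for the inter-site links."""
    stanzas = parse_interfaces(config_text)
    findings = {}
    for name in link_interfaces:
        if name not in stanzas:
            findings[name] = ["interface not found in config"]
            continue
        missing = [label for label, pat in REQUIRED.items()
                   if not any(pat.match(cmd) for cmd in stanzas[name])]
        if missing:
            findings[name] = missing
    return findings

# Constructed sample config (not from a real device).
SAMPLE = """\
interface Gi1/0/1
 macsec network-link
 macsec encryption security-policy must-secure
 mka policy name policy1
!
interface Gi1/0/2
 macsec network-link
 mka policy name policy1
"""
print(audit_macsec(SAMPLE, ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"]))
```

An interface that is missing the must-secure line is the one to look at first, since without it the link is not required to be encrypted.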