Is it possible to use switch-to-switch MACSEC encryption between two Catalyst 9300s that are connected to different leaf switches, at different sites, of a Cisco ACI multipod setup? The MACSEC ports on either end would be connected to the same EPG in the same Bridge Domain. I have done something similar with other layer 2 protocols such as LACP, but I'm not sure if the encryption/decryption at both ends would break the MACSEC encryption.
9300 Site 1 <--> Leaf 1 (EPG-A/BD-A) <--> Interpod Network <--> Leaf 2 (EPG-A/BD-A) <--> 9300 Site 2
Technically, I guess it should work. The only pain point I see is the static path assignment in the EPG. Basically the traffic should be configured as untagged/native, because everything after the MAC header is encrypted.
Alternatively, what you can do is MACSEC between C9300 and Leaf1, MACSEC between Leafs and Spines, and MACSEC between Spine and IPN routers.
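To make the "everything after the MAC header is encrypted" point concrete, here is an added example (not code from the thread or from Cisco) that models what a MACsec-unaware transit port, such as the ACI leaf in the topology above, can actually inspect in a frame. It builds a constructed 802.1Q frame and a constructed MACsec frame, parses only the fields a transit switch can see, and then applies a simplified model of an EPG static path binding. The `secure_data` bytes are an opaque stand-in for the AES-GCM ciphertext (no real encryption is performed), the MAC addresses, SCI and packet number are made up, and `classify_static_path` is a hypothetical simplification of ACI's untagged versus trunk port modes, not ACI's own logic.

```python
"""Added example: what a MACsec-unaware transit port can see in a frame.
All frames, addresses and values below are constructed for illustration."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_MACSEC = 0x88E5   # IEEE 802.1AE SecTAG EtherType
ICV_LEN = 16                # GCM-AES ICV appended to every MACsec frame


def build_sectag(an, pn, sci=None, encrypted=True, short_len=0):
    """Build an 802.1AE SecTAG: EtherType, TCI/AN, SL, PN, optional SCI."""
    tci_an = 0
    if sci is not None:
        tci_an |= 0x20            # SC bit: explicit 8-byte SCI follows
    if encrypted:
        tci_an |= 0x08 | 0x04     # E (encryption) and C (changed text) bits
    tci_an |= an & 0x03           # association number in the low two bits
    hdr = struct.pack("!HBBI", ETHERTYPE_MACSEC, tci_an, short_len & 0x3F, pn)
    return hdr + (sci if sci is not None else b"")


def build_macsec_frame(dst, src, an, pn, sci, secure_data):
    # secure_data stands in for ciphertext; the ICV is zero-filled here
    return dst + src + build_sectag(an, pn, sci) + secure_data + b"\x00" * ICV_LEN


def build_dot1q_frame(dst, src, vlan, inner_ethertype, payload):
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return dst + src + tag + struct.pack("!H", inner_ethertype) + payload


def transit_view(frame):
    """Parse a frame the way a MACsec-unaware switch port does: DA, SA and the
    first EtherType are visible; a VLAN tag is only visible if it is outermost."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    view = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "ethertype": ethertype, "vlan": None, "macsec": None}
    if ethertype == ETHERTYPE_8021Q:
        view["vlan"] = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    elif ethertype == ETHERTYPE_MACSEC:
        tci_an = frame[14]
        sci_present = bool(tci_an & 0x20)
        view["macsec"] = {
            "an": tci_an & 0x03,
            "encrypted": bool(tci_an & 0x08),
            "pn": struct.unpack("!I", frame[16:20])[0],
            "sci": frame[20:28].hex() if sci_present else None,
        }
        # Anything after the SecTAG is opaque: no inner EtherType, no inner tag.
    return view


def classify_static_path(view, mode, epg, access_vlan=None):
    """Hypothetical simplification of an EPG static path binding (assumption,
    not ACI's real classifier): 'untagged' accepts frames with no outer 802.1Q
    tag; 'trunk' requires the configured VLAN tag to be visible."""
    if mode == "untagged":
        return epg if view["vlan"] is None else None
    if mode == "trunk":
        return epg if view["vlan"] == access_vlan else None
    raise ValueError("unknown mode")


# Constructed sample frames (addresses, SCI, PN and payload are made up)
DST = bytes.fromhex("0c1122334455")
SRC = bytes.fromhex("0c66778899aa")
SCI = bytes.fromhex("0c66778899aa0001")
OPAQUE = bytes(range(0x10, 0x30))          # stand-in for GCM ciphertext

DOT1Q_FRAME = build_dot1q_frame(DST, SRC, 100, 0x0800, b"\x45" + b"\x00" * 19)
MACSEC_FRAME = build_macsec_frame(DST, SRC, an=1, pn=42, sci=SCI, secure_data=OPAQUE)

if __name__ == "__main__":
    for name, frame in (("802.1Q", DOT1Q_FRAME), ("MACsec", MACSEC_FRAME)):
        v = transit_view(frame)
        print(name, hex(v["ethertype"]), "vlan:", v["vlan"], "macsec:", v["macsec"])
        print("  untagged binding ->", classify_static_path(v, "untagged", "EPG-A"))
        print("  trunk(100) binding ->", classify_static_path(v, "trunk", "EPG-A", 100))
```

Running it shows the 802.1Q frame exposes VLAN 100 and matches a trunk binding, while the MACsec frame exposes only EtherType 0x88E5, the association number, packet number and SCI; any VLAN tag the 9300 placed inside the secured payload is invisible, so only an untagged/native binding admits it into the EPG. The same parse also tells a defender what can be monitored on the transit hop: SecTAG fields and frame counts, but not the protected payload.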