Layer 2 Encryption over IPsec tunnel

Hg212
Level 1

In my scenario I have to encrypt the traffic on Layer 2 and Layer 3. My thinking is MACsec on the core switch up until it hits the ASA, then configure an IPsec tunnel for that subnet to reach the remote site ASA. In theory, the architecture would be as follows: End device -- MACsec-capable Cisco switch -- ASA -- DMZ switch -- router -- etc.

My question is, would this be a viable solution to solve for multiple methods of encryption?

And also, is MACsec available on 3750-X models only, or is there better hardware out there? Any other solutions I'm missing or not thinking about?


3 Replies

balaji.bandi
Hall of Fame

Looks like that is a good approach. MACsec is available on new hardware platforms like the Cat 9K.

Some good videos for reference:

https://www.youtube.com/watch?v=6ocoC4W6Hf8

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@Hg212 MACsec is hop-by-hop encryption between the switches/routers in your network. The ASA does not support MACsec, so the connectivity from the switch to the ASA would be cleartext; obviously communication between the ASAs would be an IPsec VPN.
MACsec is supported on just about all modern Cisco switches. You can use the Cisco Feature Navigator to look up your devices, or devices you are considering purchasing, and see if MACsec is supported on them.

https://cfnng.cisco.com/browse/switching/products

Just be aware that MACsec only encrypts "on-the-wire" so traffic traveling between interfaces on a switch will not be encrypted.

--
Please remember to select a correct answer and rate helpful posts
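To make the hop-by-hop point concrete, here is a small path-coverage checker written as an added example (it is not code from this thread or from Cisco). It models the topology described in the question with constructed device names: a link counts as Layer 2 protected only when both of its endpoints support MACsec, and a link counts as Layer 3 protected only when it lies between the two IPsec tunnel endpoints. Running it over the proposed design lists exactly the links that end up in cleartext, which is the check you would want before signing off on a "dual encryption" design. The `Device` class, the `macsec` / `ipsec_endpoint` flags and the sample path are all assumptions of this example.

```python
"""Per-hop encryption coverage check for a MACsec + IPsec design.

Added example, not from the thread. Model assumptions:
  * MACsec is hop-by-hop: a link is L2-protected only if BOTH ends
    support MACsec. Forwarding inside a switch is not a link and is
    never "on the wire", so it is never counted as encrypted.
  * IPsec is an overlay: a link is L3-protected only if it sits between
    the two tunnel endpoints along the path (e.g. the two ASAs).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Device:
    name: str
    macsec: bool = False          # can terminate MACsec on its links
    ipsec_endpoint: bool = False  # terminates the IPsec tunnel (the ASAs)


def link_coverage(path: List[Device]) -> List[Dict]:
    """Return one record per link, in path order, with the protections
    that apply to it and whether it is left in cleartext."""
    endpoints = [i for i, d in enumerate(path) if d.ipsec_endpoint]
    if len(endpoints) != 2:
        raise ValueError("expected exactly two IPsec endpoints on the path")
    start, end = endpoints
    result = []
    for i in range(len(path) - 1):
        a, b = path[i], path[i + 1]
        l2 = a.macsec and b.macsec        # MACsec needs both ends
        l3 = start <= i < end             # link lies inside the tunnel
        result.append({
            "link": f"{a.name}--{b.name}",
            "l2": l2,
            "l3": l3,
            "cleartext": not (l2 or l3),
        })
    return result


def cleartext_links(path: List[Device]) -> List[str]:
    """Names of the links on which traffic crosses the wire unencrypted."""
    return [r["link"] for r in link_coverage(path) if r["cleartext"]]


# Constructed topology following the question: MACsec switches up to an
# ASA, an IPsec tunnel between the ASAs, MACsec switches again on the far
# side. The ASA, DMZ switch and router are modelled as not doing MACsec.
PATH = [
    Device("AccessSwitch", macsec=True),
    Device("CoreSwitch", macsec=True),
    Device("ASA-A", ipsec_endpoint=True),
    Device("DMZSwitch"),
    Device("Router"),
    Device("ASA-B", ipsec_endpoint=True),
    Device("RemoteCore", macsec=True),
    Device("RemoteAccess", macsec=True),
]

if __name__ == "__main__":
    for rec in link_coverage(PATH):
        flags = ("L2 " if rec["l2"] else "   ") + ("L3" if rec["l3"] else "  ")
        state = "CLEARTEXT" if rec["cleartext"] else "encrypted"
        print(f"{rec['link']:<28} {flags}  {state}")
    print("cleartext links:", cleartext_links(PATH))
```

For the path above the checker reports the two switch-to-ASA links (`CoreSwitch--ASA-A` and `ASA-B--RemoteCore`) as cleartext, which is the gap the reply describes: MACsec stops at the last MACsec-capable hop and the IPsec tunnel only starts at the ASA. Swapping in a MACsec-capable device as the tunnel endpoint, or terminating the tunnel on the switch itself, is what would change that result.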