02-15-2023 03:18 PM
In my scenario I have to encrypt the traffic on Layer 2 & Layer 3. My thinking is MACsec on the core switch up until it hits the ASA, then configure an IPsec tunnel for that subnet to reach the remote site ASA. In theory, the architecture would be as follows: End device -- MACsec-capable Cisco switch -- ASA -- DMZ switch -- router -- etc.
My question is, would this be a viable solution to solve for multiple methods of encryption?
And also, is MACsec available on 3750X models only, or is there better hardware out there? Any other solutions I'm missing or not thinking about?
02-16-2023 03:28 AM
MACsec is supported on just about all modern Cisco switches. You can use the Cisco Feature Navigator to look up your devices, or devices you are considering purchasing, and see if MACsec is supported on them.
https://cfnng.cisco.com/browse/switching/products
Just be aware that MACsec only encrypts "on-the-wire" so traffic traveling between interfaces on a switch will not be encrypted.
02-15-2023 03:31 PM
Looks like that is a good approach; MACsec is available on newer hardware platforms like Cat 9K.
Some good videos for reference:
02-16-2023 12:15 AM
@Hg212 MACsec is hop-by-hop encryption between the switches/routers in your network. The ASA does not support MACsec, so the connectivity from the switch to the ASA would be cleartext; obviously communication between the ASAs would be an IPsec VPN.
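As an added illustration of the hop-by-hop design discussed in this thread (not configuration posted by anyone here), the following Catalyst 9K configuration secures one switch-to-switch hop with MACsec using MKA and a pre-shared CAK, and leaves the ASA-facing port in cleartext because the ASA cannot terminate MACsec; the key chain name, policy name, interface numbers and key-string are placeholder values.

```cisco
! MKA key chain: the CAK (key-string) below is a 32-hex-character placeholder, not a real key
key chain MKA-KEYS macsec
 key 01
  cryptographic-algorithm aes-128-cmac
  key-string 00112233445566778899AABBCCDDEEFF
!
! MKA policy: cipher suite and confidentiality offset 0 (encrypt the whole frame payload)
mka policy MKA-POLICY
 macsec-cipher-suite gcm-aes-128
 confidentiality-offset 0
!
! Uplink toward the next MACsec-capable switch: this hop is encrypted on the wire
! (the peer switch needs the same key chain and policy on its facing interface)
interface TenGigabitEthernet1/0/1
 description MACsec hop to distribution switch
 macsec network-link
 mka policy MKA-POLICY
 mka pre-shared-key key-chain MKA-KEYS
!
! Link toward the ASA: no MACsec here, so this hop is cleartext until traffic
! enters the site-to-site IPsec tunnel between the ASAs
interface TenGigabitEthernet1/0/2
 description Uplink to ASA (cleartext hop, covered by IPsec beyond the ASA)
!
! Verification from privileged EXEC: the MKA session should show as Secured
! show mka sessions
! show macsec interface TenGigabitEthernet1/0/1
```

Frames switched between two ports on the same chassis are never encrypted by MACsec, so the cleartext exposure is the switch itself plus the switch-to-ASA link.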