Encryption at Layer-2 or Layer-3 ??!

This is the question that often times comes to mind? Where do we need to apply encryption and why? Do we need to apply it at layer-2 which is much more low-level or do we need to apply it at layer-3 where Internet Protocol finds its definition?

Well, in the world today it is the speed of communication which every one thinks of first and talking about that, encryption at later-2 is the best option if you are sending data over a very fast network and if you do not want the flow of the traffic to be slow by any means. Layer-2 encryption reduces the overhead required by layer-3 encryption protocols or protocol suits like IPSec and reduces CPU utilization in devices applying it. Considering the great usage of VoIP nowadays and knowing that security and speed play very important roles in voice communications, layer-2 encryption for sure will be the best choice.

Having mentioned above, layer-3 encryption is still well-suited for environments where you have low-bandwidth connections and really do not have devices to support encryption at layer-2. There are also situations where companies have offices around the world and it is not anymore the matter of only a few devices but hundreds, so you need to consider the fact that encryption at layer-2 is on a hop-by-hop basis and not end-to-end just like layer-3.

Nowadays there are so many devices supporting Layer-2 encryption and it is not like the past anymore as there is a standard for it therefore there could be layer-2 encrypted communication between devices of different vendors. For instance Cisco Catalyst Switches (3560-X series and 3750-X series) now pretty well support data-link layer encryption by IEEE 802.1AE (MACsec), 802.1x REV.

So if you think that you need to apply encryption over your high-speed links and security really matters to you as well as low-latency and simplicity in management, you can for sure go for layer-2 encryption.

2 thoughts on “Encryption at Layer-2 or Layer-3 ??!

  1. Your statement; “…. so you need to consider the fact that encryption at layer-2 is on a hop-by-hop basis …” is simply wrong.

    Please see Metro Ethernet Forum standards there are L2 Service from UNI to UNI over number of hop in the middle defined. Waht you mention is waht CISCO might want that people believe.

Leave a Reply

Your email address will not be published. Required fields are marked *