Hardware MACsec as best I can tell isn't supported for those chipsets... Its curiously only supported currently by the QCA8081 chip from the RB5009 et al. The cpu is too small in the CRS326 for any meaningful throughput in software MACsec. I haven't tested or verified though, ymmv... Regards, Dirk Bermingham -----Original Message----- From: Christopher Hawker via Public <public@talk.mikrotik.com.au> Sent: Tuesday, 5 May 2026 10:37 AM To: public@talk.mikrotik.com.au Cc: Christopher Hawker <chris@thesysadmin.au> Subject: [MT-AU Public] MACsec for Dark Fibre Hello folks, We've got a dark fibre circuit being delivered over the coming weeks. We've ordered 3 x CRS326-24S+2Q+RM (one for each end plus a cold spare). Our plan is to route local network traffic over the service, which obviously requires us to secure it through some form of encryption. This then leads me to my next question. Some people I've spoken to are telling us to run an IPsec tunnel across between the two FortiGate appliances we have at either end, some are telling us to look at MACsec to offload the traffic from the L3 side of things onto L2. How new is the MACsec implementation on the CRS326? What performance benefits or detriments are we likely to see from using MACsec as opposed to IPsec tunnels? The only reason I'm considering it is because it reduces the IP overhead and reduces the workload on the FortiGate appliances. Regards, Christopher Hawker _______________________________________________ Public mailing list -- public@talk.mikrotik.com.au To unsubscribe send an email to public-leave@talk.mikrotik.com.au