What risk are you trying to mitigate ? Reason i ask - i have spent some time in the banking finance area We looked at this issue dark fibre and it being compromised - it was interesting to know a lot of big (ASX / CBA / RBA ) places didn't encrypt that traffic specifically. Thats not to say they don't encrypt data Curious to know what your scenario is On Tue, May 5, 2026 at 10:51 AM TFM Cloud - Dirk Bermingham via Public < public@talk.mikrotik.com.au> wrote:
Hardware MACsec as best I can tell isn't supported for those chipsets... Its curiously only supported currently by the QCA8081 chip from the RB5009 et al.
The cpu is too small in the CRS326 for any meaningful throughput in software MACsec.
I haven't tested or verified though, ymmv...
Regards,
Dirk Bermingham
-----Original Message----- From: Christopher Hawker via Public <public@talk.mikrotik.com.au> Sent: Tuesday, 5 May 2026 10:37 AM To: public@talk.mikrotik.com.au Cc: Christopher Hawker <chris@thesysadmin.au> Subject: [MT-AU Public] MACsec for Dark Fibre
Hello folks,
We've got a dark fibre circuit being delivered over the coming weeks. We've ordered 3 x CRS326-24S+2Q+RM (one for each end plus a cold spare). Our plan is to route local network traffic over the service, which obviously requires us to secure it through some form of encryption.
This then leads me to my next question. Some people I've spoken to are telling us to run an IPsec tunnel across between the two FortiGate appliances we have at either end, some are telling us to look at MACsec to offload the traffic from the L3 side of things onto L2.
How new is the MACsec implementation on the CRS326? What performance benefits or detriments are we likely to see from using MACsec as opposed to IPsec tunnels? The only reason I'm considering it is because it reduces the IP overhead and reduces the workload on the FortiGate appliances.
Regards, Christopher Hawker _______________________________________________ Public mailing list -- public@talk.mikrotik.com.au To unsubscribe send an email to public-leave@talk.mikrotik.com.au
_______________________________________________ Public mailing list -- public@talk.mikrotik.com.au To unsubscribe send an email to public-leave@talk.mikrotik.com.au