That said, if you could protect traffic on the wire with no hit to performance, would you do so?
You'll be answering that question in the next few years as two new network security protocols come to a switch near you. Together, these two protocols--IEEE 802.1AE-2006, Media Access Control Security, known as MACsec; and an update to 802.1X called 802.1X-REV--will help secure Layer 2 traffic on the wire. 802.1AE is a completed standard and will be appearing soon in hardware. 802.1X-REV could be ratified as early as the first quarter of next year.
Cisco's December 2007 announcement of its network-wide security program, dubbed TrustSec, brought the 802.1AE protocol into the limelight. 802.1AE ensures the integrity and privacy of data between peers at Layer 2. The enhancements in 802.1X-REV automate the authentication and key management requirements for 802.1AE.
802.1AE protects data in transit on a hop-by-hop basis (see diagram, "Security In Short Hops", below), ensuring that the frames are not altered between Layer 2 devices such as switches, routers, and hosts. Organizations have the option of encrypting frames that traverse the wire, but in theory, there are few reasons not to encrypt. We say "in theory" because of the potential performance impact encryption has on switch capacity and delay.
The default encryption algorithm, AES-GCM, will require a hardware upgrade in network infrastructure and host network interface cards. 802.1AE implementations must conform to performance characteristics defined in the standard. 802.1AE doesn't specify hard times--rather, the maximum delay of 802.1AE processing is relative to the time it takes to spit the bits onto the wire. On a 100-Mbps network, that's less than a millisecond for a 1,500-byte frame. Cumulatively, the impact should be negligible.
The downside is that any products that transparently process network traffic, like load balancers, traffic shapers, and network analyzers, will be blind to 802.1AE-protected traffic.
802.1AE isn't a replacement for Layer 3 VPNs, such as IPsec or PPTP. 802.1AE ensures that frames are protected from eavesdropping and manipulation at Layer 2 between peers. All traffic passing between two switches is protected using the same security parameters.
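The hop-by-hop behavior described above can be modeled in a few lines. This is an added example, not code from the article or from any 802.1AE implementation: it shows why a device on the wire is blind to encrypted frames while each Layer 2 peer recovers cleartext, and how integrity-only mode differs. Assumptions: the `Link` class, the 5-byte tag layout, the link IDs and the sample frame are hypothetical and simplified, replay checking is not modeled, and the Python `cryptography` package is installed.

```python
import os, struct
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

HEADER = bytes.fromhex("02aabbccddee" "021122334455")  # constructed dst + src MAC
PAYLOAD = b"constructed payload: user=alice balance=100"

class Link:
    """One Layer 2 hop with its own AES-GCM key (simplified model, hypothetical names)."""
    def __init__(self, link_id: bytes, encrypt: bool):
        self.gcm = AESGCM(os.urandom(16))  # random here; the article says 802.1X-REV manages keys
        self.link_id, self.encrypt, self.pn = link_id, encrypt, 0  # link_id: 8 bytes

    def protect(self, header: bytes, payload: bytes) -> bytes:
        self.pn += 1  # packet number keeps the 12-byte nonce unique per frame
        nonce = self.link_id + struct.pack(">I", self.pn)
        tag_hdr = header + struct.pack(">BI", int(self.encrypt), self.pn)
        if self.encrypt:  # confidentiality + integrity: payload is ciphertext on the wire
            return tag_hdr + self.gcm.encrypt(nonce, payload, tag_hdr)
        # integrity only: payload stays readable, the 16-byte tag covers header + payload
        return tag_hdr + payload + self.gcm.encrypt(nonce, b"", tag_hdr + payload)

    def verify(self, frame: bytes, hdr_len: int) -> bytes:
        tag_hdr, body = frame[:hdr_len + 5], frame[hdr_len + 5:]
        enc, pn = struct.unpack(">BI", tag_hdr[hdr_len:])
        nonce = self.link_id + struct.pack(">I", pn)
        if enc:
            return self.gcm.decrypt(nonce, body, tag_hdr)  # raises InvalidTag if altered
        payload, icv = body[:-16], body[-16:]
        self.gcm.decrypt(nonce, icv, tag_hdr + payload)    # raises InvalidTag if altered
        return payload

def send_across(links, header, payload):
    """Carry one frame over consecutive hops; return (per-link wire captures, delivered payload)."""
    captures = []
    for link in links:
        wire = link.protect(header, payload)
        captures.append(wire)                        # what a passive tap on this link sees
        payload = link.verify(wire, len(header))     # receiving device recovers cleartext
    return captures, payload

def tamper_detected(link, header, payload) -> bool:
    wire = bytearray(link.protect(header, payload))
    wire[-20] ^= 0x01                                # flip one payload bit in transit
    try:
        link.verify(bytes(wire), len(header))
    except InvalidTag:
        return True
    return False
```

Calling `send_across([Link(b"link-A01", True), Link(b"link-B01", True)], HEADER, PAYLOAD)` returns two different ciphertext captures and the original payload, which is the position an inline analyzer is in: it must either be a keyed peer on the link or see only ciphertext.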