"If you are looking to aggregate a whole bunch of traffic across a metro Ethernet network on a very high speed link, that's where Layer 2 really shines," said Scott Fanning, senior engineering manager for IOS security at Cisco Systems. "If you are looking at IPSec, you're looking at a much more granular policy, per device or per user policy. You pick the use case appropriately--they're complementary, certainly not competing technologies."
Because it operates below the network layer, Layer 2 encryption is protocol agnostic and is very attractive for high-speed data transmission between data centers. It simply "encrypts everything" and sharply reduces the overhead required by IPSec by as much as 40 percent of available bandwidth. "We encrypt everything that goes across out links; it's just easier to say, if it goes out of our premise, it's encrypted," said the network manager for a regional health care provider, who encrypts traffic largely to meet HIPAA and Medicare requirements.
However, as the provider moved up to gigabit traffic transmission, traffic increased dramatically as users took advantage of the increased capability. VoIP, in particular, has grown from one percent to 10 percent of bandwidth use, but accounts for a quarter of the packet total, placing a heavy burden on processing. "We saw CPU utilization on our routers that were doing encryption jump up dramatically," he said of the VoIP demands. He implemented Layer 2 encryption using SafeNet encryptors, which addressed the performance and latency issues and offloaded encryption from his routers. The company uses Layer 3 encryption for lower bandwidth environments, as well as data transmission to other companies that may not be in a position to support Layer 2.
Layer 2 encryption is a "hop-by-hop" technology, rather than an end-to-end approach used by IPSec. This can be a limiting factor, but also allows organizations that want to inspect traffic to look at network telemetry information provided by Netflow, for example, between points, because the traffic is in the clear within the device. The encryption devices on the end of each "hop" must not only support Layer 2 but must be directly connected or appear to be directly connected. For example, a Layer 2 transmission could take place across an MPLS network, which would make the intervening network transparent to the encryption devices.