Easy Virtual Networks (Evns) - Cisco Catalyst 6500-E Series Manual

Switch as the backbone of a unified access campus architecture

Figure 14. MACsec Encryption in the Campus
This example of video surveillance traffic is one of the many use cases where MACsec encryption plays a vital role
in the backbone of the unified access campus architecture. If this were a medical organization, financial institution,
government agency, or any other organization whose data is highly confidential, then encrypting the traffic
traversing the public space becomes critical to maintaining compliance with government regulations concerning
data integrity.
In some cases an organization's footprint consists of geographically separate locations with an ISP network
between them, and yet the need for data integrity and security is the same as if the locations were on the same
physical campus. For these cases, the Cisco Catalyst 6500-E with Supervisor Engine 2T offers the ability to pass
802.1AE MACsec encrypted traffic across a provider's Multiprotocol Label Switching (MPLS) backbone, as seen in
Figure 15.
Figure 15. MACsec Encryption Across an MPLS Backbone
Figure 14 is the same use case as Figure 13, except now the encrypted traffic is being passed across an ISP's
MPLS backbone instead of between buildings at the same physical site. This effectively extends the backbone of
the unified access campus architecture to the entire enterprise even when that enterprise is composed of
geographically disparate locations. The ability to pass encrypted traffic across an MPLS backbone gives the
network administrator the confidence to be able to extend the same policies and capabilities to remote site users
as exist for local site users while remaining assured that data security is maintained.

Easy Virtual Networks (EVNs)

The logical separation of forwarding instances (or segmentation) over a single physical infrastructure is a primary
concept when considering network security. The addition of personally owned devices into the enterprise campus
environment means that organizations that previously never had to deal with this issue will suddenly find
themselves needing to implement segmentation to make sure security or compliance guidelines are followed.
Organizations most commonly use VLANs, Multiprotocol Label Switching virtual private networks (MPLS
VPNs), and/or Virtual Route Forwarding Lite (VRF-Lite) to achieve network segmentation. The Cisco Catalyst
6500-E with Supervisor Engine 2T supports all of these methods, with a rich feature set for each.
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
