Arista’s TunnelSec
HappyOJ, posted 10 months ago
  • TunnelSec
    Arista's TunnelSec technology addresses these encryption use cases by providing line-rate, hardware-based 10G to 400G encryption embedded in the R3 series routing platforms, with support for IPsec, MACsec and a new VXLANsec solution.
  1. MACsec
    MACsec is performed at the interface (MAC layer) level on the platform: security keys are exchanged with the neighbouring node on the link, and everything after the initial Ethernet header (destination and source MAC plus the MACsec SecTAG) is encrypted and integrity-protected between the two nodes. Protection is hop-by-hop: each MACsec-capable node decrypts the frame, switches it in plaintext and re-encrypts it on the next link. MACsec therefore suits high-speed point-to-point connections, or end-to-end encryption only when every node in the path is MACsec aware and trusted.

  2. MACsec frame format
    [figure: MACsec frame format]

  3. MACsec for Point-to-Point encryption in the Campus and the Data Center
    [figure: MACsec point-to-point encryption in the campus and the data center]
    From this it can be seen that Arista supports end-to-end MACsec, at least as far as the AP; whether MACsec to the attached end host is supported is unknown.
  • IPSec
    IPsec also offers a benefit over MACsec: it natively supports both point-to-point and point-to-multipoint encryption topologies.
    That is, IPsec can run on top of MACsec: the IPsec encapsulation is applied first and the MACsec encapsulation second, so the IPsec payload stays encrypted across hops that are not MACsec-capable, while on a MACsec link even the ESP headers are hidden.
  1. IPsec frame format and IPsec key-exchange
    [figure: IPsec frame format and IPsec key exchange]
  2. IPsec for Point-to-Point and Point-to-Multipoint encryption across an IP backbone
    [figure: IPsec point-to-point and point-to-multipoint encryption across an IP backbone]
    Commonly used for encrypted tunnels between branch sites.
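    To make concrete what the MACsec section and the note above about layering IPsec under MACsec mean on the wire, here is an added example in Go written for this page; it is not Arista's code and does not model the TunnelSec implementation. It builds a constructed inner packet, ESP-encapsulates it with AES-GCM in the RFC 4303/4106 layout, wraps the result in an Ethernet frame, and then MACsec-protects that frame with GCM-AES-128 as IEEE 802.1AE specifies (SecTAG carrying the SCI, IV = SCI||PN, AAD = DA||SA||SecTAG). The keys, MAC and IP addresses, SPI and payload are all made-up demo values. The functions return the frames rather than printing them, so a practitioner can check that the ESP SPI and sequence number are visible on a plain IP hop but sit inside the MACsec ciphertext on a MACsec link, that a MACsec neighbour recovers the full frame, and that flipping any bit, even in the cleartext destination MAC, fails the ICV check.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed demo keys (not real key material); 16 bytes selects GCM-AES-128 in both standards.
var (
	macsecSAK = []byte("macsec-sak-16byt")
	espKey    = []byte("esp-demo-key-16b")
	espSalt   = []byte{0xde, 0xad, 0xbe, 0xef} // RFC 4106 nonce = 4-byte salt || 8-byte per-packet IV
)

func aead(key []byte) cipher.AEAD {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // the keys above are fixed 16-byte values
	}
	g, _ := cipher.NewGCM(blk) // only fails for a non-16-byte block cipher
	return g
}

func cat(parts ...[]byte) (out []byte) { // concatenate into a fresh slice
	for _, p := range parts {
		out = append(out, p...)
	}
	return
}

// EspProtect, RFC 4303 layout with AES-GCM per RFC 4106:
//   SPI(4) | Seq(4) | IV(8) | enc(inner | pad | padLen | nextHdr) | ICV(16)
// SPI and Seq are AAD, so every router on the IP backbone sees them in clear.
func EspProtect(spi, seq uint32, iv []byte, nextHdr byte, inner []byte) []byte {
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr, spi)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	padLen := (4 - (len(inner)+2)%4) % 4 // trailer must end on a 4-byte boundary
	pt := cat(inner, []byte{1, 2, 3}[:padLen], []byte{byte(padLen), nextHdr}) // default pad 1,2,3
	return cat(hdr, iv, aead(espKey).Seal(nil, cat(espSalt, iv), pt, hdr))
}

// MacsecProtect, IEEE 802.1AE GCM-AES-128 with the SCI carried in the SecTAG:
//   DA(6) | SA(6) | SecTAG(16: 0x88E5, TCI/AN, SL, PN(4), SCI(8)) | enc(EtherType | payload) | ICV(16)
// AAD = DA||SA||SecTAG and IV = SCI||PN; the original EtherType is part of the ciphertext.
func MacsecProtect(frame, sci []byte, pn uint32, an byte) []byte {
	tag := []byte{0x88, 0xE5, 0x2C | an&3, 0, 0, 0, 0, 0} // TCI: V=0 ES=0 SC=1 SCB=0 E=1 C=1, then AN
	if len(frame)-12 < 48 {
		tag[3] = byte(len(frame) - 12) // SL (short length) is set only for user data under 48 bytes
	}
	binary.BigEndian.PutUint32(tag[4:], pn)
	hdr := cat(frame[:12], tag, sci)
	return append(hdr, aead(macsecSAK).Seal(nil, cat(sci, tag[4:8]), frame[12:], hdr)...)
}

// MacsecUnprotect returns the original frame and how many leading bytes a link observer
// sees in clear (DA, SA, SecTAG). A wrong SAK or a flipped bit anywhere fails the ICV check.
func MacsecUnprotect(f []byte) (frame []byte, clearLen int, err error) {
	if len(f) < 44 || f[12] != 0x88 || f[13] != 0xE5 || f[14]&0x20 == 0 {
		return nil, 0, errors.New("not a MACsec frame carrying an SCI")
	}
	ud, err := aead(macsecSAK).Open(nil, cat(f[20:28], f[16:20]), f[28:], f[:28])
	if err != nil {
		return nil, 0, err
	}
	return cat(f[:12], ud), 28, nil
}

// ipv4 builds a minimal constructed IPv4 header (checksum left zero; a real stack fills it).
func ipv4(proto byte, src, dst, payload []byte) []byte {
	h := []byte{0x45, 0, 0, 0, 0, 0, 0, 0, 64, proto, 0, 0}
	binary.BigEndian.PutUint16(h[2:], uint16(20+len(payload)))
	return cat(h, src, dst, payload)
}

// BuildLayered applies the order described in the text: ESP-encapsulate the inner packet
// first, then MACsec-protect the entire Ethernet frame that carries it.
func BuildLayered() (inner, esp, eth, macsec []byte) {
	inner = ipv4(17, []byte{10, 1, 1, 10}, []byte{10, 2, 2, 20}, []byte("constructed UDP datagram"))
	esp = EspProtect(0x10000001, 1, []byte{1, 2, 3, 4, 5, 6, 7, 8}, 4, inner) // nextHdr 4: IP-in-IP, tunnel mode
	sa := []byte{0x02, 0, 0, 0, 0, 2}
	eth = cat([]byte{0x02, 0, 0, 0, 0, 1}, sa, []byte{0x08, 0x00}, ipv4(50, []byte{192, 0, 2, 1}, []byte{198, 51, 100, 1}, esp))
	macsec = MacsecProtect(eth, cat(sa, []byte{0, 1}), 1, 0) // SCI = SA MAC || port 1
	return
}

func main() {
	inner, esp, eth, macsec := BuildLayered()
	fmt.Printf("inner %dB, ESP %dB, frame %dB, MACsec frame %dB\n", len(inner), len(esp), len(eth), len(macsec))
	fmt.Printf("ESP SPI visible: plain frame=%v, MACsec frame=%v\n", bytes.Contains(eth, esp[:4]), bytes.Contains(macsec, esp[:4]))
}
```

    In a real deployment the MACsec SAK comes from MKA (IEEE 802.1X) and the ESP key from IKEv2 rather than from constants, and the SecTAG packet number must never repeat under one SAK, since GCM nonce reuse is fatal; the example fixes PN and IV only because it builds a single frame. ESP decapsulation is the mirror of EspProtect (Open with the same salt||IV nonce and SPI||Seq AAD, then strip padLen and nextHdr) and is omitted to keep the block short. VXLANsec is not modelled because the page does not give its frame layout.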
  • VXLANsec
    Addressing the demands for high performance 100G and 400G encryption of VXLAN traffic when interconnecting EVPN-VXLAN domains within a colo or across sites as part of a Data Center Interconnect (DCI) solution, TunnelSec platforms also provide embedded support for Arista’s innovative VXLANsec encryption technology.
  1. VXLANsec frame format, key-exchange and BGP-EVPN peering
    [figure: VXLANsec frame format, key exchange and BGP-EVPN peering]
    Effectively VXLAN over IPsec.
  2. VXLANsec, for encrypted EVPN multi-domain and Data Center Interconnect (DCI)
    Scenario: VXLAN DCI interconnect links.
    [figure: VXLANsec for encrypted EVPN multi-domain and Data Center Interconnect (DCI)]

Source