Wired Intelligent Edge

  • 1.  MACSEC through intermediate switches

    Posted Jan 31, 2025 04:00 PM

    We are working through a POC to get MACsec working in a hub-and-spoke fashion through intermediary switches. 
    The top switches are 6200M, the bottom switch is a 6300M (Farlouche). 

    The top 2 switches represent the head-end switches at schools, whereas the 6300M is the "core" or head office. 

    In this scenario, the Ruckus switch is a 7250 (which does not support MACsec). 

    In production, the Ruckus switch will be a large managed fiber network run by a third party (containing Juniper, Cisco and other switches).
    The idea is that the packets coming from the school would be encapsulated with MACsec, protecting them for the rest of that large fiber network. 

    Is something like this possible? Do we need to look at WAN MACsec?

    The alternative here is a firewall at every school that builds IPsec tunnels back to the "head office core", which we are trying to avoid as that means Aruba loses the POC. 



    ------------------------------
    Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
    ------------------------------


  • 2.  RE: MACSEC through intermediate switches

    Posted Feb 10, 2025 06:06 AM

    Yes, MACsec is a point-to-point technology; it protects the 'layer 2 link'. And with WAN MACsec, you can traverse switches that are not MACsec capable/aware.

    Check this video on WAN MACsec with AOS-CX.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: MACSEC through intermediate switches

    Posted Feb 10, 2025 01:20 PM

    What about the following? It seems to be supported on certain models of 6300M and 6400. 

    clear tag mode

    clear tag mode {dot1q | none}

    no clear tag mode {dot1q | none}

    Description

    Configures the part of the Ethernet payload in a MACsec protected frame that must precede the Security TAG (SecTAG) header in clear text.

    The dot1q mode allows the 802.1q tag of a MACsec protected frame to be sent in clear text and placed before the MACsec SecTAG header. This enables the establishment of a MACsec tunnel between two MACsec endpoints over a non-MACsec Layer 2 network.

    The no form of the command will configure the device to place the SecTAG header immediately after the destination and source MAC addresses.



    ------------------------------
    Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
    ------------------------------
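    To make the difference between the two SecTAG placements in the command reference above concrete (and why it matters for the non-MACsec transit switch from the original question), here is an added example that is not part of this thread or of any Aruba code. It builds two constructed MACsec frames following the IEEE 802.1AE SecTAG layout (EtherType 0x88E5, TCI/AN, SL, PN, SCI): one with the SecTAG immediately after the MAC addresses (the `no clear tag mode` layout) and one with the 802.1Q tag in clear text in front of the SecTAG (the `dot1q` layout). It then parses each frame the way a MACsec-unaware Layer 2 switch would, reading only the cleartext header. The MAC addresses, VLAN ID, SCI and payload bytes are constructed dummy values.

```python
"""Constructed MACsec frame layouts: what a non-MACsec transit switch can read.

Added illustration for this thread, not vendor code. SecTAG fields follow
IEEE 802.1AE; the encrypted payload and ICV are dummy bytes, not real ciphertext.
"""
import struct

ETHERTYPE_VLAN = 0x8100    # IEEE 802.1Q
ETHERTYPE_MACSEC = 0x88E5  # IEEE 802.1AE SecTAG

DST = bytes.fromhex("0011223344aa")  # constructed MAC addresses
SRC = bytes.fromhex("0011223344bb")
SCI = SRC + b"\x00\x01"              # constructed Secure Channel Identifier (MAC + port)


def build_sectag(an=0, pn=1, short_length=0, include_sci=True):
    """SecTAG: EtherType, TCI/AN, SL, PN and (optionally) SCI.

    TCI bits: V=0, ES=0, SC=include_sci, SCB=0, E=1, C=1 (payload encrypted), AN=an.
    """
    tci = (1 << 3) | (1 << 2) | (an & 0x3)
    if include_sci:
        tci |= 1 << 5
    tag = struct.pack("!HBBI", ETHERTYPE_MACSEC, tci, short_length, pn)
    return tag + (SCI if include_sci else b"")


def build_frame(vlan_in_clear, vlan_id=100, payload=b"\xaa" * 46):
    """Return a frame in one of the two layouts described by 'clear tag mode'.

    vlan_in_clear=False: DST | SRC | SecTAG | secure data | ICV   (no clear tag mode)
    vlan_in_clear=True : DST | SRC | 802.1Q | SecTAG | secure data | ICV (dot1q mode)
    The 16-byte ICV is a dummy placeholder here.
    """
    body = build_sectag() + payload + b"\x00" * 16
    if vlan_in_clear:
        return DST + SRC + struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF) + body
    return DST + SRC + body


def inspect_as_transit_switch(frame):
    """Parse only the cleartext header, as a MACsec-unaware L2 switch would.

    Returns the VLAN ID the switch can see (None if the frame looks untagged),
    whether the next EtherType is MACsec, and the cleartext SecTAG fields.
    """
    dst, src = frame[:6], frame[6:12]
    off = 12
    vlan_id = None
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype == ETHERTYPE_VLAN:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlan_id = tci & 0x0FFF
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    result = {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "vlan_id": vlan_id,
        "ethertype": ethertype,
        "macsec": ethertype == ETHERTYPE_MACSEC,
    }
    if result["macsec"]:
        tci_an, sl, pn = struct.unpack("!BBI", frame[off + 2:off + 8])
        result["an"] = tci_an & 0x3
        result["encrypted"] = bool(tci_an & (1 << 3))
        result["pn"] = pn
    return result


if __name__ == "__main__":
    for mode in (False, True):
        print("dot1q in clear" if mode else "SecTAG after MACs",
              inspect_as_transit_switch(build_frame(mode)))
```

    With the default placement the transit switch sees an untagged frame whose EtherType is 0x88E5, so the VLAN tag that would normally steer the frame across a trunk is inside the encrypted payload and unavailable to it. With the `dot1q` placement the same switch sees VLAN 100 and can forward on it, while the SecTAG and everything after it remain as before. The trade-off is that the bytes placed in front of the SecTAG are readable by every device on the path, which is exactly what the intermediate network needs to forward, but also what it learns.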



  • 4.  RE: MACSEC through intermediate switches

    Posted Feb 14, 2025 03:56 AM

    That is a new command for me, so I won't know if that covers your scenario. Any way you can test it?



    ------------------------------
    Herman Robers
    ------------------------------