MACsec to edge hosts

Are any of you pushing MACsec (802.1AE) out from your switches to the edge hosts, vs. just running it on the network cross-connect fabric?

We have a scenario where, if we could MACsec-encrypt those (switch <-> host) links, we could eliminate a lot of application-level TLS. But searching for a list of PHYs that support this turned up a very thin set of chips, with most of them being several years old now.

Are people even using MACsec in anything other than an "encrypt cross connects between the cages" context? I would be very interested in chatting with anyone who has tried pushing this out from their switches to the connected hosts.


The host has to support it... I've only seen the Cisco AnyConnect client add such support to the host.