i well familiar with macsec. we use it between datacenters and for aws directlink. it de-facto standard for this kind of stuff. i even worked on hardware that provided macsec support

a couple of years ago I tried to use it inside datacenter during fedramp implementation. it crashed and burned for a couple of reasons:

- linux wpa_supplicant was crashing during session establishment

- switch had a limit on number of macsec session per port