802.1AE is a completed standard and will be appearing soon in hardware.
Organizations have the option of encrypting frames that traverse the wire, but in theory, there are few reasons not to encrypt. We say “in theory” because of the potential performance impact encryption has on switch capacity and delay.
The default encryption algorithm, AES-GCM, will require a hardware upgrade in network infrastructure and host network interface cards. 802.1AE implementations must conform to performance characteristics defined in the standard.
The downside is that any products that transparently process network traffic, like load balancers, traffic shapers, and network analyzers, will be blind to 802.1AE-protected traffic.
802.1X-REV builds on 802.1X to support features like authentication of multiple devices on a single switch port and key distribution for 802.1AE devices. Rather than manually creating and installing keys in network devices, 802.1X-REV makes key management part of the protocol in a fashion similar to 802.11i or WPA/WPA2.
Many organizations’ physical wiring has one physical LAN port per desk or cubicle, and 802.1X on a wired network was originally designed to be deployed on a one-host-per-port basis. However, it’s now common for sites to have multiple hosts per port. For example, voice-over-IP phones have their own LAN port to plug into a desktop or laptop, which means two network devices per port. Recognizing this problem, switch vendors provide workarounds such as allowing one unauthenticated device to be placed on a specific virtual LAN, while a subsequent device has to authenticate before getting access to the network. Cisco allows its Cisco Discovery Protocol to pass through an 802.1X port, which allows discovered devices to access a designated VLAN. Switches such as the HP ProCurve allow multiple hosts to authenticate, and the switch creates virtual ports based on a device’s MAC address and authentication state. If a workstation is connected to a VoIP phone and was properly authenticated, someone could simply clone the workstation’s MAC address and connect to the network through that VoIP phone.
If your company is in the planning stages of a switch upgrade, it might be a good idea to put off deploying the access layer until your chosen vendor supports 802.1AE and 802.1X-REV. Like all encryption technologies, 802.1AE will have an impact on network design.
Switches can send duplicate frames to a mirror port on a switch so that packet analyzers and intrusion-detection systems can process the frames, but that is not a perfect solution. For example, a full-duplex 1-Gbps link is capable of sending and receiving 1 Gbps simultaneously, for a total capacity of 2 Gbps, which is more than a single 1-Gbps mirror port can carry.
http://www.informationweek.com/news/infrastructure/ethernet/showArticle.jhtml?articleID=210605169