In an egress processing method, an egress frame is received. The egress frame includes an outer Ethernet frame, an Internet Protocol (IP) header, a layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol, and an inner Ethernet frame with a payload. The outer Ethernet frame, the IP header, and the inner Ethernet frame, and the L3 encapsulation are parsed. Based on results of the parsing, a media access control security (MACsec) policy that defines how to protect the inner Ethernet frame is determined, and the inner Ethernet frame is protected according to the MACsec policy, while leaving unprotected the outer Ethernet frame, the IP header, and the L3 encapsulation, to produce a partly protected output egress frame. The partly protected output egress frame is transmitted to the peer network device over a public wide area network.