Configure the Confidentiality Offset on a Port

About this task

The confidentiality offset provides a way to start encryption after a few bytes following the Ethernet header. The confidentiality offset facilitates traffic flow inspection and classification on intermediate devices by not encrypting the Network Layer header for IPv4 or IPv6. For instance, if you configure the offset to 30, the IPv4 header and the TCP/UDP header are not encrypted. If you configure the offset to 50, the IPv6 header and the TCP/UDP header are not encrypted.

Note

On a MACsec-enabled port with confidentiality offset configured to 50 on the 5320 Series or 5420 Series, all packets less than 67 bytes drop and discarded packets increment.

As a best practice, do not configure the confidentiality offset to 50 on the 5320 Series or 5420 Series.

On a MACsec-enabled port with data encryption enabled and confidentiality offset configured to 30 or 50 on the 5320 Series 5420 Series, InOctetsValidated counter also increments in addition to InOctetsDecrypted counters in Macsec secure channel Inbound statistics.

1. Enter GigabitEthernet Interface Configuration mode:

   enable

   configure terminal

   interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...][slot/all][all]}

   

   Note

   If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

2. Configure confidentiality offset on the port using one of the following commands:
   • To enable confidentiality-offset, use macsec confidentiality-offset <30–50>
   • To disable confidentiality-offset, use no macsec confidentiality-offset

Example

Configuring the confidentiality offset on the port:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabit 1/2
Switch:1(config-if)#macsec confidentiality-offset 30