Configure the Confidentiality Offset on a Port

Use the following procedure to configure the confidentiality offset on a port. The default is disabled.

About this task

The confidentiality offset provides a way to start encryption after a few bytes following the Ethernet header. The confidentiality offset facilitates traffic flow inspection and classification on intermediate devices by not encrypting the Network Layer header for IPv4 or IPv6. For instance, if you configure the offset to 30, the IPv4 header and the TCP/UDP header are not encrypted. If you configure the offset to 50, the IPv6 header and the TCP/UDP header are not encrypted.

Procedure

  1. Enter GigabitEthernet Interface Configuration mode:

    enable

    configure terminal

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

    Note

    Note

    If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

  2. Configure confidentiality offset on the port using one of the following commands:
    • To enable confidentiality-offset, use macsec confidentiality-offset <30–50>
    • To disable confidentiality-offset, use no macsec confidentiality-offset

Example

Configuring the confidentiality offset on the port:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabit 1/2
Switch:1(config-if)#macsec confidentiality-offset 30

Variable Definitions

The following table defines parameters for the macsec confidentiality-offset command.

Variable

Value

<30–50>

Specifies the bytes after the Ethernet header from which data encryption begins. Valid values are 30 and 50.

The following table defines parameters for the interface gigabitethernet command.

Variable

Value

{slot/port[/sub-port][-slot/port[/sub-port]][,...]}

Specifies the port that you want to associate with the connectivity association (CA).

Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.