Configure the Confidentiality Offset on a Port

Use the following procedure to configure the confidentiality offset on a port. The default is disabled.

About this task

The confidentiality offset starts encryption a fixed number of bytes into the frame instead of immediately after the Ethernet header, so that the IPv4 or IPv6 Network Layer header travels in cleartext and intermediate devices can inspect and classify the traffic. For example, an offset of 30 leaves the IPv4 header and the transport-layer port numbers unencrypted; an offset of 50 does the same for IPv6. IEEE 802.1AE defines only the offsets 0 (no offset), 30, and 50. The unencrypted bytes remain covered by the MACsec integrity check value, so they cannot be modified undetected; only their confidentiality is given up. Bear in mind that any device or tap on the link, not only the intermediate devices you intend, can read those headers, so the addresses and ports of otherwise encrypted traffic are exposed.
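
The following Python script is an added example; it is not part of this documentation or of the switch software. It constructs IPv4 and IPv6 frames carrying UDP and TCP and reports which fields stay in cleartext for confidentiality offsets of 0, 30, and 50, following the IEEE 802.1AE rule that the offset counts octets of the protected user data from the original EtherType onward, while the destination and source MAC addresses are always in the clear. The MAC and IP addresses, ports, payload, and field names are constructed for illustration only.

```python
"""Cleartext exposure under a MACsec confidentiality offset.

Added example, not part of the switch documentation or software. Frames
are constructed in-line. The rule modelled is IEEE 802.1AE's: the first
`offset` octets of the user data (original EtherType onward) are
integrity-protected but not encrypted, and DA/SA are always in the clear.
"""
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x0800, 0x86DD
PROTO_TCP, PROTO_UDP = 6, 17
MAC_ADDRS_LEN = 12           # DA + SA; MACsec inserts the SecTAG after these
VALID_OFFSETS = (0, 30, 50)  # the only values IEEE 802.1AE defines


@dataclass
class Frame:
    data: bytes
    fields: list   # (name, start, end) byte ranges within data


def _ipv4(proto, payload_len):
    # Constructed header: version/IHL, TOS, total length, ID, flags/frag,
    # TTL, protocol, checksum (left 0), 10.0.0.1 -> 10.0.0.2
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       0x4000, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def _ipv6(next_hdr, payload_len):
    # Constructed header: version 6, payload length, next header, hop limit,
    # 2001:db8::1 -> 2001:db8::2
    src = bytes.fromhex("20010db8" + "00" * 10 + "0001")
    dst = bytes.fromhex("20010db8" + "00" * 10 + "0002")
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_hdr, 64, src, dst)


def _udp(payload_len):
    # src port, dst port, length, checksum (left 0)
    return struct.pack("!HHHH", 40000, 53, 8 + payload_len, 0)


def _tcp():
    # src port, dst port, seq, ack, data offset (5 words), flags (SYN),
    # window, checksum, urgent pointer: 20 bytes, no options
    return struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_frame(ip_version, l4_proto, payload=b"constructed payload bytes"):
    """Build a constructed Ethernet/IP/L4 frame and record its field layout."""
    l4 = _tcp() if l4_proto == PROTO_TCP else _udp(len(payload))
    if ip_version == 4:
        l3, ethertype = _ipv4(l4_proto, len(l4) + len(payload)), ETHERTYPE_IPV4
    else:
        l3, ethertype = _ipv6(l4_proto, len(l4) + len(payload)), ETHERTYPE_IPV6
    data = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!H", ethertype) + l3 + l4 + payload)
    l4name = "tcp" if l4_proto == PROTO_TCP else "udp"
    l3_end = 14 + len(l3)
    fields = [("dst_mac", 0, 6), ("src_mac", 6, 12), ("ethertype", 12, 14),
              (f"ipv{ip_version}_header", 14, l3_end),
              (f"{l4name}_ports", l3_end, l3_end + 4),
              (f"{l4name}_header", l3_end, l3_end + len(l4)),
              ("payload", l3_end + len(l4), len(data))]
    return Frame(data, fields)


def classify(frame, offset):
    """Map each field to 'clear', 'partial' or 'encrypted' for a given offset."""
    if offset not in VALID_OFFSETS:
        raise ValueError(f"confidentiality offset must be one of {VALID_OFFSETS}")
    boundary = MAC_ADDRS_LEN + offset  # first encrypted byte, original-frame coordinates
    result = {}
    for name, start, end in frame.fields:
        if end <= boundary:
            result[name] = "clear"
        elif start >= boundary:
            result[name] = "encrypted"
        else:
            result[name] = "partial"
    return result


def exposed_fields(frame, offset):
    """Names of fields an observer on the link can read in full."""
    return [n for n, v in classify(frame, offset).items() if v == "clear"]


if __name__ == "__main__":
    cases = {"IPv4/UDP": build_frame(4, PROTO_UDP), "IPv4/TCP": build_frame(4, PROTO_TCP),
             "IPv6/UDP": build_frame(6, PROTO_UDP), "IPv6/TCP": build_frame(6, PROTO_TCP)}
    for label, frame in cases.items():
        for off in VALID_OFFSETS:
            print(f"{label} offset {off:2}: {classify(frame, off)}")
```

Running the script shows why the two values exist: offset 30 leaves the full IPv4 header and UDP header (or the TCP ports and sequence number) readable, offset 50 does the same for IPv6, and applying offset 50 to IPv4 traffic also exposes the first bytes of the application payload. Choose the offset for the address family actually carried on the link.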

Note

On a 5420 Series port with MACsec enabled and the confidentiality offset configured to 50, all frames shorter than 67 bytes are dropped and the discarded-packet counter increments.

As a best practice, do not configure the confidentiality offset to 50 on the 5420 Series.

Note

On a 5420 Series port with MACsec enabled, data encryption enabled, and the confidentiality offset configured to 30 or 50, the InOctetsValidated counter increments in addition to the InOctetsDecrypted counter in the MACsec secure channel inbound statistics, because the unencrypted offset bytes are integrity-checked but not decrypted.

Procedure

  1. Enter GigabitEthernet Interface Configuration mode:

    enable

    configure terminal

    interface GigabitEthernet {slot/port[/sub-port][-slot/port[/sub-port]][,...]}

    Note

    If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

  2. Configure confidentiality offset on the port:

    macsec confidentiality-offset <30–50>

  3. Disable the confidentiality offset on the port:

    no macsec confidentiality-offset

Example

Configuring the confidentiality offset on the port:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabit 1/2
Switch:1(config-if)#macsec confidentiality-offset 30

Variable Definitions

The following table defines parameters for the macsec confidentiality-offset command.

Variable          Value

<30–50>           Specifies the number of bytes after the Ethernet header at which data encryption begins. Although the syntax shows a range, the only valid values are 30 and 50.

The following table defines parameters for the interface gigabitethernet command.

Variable                                                Value

{slot/port[/sub-port][-slot/port[/sub-port]][,...]}     Specifies the port on which to configure the confidentiality offset.

                                                        Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.