Configure the Confidentiality Offset on a Port
Use the following procedure to configure the confidentiality offset on a port. The default is disabled.
About this task
The confidentiality offset provides a way to start encryption a fixed number of bytes after the Ethernet header. Because the network layer header (IPv4 or IPv6) is left unencrypted, intermediate devices can still inspect and classify the traffic flow. For instance, if you configure the offset to 30, the IPv4 header and the TCP/UDP header are not encrypted. If you configure the offset to 50, the IPv6 header and the TCP/UDP header are not encrypted.
Note
On a MACsec-enabled port with the confidentiality offset configured to 50 on the 5420 Series, all packets shorter than 67 bytes are dropped and the discarded-packets counter increments.
As a best practice, do not configure the confidentiality offset to 50 on the 5420 Series.
Note
On a MACsec-enabled port with data encryption enabled and the confidentiality offset configured to 30 or 50 on the 5420 Series, the InOctetsValidated counter also increments, in addition to the InOctetsDecrypted counter, in the MACsec secure channel Inbound statistics.
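As an added illustration (not part of the vendor documentation), the following Python models what the offset does to a single frame: everything from the start of the frame up to the configured number of bytes past the Ethernet header is sent unencrypted (MACsec still integrity-protects it), and everything after that boundary is encrypted. This is why the page pairs 30 with IPv4 and 50 with IPv6: the 20-byte IPv4 header, or the 40-byte IPv6 header, plus the first 10 bytes of the transport header stay visible, which covers the whole 8-byte UDP header or the TCP ports and sequence number. The sample frame, its MAC and IP addresses and its ports are constructed for the example; the 67-byte discard rule encodes only what the note above states; and using `0` to model the disabled default is an assumption of the example, not a value the page documents.

```python
import struct
from typing import Dict, Tuple

ETH_HDR_LEN = 14   # dst MAC + src MAC + EtherType (untagged frame)
IPV4_HDR_LEN = 20  # IPv4 header without options
IPV6_HDR_LEN = 40  # fixed IPv6 header
TCP_HDR_LEN = 20   # TCP header without options
UDP_HDR_LEN = 8

# 30 and 50 are the values the command accepts; 0 models "offset disabled"
# (an assumption of this example, not a value documented on the page).
VALID_OFFSETS = (0, 30, 50)

MIN_FRAME_LEN_5420_OFFSET_50 = 67  # from the vendor note above


def split_at_offset(frame: bytes, offset: int) -> Tuple[bytes, bytes]:
    """Split a frame into (cleartext, encrypted) parts.

    Bytes up to ETH_HDR_LEN + offset are sent in the clear (MACsec still
    integrity-protects them); bytes after that boundary are encrypted.
    """
    if offset not in VALID_OFFSETS:
        raise ValueError(f"offset must be one of {VALID_OFFSETS}, got {offset}")
    boundary = ETH_HDR_LEN + offset
    return frame[:boundary], frame[boundary:]


def cleartext_header_bytes(offset: int, ip_version: int, l4: str) -> Dict[str, int]:
    """How many bytes of the IP header and of the transport header stay unencrypted."""
    ip_len = IPV4_HDR_LEN if ip_version == 4 else IPV6_HDR_LEN
    l4_len = TCP_HDR_LEN if l4 == "tcp" else UDP_HDR_LEN
    ip_clear = min(offset, ip_len)
    l4_clear = min(max(offset - ip_len, 0), l4_len)
    return {"ip_clear": ip_clear, "ip_total": ip_len,
            "l4_clear": l4_clear, "l4_total": l4_len}


def discarded_on_5420(frame_len: int, offset: int) -> bool:
    """The note above: with offset 50 on the 5420 Series, frames shorter than
    67 bytes are dropped and counted as discards."""
    return offset == 50 and frame_len < MIN_FRAME_LEN_5420_OFFSET_50


def build_ipv4_tcp_frame(payload: bytes) -> bytes:
    """Constructed sample frame: Ethernet + IPv4 (no options) + TCP (no options) + payload.
    Addresses and ports are made up for the example; checksums are left at zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = IPV4_HDR_LEN + TCP_HDR_LEN + len(payload)
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # src port 443, dst port 51000, seq 1, ack 0, data offset 5, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", 443, 51000, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ipv4 + tcp + payload


if __name__ == "__main__":
    frame = build_ipv4_tcp_frame(b"hello")
    for offset in VALID_OFFSETS:
        clear, enc = split_at_offset(frame, offset)
        print(f"offset {offset:2d}: {len(clear)} bytes in the clear, {len(enc)} encrypted, "
              f"dropped on 5420: {discarded_on_5420(len(frame), offset)}")
```

Running it on the 59-byte sample frame shows that with offset 30 the IPv4 header and the TCP ports are readable while the payload is not, and that the same frame would be discarded on a 5420 Series port configured with offset 50, which is the practical reason behind the best-practice note above.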
Procedure
Example
Configuring the confidentiality offset on the port:
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#interface gigabit 1/2
Switch:1(config-if)#macsec confidentiality-offset 30
Variable Definitions
The following table defines parameters for the macsec confidentiality-offset command.
Variable | Value
---|---
<30–50> | Specifies the bytes after the Ethernet header from which data encryption begins. Valid values are 30 and 50.
The following table defines parameters for the interface gigabitethernet command.
Variable | Value
---|---
{slot/port[/sub-port][-slot/port[/sub-port]][,...]} | Specifies the port that you want to associate with the connectivity association (CA). Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.
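As an added example (not the vendor's code), the following Python parses the port-list syntax described above so that automation can validate a list before pushing MACsec configuration to it and see exactly which ports a range or series covers. The page does not say how many ports a slot has, so a range is expanded only when both ends are in the same slot and at the same level (both slot/port, or both slot/port/sub-port on the same port); any other range is rejected rather than guessed. That restriction is an assumption of this example.

```python
import re
from typing import List, Optional, Tuple

Port = Tuple[int, int, Optional[int]]  # (slot, port, sub-port or None)

_PORT_RE = re.compile(r"^(\d+)/(\d+)(?:/(\d+))?$")


def parse_port(text: str) -> Port:
    """Parse one slot/port or slot/port/sub-port token."""
    m = _PORT_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad port token: {text!r}")
    slot, port, sub = m.groups()
    return (int(slot), int(port), int(sub) if sub is not None else None)


def expand_port_list(spec: str) -> List[Port]:
    """Expand a comma-separated list of ports and port ranges into individual ports.

    Assumption (the page does not define ports per slot): a range is expanded only
    within one slot, and a sub-port range only within one port; other ranges raise.
    """
    ports: List[Port] = []
    for item in spec.split(","):
        if "-" not in item:
            ports.append(parse_port(item))
            continue
        lo_txt, hi_txt = item.split("-", 1)
        lo, hi = parse_port(lo_txt), parse_port(hi_txt)
        if lo[0] != hi[0]:
            raise ValueError(f"range crosses slots, not expanded here: {item!r}")
        if (lo[2] is None) != (hi[2] is None):
            raise ValueError(f"range mixes port and sub-port: {item!r}")
        if lo[2] is None:
            if lo[1] > hi[1]:
                raise ValueError(f"descending port range: {item!r}")
            ports.extend((lo[0], p, None) for p in range(lo[1], hi[1] + 1))
        else:
            if lo[1] != hi[1] or lo[2] > hi[2]:
                raise ValueError(f"sub-port range must stay on one port: {item!r}")
            ports.extend((lo[0], lo[1], s) for s in range(lo[2], hi[2] + 1))
    # Drop duplicates while keeping the order the operator wrote them in.
    seen = set()
    unique: List[Port] = []
    for p in ports:
        if p not in seen:
            seen.add(p)
            unique.append(p)
    return unique


def is_valid_port_list(spec: str) -> bool:
    """True if the list parses under the rules above, False otherwise."""
    try:
        expand_port_list(spec)
        return True
    except ValueError:
        return False


def format_port(p: Port) -> str:
    """Render a port back in the command's own notation."""
    slot, port, sub = p
    return f"{slot}/{port}" if sub is None else f"{slot}/{port}/{sub}"


if __name__ == "__main__":
    for spec in ("1/2", "1/2-1/4,1/7", "1/2/1-1/2/4"):
        print(spec, "->", [format_port(p) for p in expand_port_list(spec)])
```

Expanding a list before applying it lets a change review show every interface that will end up with the offset configured, rather than trusting that a typed range covers what the operator intended.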