offset (MX Series)
Syntax
offset (0 | 30 | 50);
Hierarchy Level
[edit security macsec connectivity-association connectivity-association-name],
[edit security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name]
Description
Specifies the number of octets in an Ethernet frame that are sent unencrypted, in plain text, when encryption is enabled for MACsec.
Setting the offset to 30 allows a feature to see the IPv4 header and the TCP/UDP header while encrypting the remaining traffic. Setting the offset to 50 allows a feature to see the IPv6 header and the TCP/UDP header while encrypting the remaining traffic.
You would typically forward traffic with the first 30 or 50 octets unencrypted if a feature needed to see the data in the octets to perform a function, but you otherwise prefer to encrypt the remaining data in the frames traversing the link. Load balancing features, in particular, typically need to see the IP and TCP/UDP headers in the first 30 or 50 octets to properly load balance traffic.
You configure the offset in the [edit security macsec connectivity-association connectivity-association-name] hierarchy when you are enabling MACsec using static connectivity association key (CAK) or dynamic security mode.
You configure the offset in the [edit security macsec connectivity-association connectivity-association-name secure-channel secure-channel-name] hierarchy when you are enabling MACsec using static secure association key (SAK) security mode.
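The check below is an added example, not Juniper code: for a constructed plaintext frame it reports which headers, and how many application octets, fall inside the unencrypted offset. It assumes the offset is counted from the original EtherType, so 30 = 2 + 20-octet IPv4 header + 8 and 50 = 2 + 40-octet IPv6 header + 8; `cleartext_exposure` and `udp_sample` are hypothetical names.

```python
import struct

ETH_IPV4, ETH_IPV6, TCP, UDP = 0x0800, 0x86DD, 6, 17

def cleartext_exposure(msdu: bytes, offset: int) -> dict:
    """Report what the first `offset` octets of a MACsec-protected payload reveal.

    Assumption (not stated on the page): the offset is counted from the
    original EtherType, the first octet MACsec would otherwise encrypt.
    """
    if offset not in (0, 30, 50):
        raise ValueError("offset must be 0, 30 or 50")
    (ethertype,) = struct.unpack_from("!H", msdu, 0)
    if ethertype == ETH_IPV4:
        ip_len = (msdu[2] & 0x0F) * 4      # IHL: header length in 32-bit words
        proto = msdu[2 + 9]
    elif ethertype == ETH_IPV6:
        ip_len, proto = 40, msdu[2 + 6]    # fixed header; extension headers not walked
    else:
        raise ValueError("not an IP payload")
    l4 = 2 + ip_len                        # first octet of the TCP/UDP header
    if proto == UDP:
        l4_len = 8
    elif proto == TCP:
        l4_len = (msdu[l4 + 12] >> 4) * 4  # data offset in 32-bit words
    else:
        raise ValueError("not TCP or UDP")
    data = l4 + l4_len                     # first octet of application data
    clear = min(offset, len(msdu))
    return {
        "ip_header_clear": clear >= l4,
        "ports_clear": clear >= l4 + 4,    # source + destination port
        "app_octets_clear": max(0, clear - data),
    }

def udp_sample(ipv6: bool, ihl_words: int = 5) -> bytes:
    """Constructed sample: EtherType + IP header + UDP header + 32 data octets."""
    udp = struct.pack("!HHHH", 5000, 53, 40, 0) + b"A" * 32
    if ipv6:
        ip = struct.pack("!IHBB", 6 << 28, len(udp), UDP, 64) + bytes(32)
        return struct.pack("!H", ETH_IPV6) + ip + udp
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, ihl_words * 4 + len(udp),
                     0, 0, 64, UDP, 0, bytes(4), bytes(4)) + bytes((ihl_words - 5) * 4)
    return struct.pack("!H", ETH_IPV4) + ip + udp
```

Under this assumption, offset 50 applied to IPv4/UDP traffic leaves 20 octets of application data unencrypted, and offset 30 does not expose the ports of IPv6 traffic or of IPv4 packets carrying 8 octets of options.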
Default
0
Options
0 | Specifies that no octets are unencrypted. When you set the offset to 0, all traffic on the interface where the connectivity association or secure channel is applied is encrypted.
30 | Specifies that the first 30 octets of each Ethernet frame are unencrypted. Note: In IPv4 traffic, setting the offset to 30 allows a feature to see the IPv4 header and the TCP/UDP header while encrypting the rest of the traffic. An offset of 30, therefore, is typically used when a feature needs this information to perform a task on IPv4 traffic.
50 | Specifies that the first 50 octets of each Ethernet frame are unencrypted. Note: In IPv6 traffic, setting the offset to 50 allows a feature to see the IPv6 header and the TCP/UDP header while encrypting the rest of the traffic. An offset of 50, therefore, is typically used when a feature needs this information to perform a task on IPv6 traffic.
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 15.1.