Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

offset (MX Series)

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 15.1 for MX240, MX480, and MX960 routers.

Description

Specifies the number of octets in an Ethernet frame that are sent in unencrypted plain-text when encryption is enabled for MACsec.

Setting the offset to 30 allows a feature to see the IPv4 header and the TCP/UDP header while encrypting the remaining traffic. Setting the offset to 50 allows a feature to see the IPv6 header and the TCP/UDP header while encrypting the remaining traffic.

You would typically forward traffic with the first 30 or 50 octets unencrypted if a feature needed to see the data in the octets to perform a function, but you otherwise prefer to encrypt the remaining data in the frames traversing the link. Load balancing features, in particular, typically need to see the IP and TCP/UDP headers in the first 30 or 50 octets to properly load balance traffic.

You configure the offset in the [edit security macsec connectivity-association connectivity-association-name] hierarchy when you are enabling MACsec using static connectivity association key (CAK) or dynamic security mode.

You configure the offset in the [edit security macsec connectivity-association connectivity-association-name secure-channelsecure-channel-name] hierarchy when you are enabling MACsec using static secure association key (SAK) security mode.

Default

0

Options

0Specifies that no octets are unencrypted. When you set the offset to 0, all traffic on the interface where the connectivity association or secure channel is applied is encrypted.
30Specifies that the first 30 octets of each Ethernet frame are unencrypted.
Note

In IPv4 traffic, setting the offset to 30 allows a feature to see the IPv4 header and the TCP/UDP header while encrypting the rest of the traffic. An offset of 30, therefore, is typically used when a feature needs this information to perform a task on IPv4 traffic.

50Specified that the first 50 octets of each Ethernet frame are unencrypted.
Note

In IPv6 traffic, setting the offset to 50 allows a feature to see the IPv6 header and the TCP/UDP header while encrypting the rest of the traffic. An offset of 50, therefore, is typically used when a feature needs this information to perform a task on IPv6 traffic.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.