macsec confidentiality-offset

Use macsec confidentiality-offset to set the MACsec confidentiality offset on a port.

Use undo macsec confidentiality-offset to restore the default.


macsec confidentiality-offset offset-value

undo macsec confidentiality-offset


The MACsec confidentiality offset on the port is 0. The entire frame is encrypted.


Ethernet interface view

Predefined user roles




offset-value: Specifies the confidentiality offset in bytes. The value can be 0, 30 or 50.

Usage guidelines

The MACsec confidentiality offset specifies the number of bytes starting from the frame header. MACsec encrypts only the bytes after the offset in a frame.

If you execute this command on a port to which an MKA policy has been applied, the configuration overwrites the confidentiality offset in the MKA policy. The MKA policy application is removed from the port. However, other settings (settings for parameters except the confidentiality offset) of the MKA policy are effective on the port.

MACsec uses the MACsec confidentiality offset propagated by the key server.


# Set the MACsec confidentiality offset to 30 bytes on Ten-GigabitEthernet 4/1/1.

<Sysname> system-view
[Sysname] interface ten-gigabitethernet 4/1/1
[Sysname-Ten-GigabitEthernet4/1/1] macsec confidentiality-offset 30

Related commands


display macsec

display mka session

mka apply policy