Network Group Encryption Helper
This chapter describes the network group encryption (NGE) helper.
Applicability
The information and configuration in this chapter are based on SR OS Release 23.3.R1. Network group encryption (NGE) helpers require use of the VSR-a or the VSR-I and can be deployed with 7750 SR and 7950 XRS.
Overview
The NGE helper enables NGE security for services configured on the 7750 SR or 7950 XRS (hereafter referred to as the router) that require additional confidentiality and integrity.
Multiple NGE helpers can be deployed with a router, depending on the throughput the operator requires for encrypted services. The figure "General architecture using an NGE helper" shows the general architecture.
Each NGE helper is connected to the router using an access interface and a network interface, where both interfaces are configured on the NGE helper and on the router. A hybrid port can be used on the router and NGE helper to optimize the deployment, so one physical port is required on the router and NGE helper.
SAPs are configured on the router using an Epipe directed toward the NGE helper access interface. Unencrypted traffic that is received on the SAP interface is sent through the Epipe to the NGE helper, which encrypts the traffic before sending it toward the network. The network interface on the NGE helper is enabled with minimal network control plane functions toward the router. The network control plane of the router performs the majority of network-level processing and forwarding of NGE-encrypted services.
The NGE helper supports services-based encryption, including:
- VPRN encryption
- SDP encryption
- PW-template encryption
Router interface encryption and port-level encryption are not supported by the NGE helper.
Scenarios for encrypting services
The following main services scenarios are supported:
- VPRN encryption using auto-bind services for both MPLS (LDP or RSVP-TE signaled tunnels) and GRE transport
  This scenario uses BGP to advertise the NGE helper IP address to remote NGE helpers. Remote NGE helpers can then send VPRN traffic to other NGE helpers to be processed for the associated destination SAP. This scenario uses VPRN-level NGE.
- NG-MVPN with VPRN encryption using MLDP tunnels from the NGE helper to the router
  This scenario uses a similar setup to VPRN encryption, with the difference that MLDP tunnels are also established between the NGE helper and the router where the point-to-multipoint tree branches from for the NG-MVPN service. This scenario uses VPRN-level NGE.
- T-LDP signaled Epipe or VPLS services using LDP or RSVP-TE transport tunnels
  T-LDP sessions are established from the NGE helper to the remote PEs to establish Epipe or VPLS services. The transport of these services focuses on LDP or LDP with RSVP-TE. Where GRE is possible, GRE support of VPLS or VPWS mainly uses BGP VPLS or BGP VPWS with auto-GRE SDP, because this use case is prevalent with SAR-Hm/Hmc deployments. This scenario uses SDP-level NGE.
- L2 services using BGP VPLS or BGP VPWS auto-GRE SDP
  This scenario is similar to the VPRN auto-bind scenario, except that a BGP session is used to advertise L2 routes to and from the NGE helper, where remote PEs can send GRE L2 packets encrypted with the associated NGE configuration under the pw-template context.
Configuration
NGE configuration
NGE configuration is managed by the Network Services Platform Network Functions Manager - Packet (NSP NFM-P). Operators use the NSP NFM-P to configure:
- global encryption labels
- key groups
- VPRN-level encryption – setting the inbound and outbound key groups on VPRN-based services, as shown in the VPRN or NG-MVPN using MP-BGP section
- SDP-level encryption – setting the inbound and outbound key groups on selected SDPs
- PW-template level encryption – setting the inbound and outbound key groups on selected PW templates
Group encryption configuration
In this example, the following two encryption keygroups are configured manually on NGE-1:
# on NGE-1:
configure
group-encryption
group-encryption-label 100
encryption-keygroup 1 create
keygroup-name "KG1"
security-association spi 1 authentication-key 0x1111111100000000111111110000000011111111000000001111111100000000 encryption-key 0x11111111000000001111111100000000
security-association spi 2 authentication-key 0x2222222200000000222222220000000022222222000000002222222200000000 encryption-key 0x22222222000000002222222200000000
security-association spi 3 authentication-key 0x3333333300000000333333330000000033333333000000003333333300000000 encryption-key 0x33333333000000003333333300000000
security-association spi 4 authentication-key 0x4444444400000000444444440000000044444444000000004444444400000000 encryption-key 0x44444444000000004444444400000000
active-outbound-sa 1
exit
encryption-keygroup 2 create
keygroup-name "KG2"
security-association spi 5 authentication-key 0x5555555500000000555555550000000055555555000000005555555500000000 encryption-key 0x55555555000000005555555500000000
security-association spi 6 authentication-key 0x6666666600000000666666660000000066666666000000006666666600000000 encryption-key 0x66666666000000006666666600000000
security-association spi 7 authentication-key 0x7777777700000000777777770000000077777777000000007777777700000000 encryption-key 0x77777777000000007777777700000000
security-association spi 8 authentication-key 0x8888888800000000888888880000000088888888000000008888888800000000 encryption-key 0x88888888000000008888888800000000
active-outbound-sa 5
exit
In this example, the authentication key and the encryption key are entered as cleartext. After configuration, they are never displayed in their cleartext form; the configuration overview later in this chapter shows them only in hashed form with the crypto keyword. The security parameter index (SPI) value in the security association is a node-wide unique value, so an SPI used in one keygroup cannot be reused in another keygroup on the same node.
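As an added check (example code written for this page, not Nokia's tooling or configuration), the following script parses the cleartext keygroup syntax shown above and verifies what the text requires before the keys are committed and hidden: every SPI is unique across keygroups, each active-outbound-sa names an SPI configured in its keygroup, and each key is well-formed hex of the expected size; it also flags patterned placeholder keys such as the ones in this example. Key sizes assume the SR OS defaults of AES-128 and SHA-256 (an assumption, not stated in the chapter), and the KG3 block is a constructed defective input.

```python
import re

# Constructed sample: the NGE-1 keygroup configuration from the chapter, abridged
# to two security associations per keygroup, with wrapped key lines re-joined.
NGE1_KEYGROUPS = """\
group-encryption
    group-encryption-label 100
    encryption-keygroup 1 create
        keygroup-name "KG1"
        security-association spi 1 authentication-key 0x1111111100000000111111110000000011111111000000001111111100000000 encryption-key 0x11111111000000001111111100000000
        security-association spi 2 authentication-key 0x2222222200000000222222220000000022222222000000002222222200000000 encryption-key 0x22222222000000002222222200000000
        active-outbound-sa 1
    exit
    encryption-keygroup 2 create
        keygroup-name "KG2"
        security-association spi 5 authentication-key 0x5555555500000000555555550000000055555555000000005555555500000000 encryption-key 0x55555555000000005555555500000000
        security-association spi 6 authentication-key 0x6666666600000000666666660000000066666666000000006666666600000000 encryption-key 0x66666666000000006666666600000000
        active-outbound-sa 5
    exit
"""

# Constructed defective keygroup (hypothetical KG3): spi 1 reuses an SPI that keygroup 1
# already owns, spi 9 carries a short encryption key, and active-outbound-sa names no SPI.
BAD_KEYGROUP = """\
group-encryption
    encryption-keygroup 3 create
        keygroup-name "KG3"
        security-association spi 1 authentication-key 0x9f3b4c2d7e8a1b0c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4 encryption-key 0x3c9e1a7f5b2d8e4f6a1c0b9d7e3f5a2b
        security-association spi 9 authentication-key 0x9f3b4c2d7e8a1b0c5d6e7f8091a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4 encryption-key 0x0123456789abcdef
        active-outbound-sa 10
    exit
"""

# Expected cleartext key sizes. Assumption: the keygroups use the SR OS defaults
# of AES-128 encryption (16-byte key) and SHA-256 authentication (32-byte key).
ENC_KEY_BYTES = 16
AUTH_KEY_BYTES = 32

KG_RE = re.compile(r"^\s*encryption-keygroup\s+(\d+)\s+create\b")
SA_RE = re.compile(r"^\s*security-association\s+spi\s+(\d+)\s+"
                   r"authentication-key\s+(\S+)\s+encryption-key\s+(\S+)")
ACTIVE_RE = re.compile(r"^\s*active-outbound-sa\s+(\d+)\b")


def parse_keygroups(config):
    """Return {keygroup id: {"spis": {spi: (auth_key, enc_key)}, "active": spi}}.
    Only keygroup lines are interpreted; the first "exit" inside a keygroup
    closes it (the keygroups on this page contain no nested blocks)."""
    groups, current = {}, None
    for line in config.splitlines():
        if (m := KG_RE.match(line)):
            current = int(m.group(1))
            groups[current] = {"spis": {}, "active": None}
        elif current is None:
            continue
        elif (m := SA_RE.match(line)):
            groups[current]["spis"][int(m.group(1))] = (m.group(2), m.group(3))
        elif (m := ACTIVE_RE.match(line)):
            groups[current]["active"] = int(m.group(1))
        elif line.strip() == "exit":
            current = None
    return groups


def hex_key_bytes(token):
    """Byte length of a 0x-prefixed cleartext key, or None if it is not valid hex."""
    try:
        return len(bytes.fromhex(token[2:])) if token.startswith("0x") else None
    except ValueError:
        return None


def looks_patterned(token):
    """Heuristic: two or fewer distinct hex digits (e.g. 0x1111...0000) marks a
    placeholder rather than a randomly generated key."""
    return len(set(token[2:].lower())) <= 2


def check_keygroups(config):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    seen = {}  # spi -> keygroup id, for the node-wide SPI uniqueness check
    for kg, data in sorted(parse_keygroups(config).items()):
        for spi, (auth, enc) in data["spis"].items():
            if spi in seen:
                findings.append(f"spi {spi} in keygroup {kg} already used in keygroup {seen[spi]}")
            else:
                seen[spi] = kg
            for label, key, want in (("authentication", auth, AUTH_KEY_BYTES),
                                     ("encryption", enc, ENC_KEY_BYTES)):
                got = hex_key_bytes(key)
                if got != want:
                    findings.append(f"keygroup {kg} spi {spi}: {label}-key is {got} bytes, expected {want}")
                if looks_patterned(key):
                    findings.append(f"keygroup {kg} spi {spi}: {label}-key looks like a placeholder")
        if data["active"] is None:
            findings.append(f"keygroup {kg}: no active-outbound-sa configured")
        elif data["active"] not in data["spis"]:
            findings.append(f"keygroup {kg}: active-outbound-sa {data['active']} is not a configured spi")
    return findings
```

Running check_keygroups(NGE1_KEYGROUPS + BAD_KEYGROUP) reports the eight placeholder keys of KG1 and KG2 plus the SPI collision, the short key and the dangling active-outbound-sa in KG3.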
SDP configuration
On NGE-1, LDP SDP 1 is configured with encryption keygroup 1 and RSVP SDP 3 is configured with encryption keygroup 2:
# on NGE-1:
configure
service
sdp 1 mpls create
description "LDP SDP with NGE"
far-end 192.0.2.5
ldp
keep-alive
shutdown
exit
encryption-keygroup 1 direction inbound
encryption-keygroup 1 direction outbound
no shutdown
exit
sdp 3 mpls create
description "RSVP SDP with NGE"
far-end 192.0.2.5
lsp "LSP-NGE-1-NGE-2"
keep-alive
shutdown
exit
encryption-keygroup 2 direction inbound
encryption-keygroup 2 direction outbound
no shutdown
exit
PW-template configuration
On NGE-1, PW template 2 is configured with encryption keygroup 1:
# on NGE-1:
configure
service
pw-template 2 name "2" auto-gre-sdp create
description "PW template with NGE"
vc-type vlan
split-horizon-group "SHG"
exit
encryption-keygroup 1 direction inbound
encryption-keygroup 1 direction outbound
exit
BGP configuration
BGP must be enabled on the router and the NGE helper for the following services:
- BGP VPWS with auto-GRE SDP (where NGE is configured under the pw-template context)
- BGP VPLS with auto-GRE SDP (where NGE is configured under the pw-template context)
- MP-BGP VPRN with auto-bind LDP or RSVP-TE (where NGE is configured under the vprn context)
- NG-MVPN with MLDP tunnels (where NGE is configured under the vprn context)
The figure "BGP topology for learning BGP label routes" shows the BGP topology for learning BGP label routes for these services.
The following configures BGP on PE-1 to support the NGE-1 helper function:
# on PE-1:
configure
router Base
bgp
rapid-withdrawal
group "core-RR"
family vpn-ipv4 l2-vpn mvpn-ipv4
peer-as 64496
neighbor 192.0.2.3 # RR
exit
exit
group "PE-1-NGE-1-RR"
family vpn-ipv4 l2-vpn mvpn-ipv4
cluster 192.0.2.1
peer-as 64496
neighbor 192.0.2.4 # NGE-1
exit
exit
no shutdown
exit
The following configures BGP on PE-2 to support the NGE-2 helper function:
# on PE-2:
configure
router Base
bgp
rapid-withdrawal
group "core-RR"
family vpn-ipv4 l2-vpn mvpn-ipv4
peer-as 64496
neighbor 192.0.2.3 # RR
exit
exit
group "PE-2-NGE-2-RR"
family vpn-ipv4 l2-vpn mvpn-ipv4
cluster 192.0.2.2
peer-as 64496
neighbor 192.0.2.5 # NGE-2
exit
exit
no shutdown
exit
The BGP configuration on the NGE-1 helper is as follows:
# on NGE-1:
configure
router Base
bgp
rapid-withdrawal
group "RR-PE-1"
family vpn-ipv4 l2-vpn mvpn-ipv4
peer-as 64496
neighbor 192.0.2.1 # PE-1
exit
exit
no shutdown
exit
The BGP configuration on the NGE-2 helper is as follows:
# on NGE-2:
configure
router Base
bgp
rapid-withdrawal
group "RR-PE-2"
family vpn-ipv4 l2-vpn mvpn-ipv4
peer-as 64496
neighbor 192.0.2.2 # PE-2
exit
exit
no shutdown
exit
Operators can enable PE-CE control plane functionality such as EBGP from the NGE helper to learn routes from the CE and advertise them within the VPRN. The optional configuration required for PE-CE functionality is included in this chapter.
Services configuration
VPRN or NG-MVPN using MP-BGP
For these services, NGE is configured under the vprn context.
The figure "Operation of NGE helper for MP-BGP auto-bind VPRN or NG-MVPN multicast" shows the operation of the NGE helper for MP-BGP auto-bind VPRN-based services or NG-MVPN multicast services.
VPRN SAPs are typically configured on the router; however, in this case the VPRN and VPRN SAP are configured on the NGE helper. On PE-1, a local Epipe is configured that originates from the customer-facing SAP1 and terminates on SAP-A1, connected to the access port on the NGE-1 helper. Traffic on this access port is not encrypted. In this example, Epipe 100301 is configured on PE-1 as follows:
# on PE-1:
configure
service
epipe 100301 name "Epipe-100301" customer 1 create
sap lag-1:301 create
description "toward NGE-1 VPRN 301"
no shutdown
exit
sap lag-11:301.1 create
description "toward CE"
no shutdown
exit
no shutdown
exit
The VPRN on the NGE-1 helper encrypts the traffic, so the traffic on the network port is encrypted.
On PE-1, the following network configurations are required to support encrypted services from the NGE-1 helper:
- optional RSVP-TE tunnels with fast reroute (FRR) to other remote PEs
  - If RSVP-TE tunnels are configured, then T-LDP sessions with tunneling enabled must also be configured to these same PEs. These sessions allow LDP packets from the NGE helper to use LDP to hop onto RSVP-TE tunnels.
- optional LDP, including MLDP, tunnels on core network interfaces for unicast and multicast traffic to other PEs
- BGP sessions for the VPN-IPv4 and MVPN-IPv4 address families, as described in the BGP configuration section
- LDP, including MLDP, configured on the network interface to the NGE helper
On the NGE-1 helper, configuration is minimal and includes:
- VPRN SAPN1 where, optionally, PE-CE IGP protocols can be configured to learn routes from CE-1
- VPRN NG-MVPN for multicast services
- LDP, including MLDP, on the network interface to PE-1
- BGP session for the VPN-IPv4 and MVPN-IPv4 address families, as described in the BGP configuration section
- NGE enabled on the VPRN for encrypting unicast and multicast services
In this example, the configuration of VPRN 301 on NGE-1 is as follows:
# on NGE-1:
configure
service
vprn 301 name "VPRN-301" customer 1 create
description "MP-BGP, NG MVPN, auto-bind LDP, VPRN NGE"
autonomous-system 64501
interface "toCE-1" create
address 172.16.11.2/24
sap lag-1:301 create
exit
exit
bgp-ipvpn
mpls
auto-bind-tunnel
resolution-filter
ldp
exit
resolution filter
exit
route-distinguisher 301:1
vrf-target target:301:1
no shutdown
exit
exit
bgp
group "CE"
export "exportBGP"
neighbor 172.16.11.1
family ipv4
type external
peer-as 64502
exit
exit
no shutdown
exit
pim
interface "toCE-1"
exit
rp
static
exit
bsr-candidate
shutdown
exit
rp-candidate
shutdown
exit
exit
no shutdown
exit
mvpn
auto-discovery default # default auto-discovery via BGP
c-mcast-signaling bgp
provider-tunnel
inclusive
mldp
no shutdown
exit
exit
exit
vrf-target unicast
exit
exit
encryption-keygroup 1 direction inbound
encryption-keygroup 1 direction outbound
no shutdown
exit
T-LDP signaled Epipe or VPLS services
For these services, NGE is configured under the sdp context. On NGE-1, LDP SDP 1 is configured with encryption keygroup 1 and RSVP SDP 3 is configured with encryption keygroup 2, as follows:
# on NGE-1:
configure
service
sdp 1 mpls create
description "LDP SDP with NGE"
far-end 192.0.2.5
ldp
keep-alive
shutdown
exit
encryption-keygroup 1 direction inbound
encryption-keygroup 1 direction outbound
no shutdown
exit
sdp 3 mpls create
description "RSVP SDP with NGE"
far-end 192.0.2.5
lsp "LSP-NGE-1-NGE-2"
keep-alive
shutdown
exit
encryption-keygroup 2 direction inbound
encryption-keygroup 2 direction outbound
no shutdown
exit
The figure "NGE helper for T-LDP signaled Epipe or VPLS services" shows the operation of the NGE helper for these services.
Similar to the VPRN scenario, the service SAPN1 of the Epipe or VPLS is configured on the NGE helper. On PE-1, a local Epipe is configured that originates from the customer-facing SAP1 and terminates on SAP-A1, connected to the NGE-1 helper on the access port where SAPN1 is configured. For example, Epipe 100401 toward Epipe 401 on NGE-1 is configured as follows. Similar Epipes are configured toward other services on NGE-1, such as VPLS 501 and VPLS 601.
# on PE-1:
configure
service
epipe 100401 name "Epipe-100401" customer 1 create
sap lag-1:401 create
description "toward NGE-1 Epipe 401"
no shutdown
exit
sap lag-11:401.1 create
description "toward CE"
no shutdown
exit
no shutdown
exit
On PE-1, the following network configurations are required to support encrypted services from the NGE-1 helper:
- optional RSVP-TE tunnels with FRR to other remote PEs
  - If RSVP-TE tunnels are configured, then T-LDP sessions with tunneling enabled are also configured to these same PEs. These sessions allow LDP packets from the NGE-1 helper to use LDP to hop onto RSVP-TE tunnels.
- optional LDP tunnels if RSVP-TE tunnels are not used
- LDP on each network interface to the NGE-1 helper
On the NGE-1 helper, the configuration is minimal and includes:
- Epipe or VPLS SAPN1 configured on the NGE helper
- T-LDP configured from the NGE helper to each remote PE that needs to participate in the Epipe or VPLS service
- SDPs configured on the NGE helper toward each PE that is participating in the Epipe or VPLS service
- LDP configured on the network interface
- NGE enabled on the SDPs for encrypting the Epipe or VPLS services using the SDPs
Epipe 401 is configured with LDP SDP 1, which uses encryption keygroup 1:
# on NGE-1:
configure
service
epipe 401 name "Epipe-401" customer 1 create
description "Epipe, LDP SDP, SDP NGE"
sap lag-1:401 create
no shutdown
exit
spoke-sdp 1:401 create
no shutdown
exit
no shutdown
exit
Likewise, VPLS 501 is configured with LDP SDP 1, which uses encryption keygroup 1:
# on NGE-1:
configure
service
vpls 501 name "VPLS-501" customer 1 create
description "VPLS, LDP SDP, SDP NGE"
sap lag-1:501 create
no shutdown
exit
spoke-sdp 1:501 create
no shutdown
exit
no shutdown
exit
VPLS 601 is configured with RSVP SDP 3, which uses encryption keygroup 2:
# on NGE-1:
configure
service
vpls 601 name "VPLS-601" customer 1 create
description "VPLS, RSVP SDP, SDP NGE"
sap lag-1:601 create
no shutdown
exit
mesh-sdp 3:601 create
no shutdown
exit
no shutdown
exit
BGP VPLS or BGP VPWS with auto-GRE SDP
For these services, NGE is configured under the pw-template context, as in the following example:
# on NGE-1:
configure
service
pw-template 2 name "2" auto-gre-sdp create
description "PW template with NGE"
vc-type vlan
split-horizon-group "SHG"
exit
encryption-keygroup 1 direction inbound
encryption-keygroup 1 direction outbound
exit
The figure "NGE helper for BGP VPLS or BGP VPWS using GRE SDPs with auto-GRE SDP" shows the operation of the NGE helper for BGP VPLS and BGP VPWS services that use GRE SDPs when auto-GRE SDP is configured on the associated PW template.
Similar to the VPRN scenario, the VPLS or VPWS SAPN1 is configured on the NGE-1 helper. On PE-1, a local Epipe is configured that originates from the customer-facing SAP1 and terminates on SAP-A1, connected to the NGE-1 helper. The configuration is similar to the preceding configuration of Epipe 100401 on PE-1.
On PE-1, the following network configurations are required to support encrypted services from the NGE-1 helper:
- any routing options that allow GRE packets received from the NGE helper to be routed to remote PEs
- BGP sessions for the L2-VPN address family, as described in the BGP configuration section
On the NGE-1 helper, the configuration includes:
- VPLS or VPWS SAPN1
- BGP session to PE-1 for the L2-VPN address family
- BGP VPLS or BGP VPWS using PW templates with auto-GRE SDP enabled
- NGE enabled on the PW templates for encrypting the VPLS or VPWS services using the PW templates
On NGE-1, Epipe 101 is a BGP VPWS with auto-GRE SDP. PW template 2 is configured with encryption keygroup 1. Epipe 101 is configured as follows:
# on NGE-1:
configure
service
epipe 101 name "Epipe-101" customer 1 create
description "BGP VPWS auto-gre SDP_PW template 2"
bgp
route-distinguisher 101:1
route-target export target:101:1 import target:101:1
pw-template-binding 2
exit
exit
bgp-vpws
ve-name "pe-1"
ve-id 1
exit
remote-ve-name "pe-2"
ve-id 2
exit
no shutdown
exit
sap lag-1:101 create
exit
no shutdown
exit
In a similar way, VPLS 201 is a BGP VPLS with auto-GRE SDP. PW template 2 is configured with encryption keygroup 1. VPLS 201 is configured as follows:
# on NGE-1:
configure
service
vpls 201 name "VPLS-201" customer 1 create
description "BGP VPLS auto-gre SDP_PW template 2"
bgp
route-distinguisher 201:1
route-target export target:201:1 import target:201:1
pw-template-binding 2
exit
exit
bgp-vpls
max-ve-id 10
ve-name "pe-1"
ve-id 1
exit
no shutdown
exit
sap lag-1:201 create
no shutdown
exit
no shutdown
exit
Configuration overview
Configuration on NGE-1 helper
On the NGE-1 helper, the configuration of the control plane and services for all preceding services is as follows:
#--------------------------------------------------
echo "Card Configuration"
#--------------------------------------------------
card 1
card-type iom-v
mda 1
mda-type m20-v
no shutdown
exit
mda 2
mda-type m20-v
no shutdown
exit
mda 3
mda-type m20-v
no shutdown
exit
mda 4
mda-type m20-v
no shutdown
exit
no shutdown
exit
#--------------------------------------------------
echo "Port Configuration"
#--------------------------------------------------
port 1/1/1
ethernet
mode hybrid
encap-type dot1q
exit
no shutdown
exit
port 1/1/2
ethernet
mode hybrid
encap-type dot1q
exit
no shutdown
exit
---snip---
#--------------------------------------------------
echo "LAG Configuration"
#--------------------------------------------------
lag 1
description "LAG to PE-1"
mode hybrid
encap-type dot1q
port 1/1/1
port 1/1/2
lacp active administrative-key 32768
no shutdown
exit
#--------------------------------------------------
echo "Group Encryption Configuration"
#--------------------------------------------------
group-encryption
group-encryption-label 100
encryption-keygroup 1 create
keygroup-name "KG1"
security-association spi 1 authentication-key 0x4669dcf53c34b8138a2709022ee24a9b342777047ddfa833e43a5ff9917cde901a6f76bc0cc01cb363a3a779916aa0b8 encryption-key 0x5e172b1138812340ddcdc604ea3f4214bbf7d56456cabbab018006d6ac92bc8f crypto
security-association spi 2 authentication-key 0x731da9633f8496f52a5ef240f674b4122cdea4460a24968f8591e4ba0cc713f272b2eeee6b260cb791eedf477f24ad7a encryption-key 0xe7e24975f3168fdaa9f57fcb248d2948cf8154a3915a004b261f4b4850b38e1e crypto
security-association spi 3 authentication-key 0x6c9ab2e6ff1cfa69daefd2e2d8107dc96ec5ebf49eb6cb2c75a4f0d7a122e31dd728b9ddc97e4afc31f2c971cfacea34 encryption-key 0x70590aacb24913a3f04afa38ecb929fc9c6f32dad6d4f18e891a883b08d8f806 crypto
security-association spi 4 authentication-key 0x90c67c848bdb9b7ac0c12e42390da7ea7de09002e84af569222072f6dd88a6f8e8d461c04cb044fc1d3df6997090d5a5 encryption-key 0x7cc12d7118409173905478f639d623e689e6f3137baf91abdcc843725d4d14c6 crypto
active-outbound-sa 1
exit
encryption-keygroup 2 create
keygroup-name "KG2"
security-association spi 5 authentication-key 0xae8e620a56288524d2cd210b09fad464a3214ce3ce7e79422b385e44cc896acbfb933f7ac73cd2c5fa4a683a3db75d4d encryption-key 0x97e6dee7ad9ecb03b9e726b1291f9aca88d06200bb8218fe0bf378f3b682a3a0 crypto
security-association spi 6 authentication-key 0xe62e5f59e416bbf27352a676dd21b3c7da08a126fb373c8cb7e5ec4f8b95e70f8a99cbd177f2537d4a48a4244aebf2e8 encryption-key 0x42d4424316861834a9e8a94688521a623b580c7b730d8c37aa825a0d92e9bb80 crypto
security-association spi 7 authentication-key 0xa4b7d14a16d2e93187c00eb8704001aa588e6b56927bd7a9791878da78ca6c8d7bc35d62b8de0f0774518749b257db96 encryption-key 0x7e315a24e9e1f58abbab02ace4fd9099932416e38021c9204866327b580118b0 crypto
security-association spi 8 authentication-key 0x6a1e474cf8bd552cbb28805e22962ddf1e0e13b478e74be0cabf81c4ea2903a4834d1c64e2aae60e199fac5a0c21f6fa encryption-key 0xd7082b7c5d7a7a2f7d139f8dcc9a3921422aab1001acb18346e2c63b3b9db7b8 crypto
active-outbound-sa 5
exit
exit
#--------------------------------------------------
echo "Router (Network Side) Configuration"
#--------------------------------------------------
router Base
interface "int-NGE-1-PE-1"
address 192.168.14.2/30
port lag-1:1000
no shutdown
exit
interface "system"
address 192.0.2.4/32
no shutdown
exit
autonomous-system 64496
router-id 192.0.2.4
#--------------------------------------------------
echo "OSPFv2 Configuration"
#--------------------------------------------------
ospf 0
asbr
traffic-engineering
timers
lsa-arrival 200
lsa-generate 5000 lsa-initial-wait 200 lsa-second-wait 1000
spf-wait 1000 spf-initial-wait 10 spf-second-wait 500
exit
disable-ldp-sync
area 0.0.0.0
interface "system"
no shutdown
exit
interface "int-NGE-1-PE-1"
interface-type point-to-point
no advertise-subnet
hello-interval 1
dead-interval 4
no shutdown
exit
exit
no shutdown
exit
#--------------------------------------------------
echo "PIM Configuration"
#--------------------------------------------------
pim
interface "system"
exit
interface "int-NGE-1-PE-1"
exit
rp
static
exit
bsr-candidate
shutdown
exit
rp-candidate
shutdown
exit
exit
no shutdown
exit
#--------------------------------------------------
echo "MPLS Configuration"
#--------------------------------------------------
mpls
interface "system"
no shutdown
exit
interface "int-NGE-1-PE-1"
no shutdown
exit
exit
#--------------------------------------------------
echo "RSVP Configuration"
#--------------------------------------------------
rsvp
interface "system"
no shutdown
exit
interface "int-NGE-1-PE-1"
no shutdown
exit
no shutdown
exit
#--------------------------------------------------
echo "MPLS LSP Configuration"
#--------------------------------------------------
mpls
path "path-NGE-1-NGE-2"
no shutdown
exit
lsp "LSP-NGE-1-NGE-2"
to 192.0.2.5
primary "path-NGE-1-NGE-2"
exit
no shutdown
exit
no shutdown
exit
#--------------------------------------------------
echo "LDP Configuration"
#--------------------------------------------------
ldp
import-pmsi-routes
exit
tcp-session-parameters
exit
interface-parameters
interface "int-NGE-1-PE-1" dual-stack
ipv4
no shutdown
exit
no shutdown
exit
exit
targeted-session
peer 192.0.2.5
no shutdown
exit
exit
no shutdown
exit
exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
service
sdp 1 mpls create
description "LDP SDP with NGE"
far-end 192.0.2.5
ldp
keep-alive
shutdown
exit
encryption-keygroup 1 direction inbound
encryption-keygroup 1 direction outbound
no shutdown
exit
sdp 3 mpls create
description "RSVP SDP with NGE"
far-end 192.0.2.5
lsp "LSP-NGE-1-NGE-2"
keep-alive
shutdown
exit
encryption-keygroup 2 direction inbound
encryption-keygroup 2 direction outbound
no shutdown
exit
customer 1 name "1" create
description "Default customer"
exit
pw-template 2 name "2" auto-gre-sdp create
vc-type vlan
split-horizon-group "SHG"
exit
encryption-keygroup 1 direction inbound
encryption-keygroup 1 direction outbound
exit
vprn 301 name "VPRN-301" customer 1 create
interface "toCE-1" create
exit
exit
epipe 101 name "Epipe-101" customer 1 create
description "BGP VPWS auto-gre SDP_PW template 2"
bgp
route-distinguisher 101:1
route-target export target:101:1 import target:101:1
pw-template-binding 2
exit
exit
bgp-vpws
ve-name "pe-1"
ve-id 1
exit
remote-ve-name "pe-2"
ve-id 2
exit
no shutdown
exit
sap lag-1:101 create
no shutdown
exit
no shutdown
exit
vpls 201 name "VPLS-201" customer 1 create
description "BGP VPLS auto-gre SDP_PW template 2"
bgp
route-distinguisher 201:1
route-target export target:201:1 import target:201:1
pw-template-binding 2
exit
exit
bgp-vpls
max-ve-id 10
ve-name "pe-1"
ve-id 1
exit
no shutdown
exit
stp
shutdown
exit
sap lag-1:201 create
no shutdown
exit
no shutdown
exit
vprn 301 name "VPRN-301" customer 1 create
description "MP-BGP, NG MVPN, auto-bind LDP, VPRN NGE"
autonomous-system 64501
interface "toCE-1" create
address 172.16.11.2/24
sap lag-1:301 create
exit
exit
bgp-ipvpn
mpls
auto-bind-tunnel
resolution-filter
ldp
exit
resolution filter
exit
route-distinguisher 301:1
vrf-target target:301:1
no shutdown
exit
exit
bgp
group "CE"
export "exportBGP"
neighbor 172.16.11.1
family ipv4
type external
peer-as 64502
exit
exit
no shutdown
exit
pim
interface "toCE-1"
exit
rp
static
exit
bsr-candidate
shutdown
exit
rp-candidate
shutdown
exit
exit
no shutdown
exit
mvpn
auto-discovery default
c-mcast-signaling bgp
provider-tunnel
inclusive
mldp
no shutdown
exit
exit
exit
vrf-target unicast
exit
exit
encryption-keygroup 1 direction inbound
encryption-keygroup 1 direction outbound
no shutdown
exit
epipe 401 name "Epipe-401" customer 1 create
description "Epipe, LDP SDP, SDP NGE"
sap lag-1:401 create
no shutdown
exit
spoke-sdp 1:401 create
no shutdown
exit
no shutdown
exit
vpls 501 name "VPLS-501" customer 1 create
description "VPLS, LDP SDP, SDP NGE"
stp
shutdown
exit
sap lag-1:501 create
no shutdown
exit
spoke-sdp 1:501 create
no shutdown
exit
no shutdown
exit
vpls 601 name "VPLS-601" customer 1 create
description "VPLS, RSVP SDP, SDP NGE"
stp
shutdown
exit
sap lag-1:601 create
no shutdown
exit
mesh-sdp 3:601 create
no shutdown
exit
no shutdown
exit
exit
#--------------------------------------------------
---snip---
#--------------------------------------------------
echo "Policy Configuration"
#--------------------------------------------------
policy-options
begin
policy-statement "exportBGP"
entry 10
from
protocol bgp-vpn
exit
action accept
exit
exit
exit
commit
exit
#--------------------------------------------------
echo "BGP Configuration"
#--------------------------------------------------
bgp
rapid-withdrawal
group "RR-PE-1"
family vpn-ipv4 l2-vpn mvpn-ipv4
peer-as 64496
neighbor 192.0.2.1
exit
exit
no shutdown
exit
exit
#--------------------------------------------------
Configuration on PE-1
The configuration on PE-1 is as follows:
---snip---
#--------------------------------------------------
echo "LAG Configuration"
#--------------------------------------------------
lag 1
description "LAG to NGE-1"
mode hybrid
encap-type dot1q
port 1/1/c1/3
port 1/1/c1/4
lacp passive administrative-key 1
no shutdown
exit
lag 11
description "LAG to CE-1_access"
mode access
encap-type qinq
port 1/1/c2/1
port 1/1/c2/2
lacp passive administrative-key 11
no shutdown
exit
lag 12
description "LAG to core"
mode hybrid
encap-type dot1q
port 1/1/c1/1
port 1/1/c1/2
lacp active administrative-key 12
no shutdown
exit
---snip---
#--------------------------------------------------
echo "Router (Network Side) Configuration"
#--------------------------------------------------
router Base
interface "int-PE-1-NGE-1"
address 192.168.14.1/30
port lag-1:1000
no shutdown
exit
interface "int-PE-1-core"
address 192.168.12.1/30
port lag-12:1000
no shutdown
exit
interface "system"
address 192.0.2.1/32
no shutdown
exit
autonomous-system 64496
router-id 192.0.2.1
#--------------------------------------------------
echo "OSPFv2 Configuration"
#--------------------------------------------------
ospf 0
asbr
traffic-engineering
ldp-over-rsvp # only if LDPoRSVP is used in the core
area 0.0.0.0
interface "system"
no shutdown
exit
interface "int-PE-1-core"
interface-type point-to-point
no advertise-subnet
hello-interval 1
dead-interval 4
authentication-type message-digest
message-digest-key 10 md5 "qBlAjOUBDKLgnvWaw9ifX+l6Nfo=" hash2
no shutdown
exit
interface "int-PE-1-NGE-1"
interface-type point-to-point
no advertise-subnet
hello-interval 1
dead-interval 4
no shutdown
exit
exit
no shutdown
exit
#--------------------------------------------------
echo "PIM Configuration"
#--------------------------------------------------
pim
interface "system"
exit
interface "int-PE-1-core"
exit
interface "int-PE-1-NGE-1"
exit
rp
static
exit
bsr-candidate
shutdown
exit
rp-candidate
shutdown
exit
exit
no shutdown
exit
#--------------------------------------------------
echo "MPLS Configuration"
#--------------------------------------------------
mpls
interface "system"
no shutdown
exit
interface "int-PE-1-core"
no shutdown
exit
interface "int-PE-1-NGE-1"
no shutdown
exit
exit
#--------------------------------------------------
echo "RSVP Configuration"
#--------------------------------------------------
rsvp
interface "system"
no shutdown
exit
interface "int-PE-1-core"
no shutdown
exit
interface "int-PE-1-NGE-1"
no shutdown
exit
no shutdown
exit
#--------------------------------------------------
echo "MPLS LSP Configuration"
#--------------------------------------------------
mpls
path "path-PE-1-PE-2" # only if LDPoRSVP is used in the core
no shutdown
exit
lsp "LSP-PE-1-PE-2" # only if LDPoRSVP is used in the core
to 192.0.2.2
primary "path-PE-1-PE-2"
exit
no shutdown
exit
no shutdown
exit
#--------------------------------------------------
echo "LDP Configuration"
#--------------------------------------------------
ldp
prefer-mcast-tunnel-in-tunnel
import-pmsi-routes
exit
tcp-session-parameters
exit
interface-parameters
interface "int-PE-1-core" dual-stack
ipv4
no shutdown
exit
no shutdown
exit
interface "int-PE-1-NGE-1" dual-stack
ipv4
transport-address system
no shutdown
exit
no shutdown
exit
exit
targeted-session
peer 192.0.2.2 # only if LDPoRSVP is used in the core
tunneling
lsp "LSP-PE-1-PE-2"
exit
no shutdown
exit
exit
no shutdown
exit
exit
#--------------------------------------------------
echo "Service Configuration"
#--------------------------------------------------
service
customer 1 name "1" create
multi-service-site "bras" create
exit
description "Default customer"
exit
epipe 100101 name "Epipe-100101" customer 1 create
sap lag-1:101 create
description "toward NGE-1 Epipe 101"
no shutdown
exit
sap lag-11:101.1 create
description "toward CE"
no shutdown
exit
no shutdown
exit
epipe 100201 name "Epipe-100201" customer 1 create
sap lag-1:201 create
description "toward NGE-1 VPLS 201"
no shutdown
exit
sap lag-11:201.1 create
description "toward CE"
no shutdown
exit
no shutdown
exit
epipe 100301 name "Epipe-100301" customer 1 create
sap lag-1:301 create
description "toward NGE-1 VPRN 301"
no shutdown
exit
sap lag-11:301.1 create
description "toward CE"
no shutdown
exit
no shutdown
exit
epipe 100401 name "Epipe-100401" customer 1 create
sap lag-1:401 create
description "toward NGE-1 Epipe 401"
no shutdown
exit
sap lag-11:401.1 create
description "toward CE"
no shutdown
exit
no shutdown
exit
epipe 100501 name "Epipe-100501" customer 1 create
sap lag-1:501 create
description "toward NGE-1 VPLS 501"
no shutdown
exit
sap lag-11:501.1 create
description "toward CE"
no shutdown
exit
no shutdown
exit
epipe 100601 name "Epipe-100601" customer 1 create
sap lag-1:601 create
description "toward NGE-1 VPLS 601"
no shutdown
exit
sap lag-11:601.1 create
description "toward CE"
no shutdown
exit
no shutdown
exit
exit
#--------------------------------------------------
---snip---
#--------------------------------------------------
echo "BGP Configuration"
#--------------------------------------------------
bgp
rapid-withdrawal
group "core-RR"
family vpn-ipv4 l2-vpn mvpn-ipv4
peer-as 64496
neighbor 192.0.2.3
exit
exit
group "PE-1-NGE-1-RR"
family vpn-ipv4 l2-vpn mvpn-ipv4
cluster 192.0.2.1
peer-as 64496
neighbor 192.0.2.4
exit
exit
no shutdown
exit
exit
#--------------------------------------------------
---snip---
The Epipes are the connections between the CE and the NGE helper for each service.
Verification
The following base information for each service shows that the service itself, its SAPs, and its SDP bindings are all operationally up:
*A:NGE-1# show service id 101 base
===============================================================================
Service Basic Information
===============================================================================
Service Id : 101 Vpn Id : 0
Service Type : Epipe
MACSec enabled : no
Name : Epipe-101
Description : BGP VPWS auto-gre SDP_PW template 2
Customer Id : 1 Creation Origin : manual
Last Status Change: 03/29/2023 07:23:33
Last Mgmt Change : 03/29/2023 07:23:33
Test Service : No
Admin State : Up Oper State : Up
---snip---
-------------------------------------------------------------------------------
Service Access & Destination Points
-------------------------------------------------------------------------------
Identifier Type AdmMTU OprMTU Adm Opr
-------------------------------------------------------------------------------
sap:lag-1:101 q-tag 8936 8936 Up Up
sdp:32767:4294967295 SB(192.0.2.5) BgpVpws 0 8890 Up Up
===============================================================================
*A:NGE-1# show service id 201 base
===============================================================================
Service Basic Information
===============================================================================
Service Id : 201 Vpn Id : 0
Service Type : VPLS
MACSec enabled : no
Name : VPLS-201
Description : BGP VPLS auto-gre SDP_PW template 2
Customer Id : 1 Creation Origin : manual
Last Status Change: 03/29/2023 07:21:39
Last Mgmt Change : 03/29/2023 07:23:33
Etree Mode : Disabled
Admin State : Up Oper State : Up
MTU : 1514
SAP Count : 1 SDP Bind Count : 1
---snip---
-------------------------------------------------------------------------------
Service Access & Destination Points
-------------------------------------------------------------------------------
Identifier Type AdmMTU OprMTU Adm Opr
-------------------------------------------------------------------------------
sap:lag-1:201 q-tag 8936 8936 Up Up
sdp:32766:4294967294 SB(192.0.2.5) BgpVpls 0 8890 Up Up
===============================================================================
*A:NGE-1# show service id 301 base
===============================================================================
Service Basic Information
===============================================================================
Service Id : 301 Vpn Id : 0
Service Type : VPRN
MACSec enabled : no
Name : VPRN-301
Description : MP-BGP, NG MVPN, auto-bind LDP, VPRN NGE
Customer Id : 1 Creation Origin : manual
Last Status Change: 03/29/2023 07:21:39
Last Mgmt Change : 03/29/2023 07:21:39
Admin State : Up Oper State : Up
---snip---
SAP Count : 1 SDP Bind Count : 0
-------------------------------------------------------------------------------
Service Access & Destination Points
-------------------------------------------------------------------------------
Identifier Type AdmMTU OprMTU Adm Opr
-------------------------------------------------------------------------------
sap:lag-1:301 q-tag 8936 8936 Up Up
===============================================================================
*A:NGE-1# show service id 401 base
===============================================================================
Service Basic Information
===============================================================================
Service Id : 401 Vpn Id : 0
Service Type : Epipe
MACSec enabled : no
Name : Epipe-401
Description : Epipe, LDP SDP, SDP NGE
Customer Id : 1 Creation Origin : manual
Last Status Change: 03/29/2023 07:22:05
Last Mgmt Change : 03/29/2023 07:21:39
Test Service : No
Admin State : Up Oper State : Up
MTU : 1514
Vc Switching : False
SAP Count : 1 SDP Bind Count : 1
---snip---
-------------------------------------------------------------------------------
Service Access & Destination Points
-------------------------------------------------------------------------------
Identifier Type AdmMTU OprMTU Adm Opr
-------------------------------------------------------------------------------
sap:lag-1:401 q-tag 8936 8936 Up Up
sdp:1:401 S(192.0.2.5) Spok 0 8910 Up Up
===============================================================================
*A:NGE-1# show service id 501 base
===============================================================================
Service Basic Information
===============================================================================
Service Id : 501 Vpn Id : 0
Service Type : VPLS
MACSec enabled : no
Name : VPLS-501
Description : VPLS, LDP SDP, SDP NGE
Customer Id : 1 Creation Origin : manual
Last Status Change: 03/29/2023 07:21:39
Last Mgmt Change : 03/29/2023 07:21:39
Etree Mode : Disabled
Admin State : Up Oper State : Up
MTU : 1514
SAP Count : 1 SDP Bind Count : 1
---snip---
-------------------------------------------------------------------------------
Service Access & Destination Points
-------------------------------------------------------------------------------
Identifier Type AdmMTU OprMTU Adm Opr
-------------------------------------------------------------------------------
sap:lag-1:501 q-tag 8936 8936 Up Up
sdp:1:501 S(192.0.2.5) Spok 0 8910 Up Up
===============================================================================
*A:NGE-1# show service id 601 base
===============================================================================
Service Basic Information
===============================================================================
Service Id : 601 Vpn Id : 0
Service Type : VPLS
MACSec enabled : no
Name : VPLS-601
Description : VPLS, RSVP SDP, SDP NGE
Customer Id : 1 Creation Origin : manual
Last Status Change: 03/29/2023 07:21:39
Last Mgmt Change : 03/29/2023 07:21:39
Etree Mode : Disabled
Admin State : Up Oper State : Up
MTU : 1514
SAP Count : 1 SDP Bind Count : 1
---snip---
-------------------------------------------------------------------------------
Service Access & Destination Points
-------------------------------------------------------------------------------
Identifier Type AdmMTU OprMTU Adm Opr
-------------------------------------------------------------------------------
sap:lag-1:601 q-tag 8936 8936 Up Up
sdp:3:601 M(192.0.2.5) Mesh 0 8910 Up Up
===============================================================================
The following command shows the encryption keygroup 1 with the associated SDPs: SDP 1 is configured manually, SDP 32767 is auto-provisioned by BGP-VPWS in Epipe 101, and SDP 32766 by BGP-VPLS in VPLS 201.
*A:NGE-1# show group-encryption encryption-keygroup 1
===============================================================================
Encryption Keygroup Configuration Detail
===============================================================================
Keygroup Id : 1
Keygroup Name : KG1
Description : None
Authentication Algo: sha256
Encryption Algo : aes128
Active Outbound SA : 1
Activation Time : 03/29/2023 09:14:59
-------------------------------------------------------------------------------
Security Associations
-------------------------------------------------------------------------------
Spi : 1
Install Time : 03/29/2023 09:14:59
Key CRC : 0xf57dcffc
Spi : 2
Install Time : 03/29/2023 09:14:59
Key CRC : 0x26134d07
Spi : 3
Install Time : 03/29/2023 09:14:59
Key CRC : 0xde19ce91
Spi : 4
Install Time : 03/29/2023 09:14:59
Key CRC : 0x5bbf4eb0
-------------------------------------------------------------------------------
Encryption Keygroup Forwarded Statistics
-------------------------------------------------------------------------------
Encrypted Pkts : 164 Encrypted Bytes : 15624
Decrypted Pkts : 149 Decrypted Bytes : 14204
-------------------------------------------------------------------------------
Encryption Keygroup Outbound Discarded Statistics (Pkts)
-------------------------------------------------------------------------------
Total Discard : 0 Other : 0
-------------------------------------------------------------------------------
Encryption Keygroup Inbound Discarded Statistics (Pkts)
-------------------------------------------------------------------------------
Total Discard : 0 Invalid Spi : 0
Authentication Failure *: 0 Padding Error : 0
Other : 0
---------------------------------------------------------------
SDP Keygroup Association Table
---------------------------------------------------------------
SDP ID Direction
---------------------------------------------------------------
1 Inbound Outbound
32766 Inbound Outbound
32767 Inbound Outbound
---------------------------------------------
Inbound Keygroup SDP Association Count: 3
Outbound Keygroup SDP Association Count: 3
---------------------------------------------------------------
---------------------------------------------------------------
VPRN Keygroup Association Table
---------------------------------------------------------------
VPRN SVC ID Direction
---------------------------------------------------------------
301 Inbound Outbound
---------------------------------------------
Inbound Keygroup VPRN Association Count: 1
Outbound Keygroup VPRN Association Count: 1
---------------------------------------------------------------
-------------------------------------------------------------------------------
Network Interface Association Table
-------------------------------------------------------------------------------
No entries found
-------------------------------------------------------------------------------
Wlan-GW Keygroup Association Table
-------------------------------------------------------------------------------
No entries found
===============================================================================
* indicates that the corresponding row element may have been truncated.
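The two verification steps above (per-service state and keygroup detail) are easy to eyeball on one helper, but an operator running several NGE helpers will want them scripted. The following Python is an added example, not code from the Nokia documentation or from SR OS: it parses the column layout of `show service id <n> base` and `show group-encryption encryption-keygroup <n>` as shown on this page and reports anything a reviewer would want to see, such as a SAP or SDP binding that is not Up/Up, an active outbound SA that does not match an installed SPI, inbound discards due to invalid SPIs or authentication failures, and an SDP or VPRN that is associated with the keygroup in only one direction. The sample outputs are constructed (not captured from a node), and the allowed-algorithm lists are an assumed local policy.

```python
"""Post-deployment checks over SR OS 'show service id <n> base' and
'show group-encryption encryption-keygroup <n>' output.

Added example; not code from the Nokia documentation or from SR OS.
It assumes the column layout shown on the page and uses constructed
sample outputs (not captured from a real node)."""
import re

# Constructed sample: a service whose SDP binding is operationally down.
SERVICE_BASE = """\
Service Id        : 401                 Vpn Id            : 0
Service Type      : Epipe
Admin State       : Up                  Oper State        : Up
-------------------------------------------------------------------------------
Identifier                               Type         AdmMTU  OprMTU  Adm  Opr
-------------------------------------------------------------------------------
sap:lag-1:401                            q-tag        8936    8936    Up   Up
sdp:1:401 S(192.0.2.5)                   Spok         0       8910    Up   Down
===============================================================================
"""

# Constructed sample: keygroup whose active outbound SA points at an SPI that
# is not installed, with inbound invalid-SPI discards and a one-way SDP.
KEYGROUP = """\
Keygroup Id         : 1
Authentication Algo : sha256
Encryption Algo     : aes128
Active Outbound SA  : 5
-------------------------------------------------------------------------------
Security Associations
-------------------------------------------------------------------------------
Spi                 : 1
Install Time        : 03/29/2023 09:14:59
Key CRC             : 0xf57dcffc
Spi                 : 2
Install Time        : 03/29/2023 09:14:59
Key CRC             : 0x26134d07
-------------------------------------------------------------------------------
Encryption Keygroup Inbound Discarded Statistics (Pkts)
-------------------------------------------------------------------------------
Total Discard       : 3                 Invalid Spi       : 3
Authentication Failure *: 0             Padding Error     : 0
Other               : 0
---------------------------------------------------------------
SDP Keygroup Association Table
---------------------------------------------------------------
SDP ID     Direction
---------------------------------------------------------------
1          Inbound Outbound
32767      Outbound
---------------------------------------------
Inbound Keygroup SDP Association Count: 1
Outbound Keygroup SDP Association Count: 2
---------------------------------------------------------------
VPRN Keygroup Association Table
---------------------------------------------------------------
VPRN SVC ID  Direction
---------------------------------------------------------------
301        Inbound Outbound
---------------------------------------------
"""

_DIR_LINE = re.compile(r"^\s*(\d+)\s+((?:Inbound|Outbound)(?:\s+(?:Inbound|Outbound))?)\s*$", re.M)


def _field(text, label):
    """Value after 'label :' (tolerates the '*' truncation marker before the colon)."""
    m = re.search(re.escape(label) + r"\s*\*?\s*:\s*(\S+)", text)
    return m.group(1) if m else None


def _associations(text, table_title):
    """Map of service/SDP id -> set of directions from one association table."""
    start = text.find(table_title)
    if start < 0:
        return {}
    body = text[start + len(table_title):]
    end = body.find("Association Table")      # stop at the next table, if any
    body = body[:end] if end >= 0 else body
    return {int(m.group(1)): set(m.group(2).split()) for m in _DIR_LINE.finditer(body)}


def parse_service(text):
    """Service admin/oper state plus (identifier, Adm, Opr) for each SAP and SDP binding."""
    m = re.search(r"Admin State\s*:\s*(\S+)\s+Oper State\s*:\s*(\S+)", text)
    endpoints = []
    for line in text.splitlines():
        if line.startswith(("sap:", "sdp:")):
            parts = line.split()            # Adm and Opr are the last two columns
            endpoints.append((parts[0], parts[-2], parts[-1]))
    return {"admin": m.group(1) if m else None,
            "oper": m.group(2) if m else None, "endpoints": endpoints}


def service_findings(text):
    svc = parse_service(text)
    findings = [] if svc["oper"] == "Up" else [f"service oper state is {svc['oper']}"]
    findings += [f"{ident} is {adm}/{opr}" for ident, adm, opr in svc["endpoints"]
                 if adm != "Up" or opr != "Up"]
    return findings


def parse_keygroup(text):
    return {
        "enc": _field(text, "Encryption Algo"),
        "auth": _field(text, "Authentication Algo"),
        "active_spi": int(_field(text, "Active Outbound SA") or 0),
        "spis": [int(s) for s in re.findall(r"^\s*Spi\s*:\s*(\d+)", text, re.M)],
        "invalid_spi": int(_field(text, "Invalid Spi") or 0),
        "auth_fail": int(_field(text, "Authentication Failure") or 0),
        "padding_err": int(_field(text, "Padding Error") or 0),
        "sdp": _associations(text, "SDP Keygroup Association Table"),
        "vprn": _associations(text, "VPRN Keygroup Association Table"),
    }


def keygroup_findings(text, allowed_enc=("aes128", "aes256"), allowed_auth=("sha256", "sha512")):
    """Assumed local policy: only the listed algorithms are acceptable."""
    kg, findings = parse_keygroup(text), []
    if kg["enc"] not in allowed_enc:
        findings.append(f"encryption algorithm {kg['enc']} not allowed")
    if kg["auth"] not in allowed_auth:
        findings.append(f"authentication algorithm {kg['auth']} not allowed")
    if kg["active_spi"] not in kg["spis"]:
        findings.append(f"active outbound SA {kg['active_spi']} is not an installed SPI {kg['spis']}")
    for name in ("invalid_spi", "auth_fail", "padding_err"):
        if kg[name] > 0:
            findings.append(f"inbound discards: {name}={kg[name]}")
    for kind in ("sdp", "vprn"):
        for sid, dirs in sorted(kg[kind].items()):
            if dirs != {"Inbound", "Outbound"}:   # encrypting in one direction only
                findings.append(f"{kind} {sid} keygroup association is one-way: {' '.join(sorted(dirs))}")
    return findings


if __name__ == "__main__":
    for line in service_findings(SERVICE_BASE) + keygroup_findings(KEYGROUP):
        print("FINDING:", line)
```

Feed it the real command output (for example, captured over SSH) in place of the constructed strings; an empty findings list for every service and keygroup corresponds to the healthy state shown in the outputs above, where every SAP and SDP binding is Up/Up, the active outbound SA is one of the installed SPIs, all inbound discard counters are zero, and every SDP and VPRN is associated both Inbound and Outbound.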
Conclusion
NGE is a security solution for encrypting traffic flows on a per-service basis. The NGE helper extends the NGE solution to 7750 SR and 7950 XRS platforms where larger core and PE nodes are required to participate with other NGE-capable nodes.