NGE domains

NGE domain overview

An NGE domain is a group of L3 router interfaces, L2 Ethernet ports, or both, enabled for NGE. The domain is configured on a key group.

An NGE domain has the following components:

When NGE is configured, an interface can receive unencrypted packets or NGE encrypted packets from any configured key group on the NE, but no other type of IPsec formatted packet is allowed. If an IPsec packet is received on an NGE-enabled interface, it will not pass NGE authentication and will be dropped. Therefore, IPsec packets are prohibited from existing within the NGE domain without first being converted to an NGE packet. This delineates the boundary of the NGE domain and other IPsec services.

The maximum number of domains per network is 64. The domains can be in the same key group or distributed across multiple key groups.

NGE domain sites

When two or more sites are added to the domain, the NFM-P performs an auto-population: L3 router interfaces are added if their addresses are in the same subnet as interfaces already in the domain, and L2 Ethernet ports are added based on the router interfaces. If the L2 Ethernet port associated to the L3 router interface has a LAG, all member ports will be added to the domain.

Cellular interfaces on 7705 SAR-Hm NEs are populated when the site is added to the domain, regardless of subnet.

Ports and interfaces can also be added, encrypted, and deleted manually.

A port or interface cannot be added to more than one domain.

The following domain site encryption statuses are supported:

NGE discovery

The NFM-P can add undiscovered NEs directly into an NGE domain. ACL IP exception filter policies are created automatically by the NFM-P and applied to a gateway interface to allow for NE discovery. A device discovery rule must be available; see Workflow for device discovery.

The NGE discovery process creates inbound and outbound ACL IP exception filters on the gateway NE. If the NSP server is restarted or switched to a secondary server during the NGE discovery process, the exception filters will become invalid and NGE discovery will fail. The NGE discovery process must be initiated again after the switchover or restart is completed. The NGE discovery process will be recovered from the failure state and the process will continue.

It is possible to delete a gateway interface during the NGE discovery process. The NGE discovery will continue but the ACL IP exception filter entries will not be removed automatically by the NFM-P after encryption has been enabled. You must manually delete the exception filter entries to resume traffic between the NFM-P and the encrypted NEs. The exception filter to be deleted will have the IP address of the site most recently managed using NGE discovery as its Destination IP or Source IP. See To configure an ACL IP exception filter policy.

L3 router interface encryption

Encryption for L3 interfaces in the NGE domain are configured with an inbound and an outbound key group: outbound packets are encrypted using the interface key group; inbound packets must be encrypted using the interface key group keys.

A security zone and NGE cannot be applied to the same interface.

L3 encryption exemption

It may be necessary for L3 packets to enter the NGE domain in clear text. To allow this, the NFM-P applies an ACL IP exception filter. See Filter policies for more information about filter policies.

L2 Ethernet port encryption

L2 encryption is configured on the Ethernet port. When L2 encryption is configured, all configured IS-IS and LLDP packets are encrypted using NGE.

L2 NGE encryption is enabled by configuring an outbound and inbound key group on the Ethernet port, similar to assigning key groups for router interface encryption, as described in L3 router interface encryption.

L2 Ethernet port encryption is not supported for VSR or 7705 SAR-Hm NEs.