Configuration commands
anysec
Syntax
anysec
Context
config
Description
This command enables the context to configure ANYsec commands.
Default
n/a
mka-over-ip
Syntax
mka-over-ip
Context
config>anysec
Description
This command enables the context to configure the MACsec Key Agreement (MKA) over IP.
Default
n/a
mka-udp-port
Syntax
mka-udp-port port
no mka-udp-port
Context
config>anysec>mka-over-ip
Description
This command configures the UDP port that identifies the MKA packet on the system.
Nokia recommends configuring the same UDP port network wide, and ensuring that the port is not used by any other protocol in the network so that MKA packets are unambiguously identified.
The no form of this command removes the configured UDP port.
Default
no mka-udp-port
Parameters
- port
- the UDP port that identifies the MKA packet
reserved-label-block
Syntax
reserved-label-block name
no reserved-label-block
Context
config>anysec
Description
This command assigns an existing label block reserved for ANYsec encryption SIDs. The label block must have been configured with the config>router>mpls-labels>reserved-label-block command. Without the reserved label block, ANYsec cannot assign encryption SIDs.
The encryption SID uniquely identifies the encrypting node within the network and prevents double encryption. An encryption SID can be assigned per encryption group, but all encryption groups on a node may share the same encryption SID.
To save label space, Nokia recommends limiting the number of encryption SIDs within a network.
The no form of this command removes the reserved label block.
Default
no reserved-label-block
Parameters
- name
- specifies the name of an existing reserved label block to use
security-termination-policies
Syntax
security-termination-policies
Context
config>anysec
Description
This command enables the context to configure local security termination policies.
Default
n/a
policy
Syntax
policy policy-name [create]
no policy policy-name
Context
config>anysec>sec-term-pols
Description
This command configures an ANYsec security termination policy for locally terminating tunnels.
The no form of this command removes the security termination policy.
Default
no policy
Parameters
- policy-name
- the local security termination policy name, up to 32 characters
- create
-
keyword required when first creating the policy. When the policy is created, you can navigate into the context without the create keyword.
igp-instance-id
Syntax
igp-instance-id id
Context
config>anysec>sec-term-pols>policy
config>anysec>tnl-enc>enc-grp>peer-tnl-attrs
Description
This command configures the IGP instance ID.
For security termination policies, the IGP instance ID must match the IGP instance that the incoming encrypted LSP was signaled on.
For tunnel encryption, the IGP instance ID must match the IGP instance that the outgoing LSP is signaled on; otherwise ANYsec does not encrypt the LSP.
Default
igp-instance-id 0
Parameters
- id
- the IGP instance used to tunnel packets for the session.
local-address
Syntax
local-address ip-address | ipv6-address
no local-address
Context
config>anysec>sec-term-pols>policy
Description
This command configures the local IPv4 or IPv6 address of the system IP or loopback interface whose node SID terminates the tunnel. Incoming LSPs to this node SID are identified as ANYsec tunnels, and the datapath is programmed to decrypt them.
The no form of this command removes the IP address that is associated with ANYsec decryption.
Default
no local-address
Parameters
- ip-address
- the IPv4 address of the local address
- ipv6-address
- the IPv6 address of the local address
protocol
Syntax
protocol protocol
Context
config>anysec>sec-term-pols>policy
Description
This command configures a routing protocol that is used to advertise the node SID of the incoming tunnel.
Default
protocol sr-isis
Parameters
- protocol
- the protocol name to match on
rx-must-be-encrypted
Syntax
[no] rx-must-be-encrypted
Context
config>anysec>sec-term-pols>policy
Description
This command specifies whether traffic received for the tunnels matched by this policy that is not secured using ANYsec is dropped.
When the command is enabled, all arriving traffic that is not secured using ANYsec is dropped, so a peer that falls back to clear text cannot inject traffic into the tunnel.
The no form of the command accepts all traffic received for the tunnel, whether or not it is secured by ANYsec.
Default
no rx-must-be-encrypted
shutdown
Syntax
[no] shutdown
Context
config>anysec>sec-term-pols>policy
Description
This command places the tunnel in an operationally down state, causing traffic to drop but leaving ANYsec enabled.
The no form of this command places the tunnel in an operationally up state.
Default
shutdown
tunnel-encryption
Syntax
tunnel-encryption
Context
config>anysec
Description
This command enables the context to configure tunnel encryption.
Default
n/a
encryption-group
Syntax
encryption-group group-name [create]
no encryption-group group-name
Context
config>anysec>tnl-enc
Description
This command creates an encryption group.
An encryption group is a group of LSPs that use the same CA and the same pre-shared keys (PSKs). The PSK protects the secure association key (SAK) when MKA distributes it to the other peers.
The no form of the command removes the encryption group.
Default
no encryption-group
Parameters
- group-name
- the encryption group name, up to 32 characters
- create
-
keyword required when first creating the encryption group. When the encryption group is created, you can navigate into the context without the create keyword.
ca-name
Syntax
ca-name ca-name
no ca-name
Context
config>anysec>tnl-enc>enc-grp
Description
This command assigns an existing CA to be used for this encryption group. The CA must have been configured for ANYsec with the config>macsec>connectivity-association>anysec command.
The no form of this command removes the CA.
Default
no ca-name
Parameters
- ca-name
- specifies the name of an existing ANYsec CA to use
encryption-label
Syntax
encryption-label label
no encryption-label
Context
config>anysec>tnl-enc>enc-grp
Description
This command configures the encryption label (encryption SID) for the encryption group.
The encryption SID uniquely identifies the encrypting node within the network and prevents double encryption. An encryption SID can be assigned per encryption group; to save label space, Nokia recommends limiting the number of encryption SIDs in the network. The label must come from the block assigned with the reserved-label-block command under the anysec context.
The encryption SID is pushed at the bottom of the label stack with the S bit set when no entropy label is present. When an entropy label is present, the entropy label is at the bottom of the stack and carries the S bit instead of the encryption SID.
The no form of this command removes the encryption group label.
Default
no encryption-label
Parameters
- label
- specifies the encryption group label ID
peer
Syntax
peer ip-address | ipv6-address [create]
no peer ip-address | ipv6-address
Context
config>anysec>tnl-enc>enc-grp
Description
This command configures the IPv4 or IPv6 address of the peer's node SID that is part of this encryption group.
This configuration identifies the peer's segment routing node SID and programs the datapath for encryption of the LSP. When the label stack is downloaded, the encryption SID is also included at the bottom of the stack with the S bit set if there is no entropy label present. If the entropy label is present, it will be at the bottom of the label stack and the S bit will be set on the entropy label instead of the encryption SID.
The no form of this command removes the peer's node SID from the ANYsec configuration; the LSP to that peer is no longer encrypted and its traffic is transmitted in clear text.
Default
no peer
Parameters
- ip-address
- the IPv4 address of the peer's node SID
- ipv6-address
- the IPv6 address of the peer's node SID
- create
-
keyword required when first configuring the IPv4 or IPv6 address of the peer's node SID. When the peer is configured, you can navigate into the context without the create keyword.
shutdown
Syntax
[no] shutdown
Context
config>anysec>tnl-enc>enc-grp>peer
Description
This command shuts down ANYsec encryption to the peer.
While ANYsec is shut down to the peer, traffic on the LSP to that peer is forwarded in clear text.
The no form of this command enables ANYsec encryption to the peer.
Default
shutdown
peer-tunnel-attributes
Syntax
peer-tunnel-attributes
Context
config>anysec>tnl-enc>enc-grp
Description
This command enters the context to configure the peer tunnel attributes.
Tunnel attributes are used to match and identify the outgoing tunnels to encrypt with ANYsec. One set of tunnel attributes applies to all peers in the encryption group. Because an LSP is unidirectional, the outgoing tunnel can have different attributes from the incoming tunnel, which is matched by the security termination policy instead.
Default
n/a
protocol
Syntax
protocol protocol
Context
config>anysec>tnl-enc>enc-grp>peer-tnl-attrs
Description
This command configures the routing protocol that advertises the node SID of the outgoing tunnel.
Default
protocol sr-isis
Parameters
- protocol
- the protocol name to match on
security-termination-policy
Syntax
security-termination-policy policy
no security-termination-policy
Context
config>anysec>tnl-enc>enc-grp
Description
This command assigns an existing local security termination policy to the encryption group. The policy, configured under config>anysec>security-termination-policies, identifies the incoming tunnels to decrypt.
The no form of this command removes the security termination policy.
Default
no security-termination-policy
Parameters
- policy
- the local security termination policy name, up to 32 characters
shutdown
Syntax
[no] shutdown
Context
config>anysec>tnl-enc>enc-grp
Description
This command shuts down ANYsec on the encryption group.
While ANYsec is shut down, traffic on all LSPs in the encryption group is forwarded in clear text.
The no form of this command enables ANYsec encryption for the encryption group.
Default
shutdown
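The following configuration ties the commands above together on one node. It is an added example, not configuration from the Nokia documentation: the label range, UDP port, CA name, policy and group names, encryption label and addresses are assumed values, and the MACsec connectivity association is shown only as far as the anysec command that this page requires (its cipher suite and pre-shared key are not shown). The reserved-label-block syntax under config>router>mpls-labels is also an assumption about that command, which this page references but does not document.

```text
configure
    router
        mpls-labels
            # Assumed syntax: a dedicated label range for ANYsec encryption SIDs.
            reserved-label-block "anysec-sids" start-label 30000 end-label 30099
        exit
    exit
    macsec
        connectivity-association "anysec-ca" create
            # Marks the CA for ANYsec use; cipher suite and PSK configuration omitted.
            anysec
        exit
    exit
    anysec
        mka-over-ip
            # Assumed port value; use the same port on every node and
            # make sure no other protocol uses it.
            mka-udp-port 5120
        exit
        # Without this, encryption-label below cannot be assigned.
        reserved-label-block "anysec-sids"
        security-termination-policies
            policy "pe1-terminate" create
                # Node SID address of this node; incoming LSPs to it are decrypted.
                local-address 10.0.0.1
                protocol sr-isis
                igp-instance-id 0
                # Drop any clear-text traffic arriving on the terminated tunnel.
                rx-must-be-encrypted
                # Default is shutdown; the policy must be enabled explicitly.
                no shutdown
            exit
        exit
        tunnel-encryption
            encryption-group "core-eg" create
                ca-name "anysec-ca"
                # Encryption SID taken from the reserved label block.
                encryption-label 30001
                security-termination-policy "pe1-terminate"
                peer-tunnel-attributes
                    # Must match the IGP instance the outgoing LSP is signaled on.
                    protocol sr-isis
                    igp-instance-id 0
                exit
                # Node SID address of the remote PE; its LSP is encrypted.
                peer 10.0.0.2 create
                    no shutdown
                exit
                # Both the peer and the group default to shutdown (clear text).
                no shutdown
            exit
        exit
    exit
```

Note that three shutdown defaults have to be cleared (policy, peer and encryption group) before any traffic is encrypted; leaving any of them at the default silently forwards the LSP in clear text. The mirror-image configuration on the peer (local-address 10.0.0.2, peer 10.0.0.1, and its own encryption label) is needed because each LSP direction is matched separately.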