Configuring NGE with CLI
NGE is fully managed by the NSP NFM-P. The NSP NFM-P ensures correct network synchronization of key groups, services, and NGE domains. Managing NGE without the NSP NFM-P is not recommended. See the NSP NFM-P User Guide for more information.
This section provides information about configuring NGE using the command line interface.
Basic NGE configuration overview
- Configure the group encryption label. The label must be unique, and the same label must be used on all nodes in the network group.
-
Create a key group, duplicating this configuration on all nodes participating
in this key group.
- Configure the encryption and authentication algorithms for the group.
- Configure a security association (SA) that contains the encryption and authentication keys.
- Configure the active outbound SA for the group.
-
Select the SDPs, VPRN services, or router interfaces that require
encryption.
- For each SDP, VPRN service, or router interface, configure the outbound direction key group.
- For each SDP, VPRN service, or router interface, configure the inbound direction key group.
Configuring NGE components
Use the CLI syntax in the subsequent sections to configure NGE.
Configuring the global encryption label
The global encryption label is the network-wide, unique MPLS encryption label used for all nodes in the network group. The same encryption label must be configured on each node in the group.
Use the following command to configure the global encryption label.
configure group-encryption group-encryption-label
Configuring a key group
To configure a key group, set the following command options:
-
encryption and authentication algorithms
-
security association
-
active outbound SA
The authentication and encapsulation keys must contain the exact number of hexadecimal characters required by the algorithm used. For example, using sha256 requires 64 hexadecimal characters.
Keys are entered in cleartext using the following command:
configure group-encryption encryption-keygroup security-associationOnce entered, keys are never displayed in their original, clear text form. Keys are displayed in an encrypted form, which is indicated by the system-appended crypto keyword when an info command is run.
The NGE node also includes the crypto keyword with an admin save operation so that the NGE node can decrypt the keys when reloading a configuration database. For security reasons, keys encrypted on one node are not usable on other nodes (that is, keys are not exchangeable between nodes).
Use the commands in the following context to configure key group options.
configure group-encryption encryption-keygroupThe following example displays the key group configuration.
MD-CLI
[ex:/configure group-encryption]
A:admin@node-2# info detail
group-encryption-label 34
encryption-keygroup 2 {
description "Main_secure_KG"
keygroup-name "KG1_secure"
authentication-algorithm sha256
encryption-algorithm aes128
active-outbound-security-association 6
security-association 2 {
authentication-key "0XLyKVjy88fjyz0FGgpoklHAPB8344vN42vv6LMy5Zy1e08aiZe2CLaLstrqXQaw" hash2
encryption-key "bxYkRG2enIPs85zNMSDhX1BzGMaro8TAIFrwcysTRf8= hash2"
}
security-association 6 {
authentication-key "RmzyeCJNICozfGXXQ4jfBQ1zRbW6nf5GcjTuCYSjQCAri1ufVhABj9NoZqcmtwb8" hash2
encryption-key "jWYIDREOTd3jeViBBprxGQ4Dixn87UypaM1dNosk7Iw= hash2"
}
}
classic CLI
A:node-2>config>grp-encryp# info detail
----------------------------------------------
group-encryption-label 34
encryption-keygroup 2 create
description "Main_secure_KG"
keygroup-name "KG1_secure"
esp-auth-algorithm sha256
esp-encryption-algorithm aes128
security-association spi 2 authentication-
key 0x78d9e66a6669bd17454fe3184 ee161315b67adb8912949ceda20b6b741eb63604abe17de478e2
4723a7d1d5f7b6ffafc encryption-
key 0x8d51db8f826239f672457442cecc73665f52cbe00aedfb4eda6166001247b4eb crypto
security-association spi 6 authentication-key 0x7fb9fc5553630924ee29973f
7b0a48f801b0ae1cb38b7666045274476a268e8d694ab6aa7ea050b7a43cdf8d80977625 encryption-
key 0x72bd9b87841dbebcb2d114031367ab5d9153a41b7c79c8f889ac56b950d8fffa crypto
active-outbound-sa 6
exit
----------------------------------------------Assigning a key group to an SDP, VPRN service, PW template, or WLAN-GW group interface
A key group can be assigned to the following entities:
-
SDPs
-
VPRNs
-
PW templates
-
WLAN-GW group interface
NGE supports encrypting the following services when key groups are assigned to an SDP, VPRN service, PW template, or WLAN-GW group interface:
-
VLL services (Epipe or BGP-VPWS)
-
VPRN service using Layer 3 spoke-SDP termination
-
IES service using Layer 3 spoke-SDP termination
-
VPLS service using spoke and mesh SDPs
-
routed VPLS service into a VPRN or IES
-
MP-BGP-based VPRNs
-
BGP-VPLS and BGP-VPWS with an auto-created GRE SDP
For services that use SDPs, all tunnels may be either MPLS LSPs (RSVP-TE, LDP, or static LSP), or GRE or MPLSoUDP tunnels.
For MP-BGP services, resolving routes using spoke SDPs or auto-bind SDPs is supported using LDP, GRE, RSVP-TE, or segment routing (SR-ISIS, SR-OSPF, or SR-TE).
Use the following commands to assign a key group to an SDP, VPRN service, or PW template:
- MD-CLI
configure service pw-template encryption-keygroup inbound configure service pw-template encryption-keygroup outbound configure service vprn subscriber-interface group-interface wlan-gw group-encryption encryption-keygroup-inbound configure service vprn subscriber-interface group-interface wlan-gw group-encryption encryption-keygroup-outbound - classic
CLI
configure service sdp encryption-keygroup direction {inbound | outbound} configure service vprn encryption-keygroup direction {inbound | outbound} configure service pw-template encryption-keygroup direction {inbound | outbound} configure service vprn subscriber-interface group-interface wlan-gw group-encryption encryption-keygroup direction {inbound | outbound}
tools perform service eval-pw-template allow-service-impact