NGE management tasks

This section describes NGE management tasks.

Modifying a key group

When modifying a key group, observe the following conditions:

  • The encryption or authentication algorithm for a key group cannot be changed if there are any SAs in the key group.

  • The active outgoing SA must be removed (deconfigured) before the SPI can be deleted from the SA list in the key group.

  • Before the outgoing SA can be deconfigured, the key group must be removed from all services on the node that use the key group.

In the following example, the active outgoing SA is deconfigured, the SAs are removed, and the encryption algorithm is changed. Then the SAs are reconfigured, followed by reconfiguration of the active outgoing SA.

MD-CLI

[ex:/configure group-encryption encryption-keygroup]
A:admin@node-2# delete active-outbound-security-association
            delete security-association
            esp-encryption-algorithm
            security-association authentication-key encryption-key
            active-outbound-security-association 

classic CLI

A:node-2>config>grp-encryp encryption-keygroup 
            no active-outbound-sa
            no security-association spi
            esp-encryption-algorithm
            security-association spi authentication-key encryption-key
            active-outbound-sa 
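
A pre-change check for the ordering conditions listed under "Modifying a key group", as an added example (not Nokia code and not part of the original page): it replays a planned classic CLI sequence against a simple model of one key group and reports each command that breaks a condition, so it covers any ordering of these commands rather than only the sequence shown above. The function name, the state model, and the sample SPI numbers, key placeholders, and algorithm value are assumptions.

```python
import re

def check_plan(commands, sa_spis, active_spi, bound_services):
    """Replay classic CLI lines against a model of one key group.

    Returns (line_number, reason) for each command the conditions forbid.
    A forbidden command is treated as rejected, so state stays unchanged.
    """
    spis, active, errors = set(sa_spis), active_spi, []
    for n, line in enumerate(commands, 1):
        cmd = line.strip()
        if cmd == "no active-outbound-sa":
            # Condition: key group must be off every service first.
            if bound_services:
                errors.append((n, "key group still bound to a service"))
            else:
                active = None
        elif m := re.fullmatch(r"no security-association spi (\d+)", cmd):
            # Condition: deconfigure the active outgoing SA before its SPI.
            if int(m.group(1)) == active:
                errors.append((n, "SPI is the active outgoing SA"))
            else:
                spis.discard(int(m.group(1)))
        elif cmd.startswith("esp-encryption-algorithm "):
            # Condition: algorithm cannot change while any SA exists.
            if spis:
                errors.append((n, "SAs still present in key group"))
        elif m := re.match(r"security-association spi (\d+) ", cmd):
            spis.add(int(m.group(1)))
        elif m := re.fullmatch(r"active-outbound-sa (\d+)", cmd):
            active = int(m.group(1))
    return errors

# Constructed sample plans: SPI numbers, key placeholders and the
# algorithm value are illustrative, not taken from the page.
GOOD = [
    "no active-outbound-sa",
    "no security-association spi 1",
    "no security-association spi 2",
    "esp-encryption-algorithm aes256",
    "security-association spi 1 authentication-key <auth-key> encryption-key <encr-key>",
    "security-association spi 2 authentication-key <auth-key> encryption-key <encr-key>",
    "active-outbound-sa 2",
]
BAD_ORDER = GOOD[1:3] + GOOD[:1] + GOOD[3:4]  # SPIs deleted before the active SA

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("bad order", BAD_ORDER)):
        print(name, check_plan(plan, {1, 2}, 2, set()))
```

Pass the bindings reported by `show group-encryption encryption-keygroup` as `bound_services`; any non-empty value makes the first step of the plan fail, which mirrors the third condition.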

Removing a key group

Both inbound and outbound direction key groups must be deconfigured before the key group can be removed (unbound). The inbound and outbound key groups must be deconfigured individually. Specifying a keygroup-id is optional.

Removing a key group from an SDP, VPRN service, PW template, or WLAN-GW group interface

Use the following commands to remove a key group from an SDP, VPRN service, PW template, or WLAN-GW group interface:

Note: Key groups can only be assigned to SDPs or VPRNs using the classic CLI commands.
  • MD-CLI
    configure service pw-template delete encryption-keygroup inbound
    configure service pw-template delete encryption-keygroup outbound
    configure service vprn subscriber-interface group-interface wlan-gw group-encryption delete encryption-keygroup-inbound
    configure service vprn subscriber-interface group-interface wlan-gw group-encryption delete encryption-keygroup-outbound
  • classic CLI
    configure service sdp no encryption-keygroup direction {inbound | outbound}
    configure service vprn no encryption-keygroup direction {inbound | outbound}
    configure service pw-template no encryption-keygroup direction {inbound | outbound}
    configure service vprn subscriber-interface group-interface wlan-gw group-encryption no encryption-keygroup direction {inbound | outbound} 
Note: After removing a key group from the PW template, the following command must be executed.
tools perform service eval-pw-template allow-service-impact

Changing key groups

Changing a key group requires a removal, a change, and an installation of the key group.

  1. Remove the inbound direction key group.
  2. Change the outbound direction key group.
  3. Install the new inbound direction key group.

Changing the key group for an SDP, VPRN service, PW template, or WLAN-GW group interface

Changing key groups for an SDP, VPRN service, PW template, or WLAN-GW group interface must be performed on all nodes for the service.

To change the key group on an SDP, VPRN service, PW template, or WLAN-GW group interface, perform the task described in Changing key groups.

Note: Key groups can only be changed on SDPs and VPRNs using the classic CLI commands.
Note: For PW template changes, the following command must be executed after the changes are made.
tools perform service eval-pw-template allow-service-impact

Deleting a key group from an NGE node

To delete a key group from an NGE node, the key group must be removed (unbound) from all SDPs, VPRN services, PW templates, and router interfaces that use it.

Note: When deleting a key group from a PW template, the following command must be executed after the encryption keygroup changes are made.
tools perform service eval-pw-template allow-service-impact

Use the following command to locate the key group bindings.

show group-encryption encryption-keygroup

Use the following command to delete a key group:

  • MD-CLI
    configure group-encryption delete encryption-keygroup
  • classic CLI
    configure group-encryption no encryption-keygroup