NGE management tasks
This section describes NGE management tasks.
Modifying a key group
When modifying a key group, observe the following conditions:
- The encryption or authentication algorithm for a key group cannot be changed if there are any SAs in the key group.
- The active outgoing SA must be removed (deconfigured) before the SPI can be deleted from the SA list in the key group.
- Before the outgoing SA can be deconfigured, the key group must be removed from all services on the node that use the key group.
In the following example, the active outgoing SA is deconfigured, the SAs are removed, and the encryption algorithm is changed. Then the SAs are reconfigured, followed by reconfiguration of the active outgoing SA.
MD-CLI
[ex:/configure group-encryption encryption-keygroup]
A:admin@node-2# delete security-association
delete active-outbound-security-association
esp-encryption-algorithm
security-association authentication-key encryption-key
active-outbound-security-association
classic CLI
A:node-2>config>grp-encryp encryption-keygroup
no security-association spi
no active-outbound-sa
esp-encryption-algorithm
security-association spi authentication-key encryption-key
active-outbound-sa
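The conditions and ordering above can be checked against a planned change before it is applied to a node. The following Python model is an added example, not Nokia code or SR OS syntax; the step names, the KeyGroup fields, and the sample values are hypothetical.

```python
# Added example: models the three conditions above and checks a change plan.
# Step names, KeyGroup fields and sample values are hypothetical, not SR OS syntax.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class KeyGroup:
    algorithm: str
    spis: set = field(default_factory=set)      # SAs in the key group's SA list
    active_outbound: Optional[int] = None       # SPI of the active outgoing SA
    services: set = field(default_factory=set)  # services bound to the key group

def apply_step(kg, step, arg):
    """Apply one step to the model; raise ValueError if a condition is violated."""
    if step == "unbind_service":
        kg.services.discard(arg)
    elif step == "clear_active_outbound":
        if kg.services:  # key group must be removed from all services first
            raise ValueError(f"key group still used by {sorted(kg.services)}")
        kg.active_outbound = None
    elif step == "delete_sa":
        if kg.active_outbound == arg:  # read as applying to the active SA's SPI
            raise ValueError(f"SPI {arg} is the active outgoing SA")
        kg.spis.discard(arg)
    elif step == "set_algorithm":
        if kg.spis:  # algorithm cannot change while any SA exists
            raise ValueError(f"SAs still configured: {sorted(kg.spis)}")
        kg.algorithm = arg
    elif step == "add_sa":
        kg.spis.add(arg)
    elif step == "set_active_outbound":
        kg.active_outbound = arg
    else:
        raise ValueError("unknown step")

def validate_plan(kg, plan):
    """Return (True, None), or (False, 'step N (name): reason') at the first violation."""
    for n, (step, arg) in enumerate(plan, 1):
        try:
            apply_step(kg, step, arg)
        except ValueError as err:
            return False, f"step {n} ({step}): {err}"
    return True, None

def sample_key_group():
    # Constructed starting state: two SAs, SPI 1 active, one bound service.
    return KeyGroup("alg-old", {1, 2}, 1, {"svc-10"})

# Same order as the example above: deconfigure, remove SAs, change, reconfigure.
GOOD_PLAN = [("unbind_service", "svc-10"), ("clear_active_outbound", None),
             ("delete_sa", 1), ("delete_sa", 2), ("set_algorithm", "alg-new"),
             ("add_sa", 1), ("add_sa", 2), ("set_active_outbound", 1)]
```

Calling validate_plan(sample_key_group(), GOOD_PLAN) returns (True, None); a plan that changes the algorithm or deletes the active SPI too early returns the number and name of the first offending step.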
Removing a key group
Both inbound and outbound direction key groups must be deconfigured before the key group can be removed (unbound). The inbound and outbound key groups must be deconfigured individually. Specifying a keygroup-id is optional.
Removing a key group from an SDP, VPRN service, PW template, or WLAN-GW group interface
Use the following commands to remove a key group from an SDP, VPRN service, PW template, or WLAN-GW group interface:
- MD-CLI
  configure service pw-template delete encryption-keygroup inbound
  configure service pw-template delete encryption-keygroup outbound
  configure service vprn subscriber-interface group-interface wlan-gw group-encryption delete encryption-keygroup-inbound
  configure service vprn subscriber-interface group-interface wlan-gw group-encryption delete encryption-keygroup-outbound
- classic CLI
  configure service sdp no encryption-keygroup direction {inbound | outbound}
  configure service vprn no encryption-keygroup direction {inbound | outbound}
  configure service pw-template no encryption-keygroup direction {inbound | outbound}
  configure service vprn subscriber-interface group-interface wlan-gw group-encryption no encryption-keygroup direction {inbound | outbound}
tools perform service eval-pw-template allow-service-impact
Changing key groups
Changing a key group requires a removal, a change, and an installation of the key group:
- Remove the inbound direction key group.
- Change the outbound direction key group.
- Install the new inbound direction key group.
Changing the key group for an SDP, VPRN service, PW template, or WLAN-GW group interface
Changing key groups for an SDP, VPRN service, PW template, or WLAN-GW group interface must be performed on all nodes for the service.
To change the key group on an SDP, VPRN service, PW template, or WLAN-GW group interface, perform the task described in Changing key groups.
tools perform service eval-pw-template allow-service-impact
Deleting a key group from an NGE node
To delete a key group from an NGE node, the key group must be removed (unbound) from all SDPs, VPRN services, PW templates, and router interfaces that use it.
tools perform service eval-pw-template allow-service-impact
Use the following command to locate the key group bindings.
show group-encryption encryption-keygroup
Use the following command to delete a key group:
- MD-CLI
configure group-encryption delete encryption-keygroup
- classic CLI
configure group-encryption no encryption-keygroup