anysec commands
configure
    — anysec
        — apply-groups reference
        — apply-groups-exclude reference
        — mka-over-ip
            — mka-udp-port number
        — reserved-label-block reference
        — tunnel-encryption
            — encryption-group named-item
                — admin-state keyword
                — apply-groups reference
                — apply-groups-exclude reference
                — ca-name reference
                — encryption-label number
                — peer (ipv4-address-no-zone | ipv6-address-no-zone)
                    — admin-state keyword
                    — apply-groups reference
                    — apply-groups-exclude reference
                — peer-tunnel-attributes
                    — flex-algo-id number
                    — igp-instance-id number
                    — protocol keyword
                — security-termination-policy reference
            — security-termination-policy named-item
                — admin-state keyword
                — apply-groups reference
                — apply-groups-exclude reference
                — flex-algo-id number
                — igp-instance-id number
                — local-address (ipv4-address-no-zone | ipv6-address-no-zone)
                — protocol keyword
                — rx-must-be-encrypted boolean
anysec command descriptions
anysec
mka-over-ip
Synopsis | Enter the mka-over-ip context
Context | configure anysec mka-over-ip
Tree | mka-over-ip
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
mka-udp-port number
Synopsis | ANYsec MKA UDP port
Context | configure anysec mka-over-ip mka-udp-port number
Tree | mka-udp-port
Description | This command configures the UDP port that identifies MKA packets on the system. Nokia recommends configuring the same UDP port network wide. In addition, ensure the UDP port is not used by any other protocol in the network.
Range | 1024 to 49151
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
reserved-label-block reference
Synopsis | ANYsec reserved label block
Context | configure anysec reserved-label-block reference
Tree | reserved-label-block
Description | This command assigns the label block that is reserved for the ANYsec encryption SID. Without this reserved block, ANYsec cannot assign any encryption SIDs. The encryption SID uniquely identifies the encrypting node within a network and avoids double encryption scenarios. The encryption SID can be assigned per encryption group; however, all encryption groups can share the same encryption SID. To save label space, Nokia recommends limiting the number of encryption SIDs within a network.
Reference | configure router named-item-64 mpls-labels reserved-label-block named-item-64
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
tunnel-encryption
Synopsis | Enter the tunnel-encryption context
Context | configure anysec tunnel-encryption
Tree | tunnel-encryption
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
encryption-group [group-name] named-item
Synopsis | Enter the encryption-group list instance
Context | configure anysec tunnel-encryption encryption-group named-item
Tree | encryption-group
Description | Commands in this context create an encryption group. An encryption group is a group of LSPs that use the same CA and preshared keys (PSK). For ease of PSK management, SR OS allows a group of LSPs to use the same CA with the same PSKs. The PSK is used to secure the SAK for distribution to other peers. Note: Although LSPs are unidirectional, ANYsec is a bidirectional concept in which a pair of LSPs between two peers is encrypted and decrypted. Each pair of LSPs uses its own SAK for maximum security, although it may share the same CA and PSK with all other LSPs in the encryption group to secure the SAK.
Max. instances | 1023
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
[group-name] named-item
Synopsis | ANYsec encryption group name
Context | configure anysec tunnel-encryption encryption-group named-item
Tree | encryption-group
String length | 1 to 32
Notes | This element is part of a list key.
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
admin-state keyword
Synopsis | Administrative state of the encryption group
Context | configure anysec tunnel-encryption encryption-group named-item admin-state keyword
Tree | admin-state
Options | enable, disable
Default | disable
Introduced | 23.3.R2
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
ca-name reference
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | Connectivity association for the encryption group
Context | configure anysec tunnel-encryption encryption-group named-item ca-name reference
Tree | ca-name
Description | This command configures the CA used for this encryption group. A CA must be configured with the keyword anysec for use in the encryption group.
Reference | configure macsec connectivity-association string
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
encryption-label number
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | Label identifying packets sent from the node to peers
Context | configure anysec tunnel-encryption encryption-group named-item encryption-label number
Tree | encryption-label
Description | This command creates an encryption SID for the encryption group. The encryption SID uniquely identifies the encrypting node within a network to avoid double encryption scenarios. The encryption SID can be assigned per encryption group; however, all encryption groups can share the same encryption SID. To save label space, Nokia recommends limiting the number of encryption SIDs within a network. To configure the encryption SID, a reserved-label-block command must be configured under the anysec context. The encryption SID is programmed at the bottom of the stack with the S-bit set.
Range | 32 to 1048575
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
peer [peer-ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis | Enter the peer list instance
Context | configure anysec tunnel-encryption encryption-group named-item peer (ipv4-address-no-zone | ipv6-address-no-zone)
Tree | peer
Max. instances | 1023
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
[peer-ip-address] (ipv4-address-no-zone | ipv6-address-no-zone)
Synopsis | Peer IP address of the node SID
Context | configure anysec tunnel-encryption encryption-group named-item peer (ipv4-address-no-zone | ipv6-address-no-zone)
Tree | peer
Description | This command configures the IPv4 or IPv6 address of the node SID of the peer that is part of this encryption group. This configuration identifies the segment routing node SID of the peer and programs the egress label stack for matching on the FP5 so that the LSP is encrypted. When the label stack is downloaded, the encryption SID is also included at the bottom of the stack with the S-bit set.
Notes | This element is part of a list key.
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
admin-state keyword
Synopsis | Administrative state of the encryption group peer
Context | configure anysec tunnel-encryption encryption-group named-item peer (ipv4-address-no-zone | ipv6-address-no-zone) admin-state keyword
Tree | admin-state
Options | enable, disable
Default | disable
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
peer-tunnel-attributes
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | Enter the peer-tunnel-attributes context
Context | configure anysec tunnel-encryption encryption-group named-item peer-tunnel-attributes
Tree | peer-tunnel-attributes
Description | Commands in this context configure the peer tunnel attributes. Tunnel attributes are used to match and identify the outgoing tunnels to be encrypted with ANYsec. A single set of tunnel attributes is used for multiple peers. Because an LSP is unidirectional, the outgoing tunnel can have different attributes from the incoming tunnel (for example, the security termination policy).
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
flex-algo-id number
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | Flexible algorithm ID
Context | configure anysec tunnel-encryption encryption-group named-item peer-tunnel-attributes flex-algo-id number
Tree | flex-algo-id
Description | This command configures the flexible algorithm ID. This ID must match the local terminating ANYsec tunnel.
Range | 128 to 255
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
igp-instance-id number
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | IGP instance ID
Context | configure anysec tunnel-encryption encryption-group named-item peer-tunnel-attributes igp-instance-id number
Tree | igp-instance-id
Description | This command configures the IGP instance ID. This IGP instance ID must match the IGP instance on which the incoming encrypted LSP was signaled.
Range | 0 to 31, 64 to 95
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
protocol keyword
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | Protocol used to advertise the node SID of the incoming tunnel
Context | configure anysec tunnel-encryption encryption-group named-item peer-tunnel-attributes protocol keyword
Tree | protocol
Options |
Default | sr-isis
Introduced | 23.10.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
security-termination-policy reference
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | Security termination policy used by the encryption group
Context | configure anysec tunnel-encryption encryption-group named-item security-termination-policy reference
Tree | security-termination-policy
Reference | configure anysec tunnel-encryption security-termination-policy named-item
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
security-termination-policy [policy-name] named-item
Synopsis | Enter the security-termination-policy list instance
Context | configure anysec tunnel-encryption security-termination-policy named-item
Tree | security-termination-policy
Max. instances | 1023
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
[policy-name] named-item
Synopsis | ANYsec security termination policy name
Context | configure anysec tunnel-encryption security-termination-policy named-item
Tree | security-termination-policy
String length | 1 to 32
Notes | This element is part of a list key.
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
admin-state keyword
Synopsis | Administrative state of the security termination policy
Context | configure anysec tunnel-encryption security-termination-policy named-item admin-state keyword
Tree | admin-state
Options | enable, disable
Default | disable
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
flex-algo-id number
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | Flexible algorithm ID
Context | configure anysec tunnel-encryption security-termination-policy named-item flex-algo-id number
Tree | flex-algo-id
Description | This command configures the flexible algorithm ID. This ID must match the local terminating ANYsec tunnel.
Range | 128 to 255
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
igp-instance-id number
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | IGP instance ID
Context | configure anysec tunnel-encryption security-termination-policy named-item igp-instance-id number
Tree | igp-instance-id
Description | This command configures the IGP instance ID. This IGP instance ID must match the IGP instance on which the incoming encrypted LSP was signaled.
Range | 0 to 31, 64 to 95
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
local-address (ipv4-address-no-zone | ipv6-address-no-zone)
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | Local address of the node SID associated with the ANYsec tunnel
Context | configure anysec tunnel-encryption security-termination-policy named-item local-address (ipv4-address-no-zone | ipv6-address-no-zone)
Tree | local-address
Description | This command configures the local IPv4 or IPv6 address of the system IP or loopback node SID. It is used to program the FP5 label stack so that the incoming ANYsec tunnel is matched and decrypted.
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
protocol keyword
WARNING: Modifying this element toggles the admin-state of the parent element automatically for the new value to take effect.
Synopsis | Protocol used to advertise the node SID of the incoming tunnel
Context | configure anysec tunnel-encryption security-termination-policy named-item protocol keyword
Tree | protocol
Options |
Default | sr-isis
Introduced | 23.10.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
rx-must-be-encrypted boolean
Synopsis | Enforce encryption for received packets
Context | configure anysec tunnel-encryption security-termination-policy named-item rx-must-be-encrypted boolean
Tree | rx-must-be-encrypted
Description | When configured to true, the router accepts only arriving traffic that is ANYsec secured on the port; all other traffic is dropped. When configured to false, the router accepts all arriving traffic on the port.
Default | false
Introduced | 23.3.R1
Platforms | 7750 SR-1 (FP5), 7750 SR-1se
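The commands in this reference combined into one node's ANYsec configuration, as an added MD-CLI example that is not taken from the Nokia documentation. The node name PE-1, the CA name ca-anysec, the reserved label block anysec-sid-block, the addresses 192.0.2.1 and 192.0.2.2, the UDP port and the encryption label are constructed values; the CA (configure macsec connectivity-association, created with the anysec keyword) and the label block (configure router mpls-labels reserved-label-block) are assumed to exist already, and a flexible algorithm 128 is assumed to be deployed.

```text
# Added example (hypothetical node PE-1), not Nokia's own sample configuration.
# Prerequisites assumed: CA "ca-anysec" with the anysec keyword, and reserved
# label block "anysec-sid-block" under configure router mpls-labels.
configure {
    anysec {
        # Label range the encryption SID is taken from; without it no
        # encryption SID can be assigned to any encryption group.
        reserved-label-block "anysec-sid-block"
        mka-over-ip {
            # Same value on every ANYsec node; must not collide with another
            # UDP service in the network (allowed range 1024 to 49151).
            mka-udp-port 10000
        }
        tunnel-encryption {
            # Receive side: identifies the incoming tunnel this node decrypts.
            security-termination-policy "stp-pe1" {
                admin-state enable
                # node SID address of PE-1 itself (constructed)
                local-address 192.0.2.1
                protocol sr-isis
                igp-instance-id 0
                flex-algo-id 128
                # Drop anything on this tunnel that is not ANYsec protected.
                rx-must-be-encrypted true
            }
            # Transmit side: LSPs to the listed peers are encrypted with the
            # group's CA/PSK; each peer pair still derives its own SAK.
            encryption-group "eg-core" {
                admin-state enable
                ca-name "ca-anysec"
                # Encryption SID; must lie inside "anysec-sid-block".
                encryption-label 20000
                security-termination-policy "stp-pe1"
                # Attributes that select the outgoing tunnel; the peer's own
                # security-termination-policy carries the matching values.
                peer-tunnel-attributes {
                    protocol sr-isis
                    igp-instance-id 0
                    flex-algo-id 128
                }
                # node SID address of PE-2 (constructed); PE-2 mirrors this
                # configuration with 192.0.2.1 as its peer.
                peer 192.0.2.2 {
                    admin-state enable
                }
            }
        }
    }
}
```

Changing ca-name, encryption-label or any peer-tunnel-attributes value on a running group toggles the group's admin-state, so plan such edits as a maintenance action on both ends of the tunnel.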