NGE management tasks

This section describes NGE management tasks.

Modifying a key group

Note: The following conditions apply for the classic CLI.

When modifying a key group, the user must adhere to the following conditions:

  • The encryption or authentication algorithm for a key group cannot be changed if there are any SAs in the key group.

  • The active outgoing SA must be removed (deconfigured) before the SPI can be deleted from the SA list in the key group.

  • Before the outgoing SA can be deconfigured, the key group must be removed from all services on the node that uses the key group.

The following example modifies a key group using these steps:

  1. In the classic CLI, the active outgoing SA is deconfigured.
  2. In the classic CLI, the SAs are removed.
  3. The encryption algorithm is changed.
  4. The SAs are reconfigured.
  5. The active outgoing SA is reconfigured.

MD-CLI

*[ex:/configure group-encryption]
A:admin@node-2# encryption-keygroup 1

*[ex:/configure group-encryption encryption-keygroup 1]
A:admin@node-2# encryption-algorithm aes256

*[ex:/configure group-encryption encryption-keygroup 1]
A:admin@node-2# security-association 6 authentication-key 0x6666666600000000666666660000000066666666000000006666666600000000

*[ex:/configure group-encryption encryption-keygroup 1]
A:admin@node-2# security-association 6 encryption-key 0x6666666600000000666666660000000066666666000000006666666600000000

*[ex:/configure group-encryption encryption-keygroup 1]
A:admin@node-2# active-outbound-security-association 6

classic CLI

*A:node-2>config>grp-encryp# encryption-keygroup 1
*A:node-2>config>grp-encryp>encryp-keygrp# no active-outbound-sa
*A:node-2>config>grp-encryp>encryp-keygrp# no security-association spi 6
*A:node-2>config>grp-encryp>encryp-keygrp# esp-encryption-algorithm aes256
*A:node-2>config>grp-encryp>encryp-keygrp# security-association spi 6 authentication-key 0x6666666600000000666666660000000066666666000000006666666600000000 encryption-key 0x6666666600000000666666660000000066666666000000006666666600000000
*A:node-2>config>grp-encryp>encryp-keygrp# active-outbound-sa 6
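
The three ordering conditions listed above can be checked against a planned classic CLI change before it is applied. The following Python is an added example, not Nokia code; the function name, the starting-state parameters (`bound_services`, `existing_spis`, `active_spi`), and the `<key>` placeholders are assumptions, and only the classic CLI commands shown in the example above are recognized.

```python
import re

def lint_keygroup_plan(commands, bound_services=0, existing_spis=(), active_spi=None):
    """Replay classic CLI key-group commands; return (step, reason) for each
    command that breaks one of the three conditions. A rejected command
    leaves the modelled state unchanged, as it would on the node."""
    spis, active, problems = set(existing_spis), active_spi, []
    for step, cmd in enumerate(commands, 1):
        cmd = cmd.strip()
        if cmd == "no active-outbound-sa":
            # Condition 3: unbind the key group from all services first.
            if bound_services:
                problems.append((step, f"key group still bound to {bound_services} service(s)"))
            else:
                active = None
        elif m := re.fullmatch(r"no security-association spi (\d+)", cmd):
            # Condition 2: the active outgoing SA cannot be deleted.
            spi = int(m.group(1))
            if spi == active:
                problems.append((step, f"SPI {spi} is still the active outbound SA"))
            else:
                spis.discard(spi)
        elif cmd.startswith("esp-encryption-algorithm "):
            # Condition 1: no algorithm change while any SA exists.
            if spis:
                problems.append((step, f"algorithm change with SAs present: {sorted(spis)}"))
        elif m := re.fullmatch(r"security-association spi (\d+) .+", cmd):
            spis.add(int(m.group(1)))
        elif m := re.fullmatch(r"active-outbound-sa (\d+)", cmd):
            active = int(m.group(1))
    return problems

# Constructed plans; <key> stands in for real key material.
GOOD_PLAN = [
    "no active-outbound-sa",
    "no security-association spi 6",
    "esp-encryption-algorithm aes256",
    "security-association spi 6 authentication-key <key> encryption-key <key>",
    "active-outbound-sa 6",
]
BAD_PLAN = ["esp-encryption-algorithm aes256", "no security-association spi 6",
            "no active-outbound-sa"]

if __name__ == "__main__":
    print(lint_keygroup_plan(GOOD_PLAN, existing_spis={6}, active_spi=6))
    for step, reason in lint_keygroup_plan(BAD_PLAN, 2, {6}, 6):
        print(f"step {step}: {reason}")
```

Running the same `GOOD_PLAN` with `bound_services=1` flags the first three steps, because the key group is still bound and the first command would be rejected.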

Removing a key group

Both inbound and outbound direction key groups must be deconfigured before the key group can be removed (unbound). The inbound and outbound key groups must be deconfigured individually. Specifying a keygroup-id is optional.

Removing a key group from an SDP, VPRN service, PW template, or WLAN-GW group interface

Use the following commands to remove a key group from an SDP, VPRN service, PW template, or WLAN-GW group interface:

Note: Key groups can only be assigned to SDPs or VPRNs using the classic CLI commands.

  • MD-CLI
    configure service pw-template delete encryption-keygroup inbound
    configure service pw-template delete encryption-keygroup outbound
    configure service vprn subscriber-interface group-interface wlan-gw group-encryption delete encryption-keygroup-inbound
    configure service vprn subscriber-interface group-interface wlan-gw group-encryption delete encryption-keygroup-outbound
  • classic CLI
    configure service sdp no encryption-keygroup direction {inbound | outbound}
    configure service vprn no encryption-keygroup direction {inbound | outbound}
    configure service pw-template no encryption-keygroup direction {inbound | outbound}
    configure service vprn subscriber-interface group-interface wlan-gw group-encryption no encryption-keygroup direction {inbound | outbound}

Note: After removing a key group from the PW template, the following command must be executed:

tools perform service eval-pw-template allow-service-impact

Changing key groups

Changing a key group requires a removal, a change, and an installation of the key group, in the following order:

  1. Remove the inbound direction key group.
  2. Change the outbound direction key group.
  3. Install the new inbound direction key group.

Changing the key group for an SDP, VPRN service, PW template, or WLAN-GW group interface

Changing key groups for an SDP, VPRN service, PW template, or WLAN-GW group interface must be performed on all nodes for the service.

To change the key group on an SDP, VPRN service, PW template, or WLAN-GW group interface, perform the task described in Changing key groups.

Note: Key groups can only be changed on SDPs and VPRNs using the classic CLI commands.

Note: For PW template changes, the following command must be executed after the changes are made:

tools perform service eval-pw-template allow-service-impact

Deleting a key group from an NGE node

To delete a key group from an NGE node, the key group must be removed (unbound) from all SDPs, VPRN services, PW templates, and router interfaces that use it.

Note: When deleting a key group from a PW template, the following command must be executed after the encryption keygroup changes are made:

tools perform service eval-pw-template allow-service-impact

Use the following command to locate the key group bindings.

show group-encryption encryption-keygroup

Use the following command to delete a key group:

  • MD-CLI
    configure group-encryption delete encryption-keygroup
  • classic CLI
    configure group-encryption no encryption-keygroup