4.11. NGE Configuration Command Reference

4.11.1. Command Hierarchies

4.11.1.1. Configuration Commands

4.11.1.1.1. NGE Commands

config
    — group-encryption
        — encryption-keygroup keygroup-id [create]
        — no encryption-keygroup keygroup-id
            — active-outbound-sa spi
            — description description-string
            — esp-auth-algorithm {sha256 | sha512}
            — esp-encryption-algorithm {aes128 | aes256}
            — keygroup-name keygroup-name
            — security-association spi spi authentication-key authentication-key encryption-key encryption-key [crypto]
            — no security-association spi spi
        — group-encryption-label encryption-label

4.11.1.1.2. Services Commands

config
    — service
        — sdp
            — encryption-keygroup keygroup-id direction {inbound | outbound}
            — no encryption-keygroup direction {inbound | outbound}
        — vprn
            — encryption-keygroup keygroup-id direction {inbound | outbound}
            — no encryption-keygroup direction {inbound | outbound}

4.11.1.1.3. Router Interface Encryption Commands

config
    — router
        — [no] interface ip-int-name
            — [no] group-encryption
                — encryption-keygroup keygroup-id direction {inbound | outbound}
                — no encryption-keygroup direction {inbound | outbound}
                — ip-exception filter-id direction {inbound | outbound}
                — no ip-exception direction {inbound | outbound}

Refer to the “IP Router Configuration Command Reference” section in the 7450 ESS, 7750 SR, and 7950 XRS Router Configuration Guide for information about these router interface encryption commands.

4.11.2. Command Descriptions

4.11.2.1. Generic Commands

description

Syntax 
description description-string
no description
Context 
config>grp-encryp>encryp-keygrp
Description 

This command is used to add a description to the key group being referenced.

The no form of the command removes the description.

Parameters 
description-string—
The description of the key group, up to 80 characters.

4.11.2.2. Group Encryption Commands

group-encryption

Syntax 
group-encryption
Context 
config
Description 

This command enables the context to configure group encryption parameters.

encryption-keygroup

Syntax 
encryption-keygroup keygroup-id [create]
no encryption-keygroup keygroup-id
Context 
config>grp-encryp
Description 

This command creates a key group. Once the key group exists, the same command enters the key group context; the no form deletes it.

The no form of the command removes the key group. Before using the no form, the key group association must be deleted from all services that are using this key group.

Parameters 
keygroup-id—
The number or name of the key group being referenced.
Values—
1 to 15, or keygroup-name (up to 64 characters)

create—
Creates a key group.

active-outbound-sa

Syntax 
active-outbound-sa spi
no active-outbound-sa
Context 
config>grp-encryp>encryp-keygrp
Description 

This command specifies the Security Association, referenced by the Security Parameter Index (SPI), to use when performing encryption and authentication on NGE packets egressing the node for all services configured using this key group.

The no form of the command removes the active outbound SA. Its effect is the same as removing this key group from the outbound direction of every service configured with it: packets of those services egress the node without being encrypted.

Parameters 
spi—
Specifies the SPI of the security association used to encrypt and authenticate packets of services using this key group when they egress the node. The SPI identifies a security association configured in this key group.
Values—
1 to 127

esp-auth-algorithm

Syntax 
esp-auth-algorithm {sha256 | sha512}
no esp-auth-algorithm
Context 
config>grp-encryp>encryp-keygrp
Description 

This command specifies the hashing algorithm used to perform authentication on the Encapsulating Security Payload (ESP) within NGE packets for services configured using this key group. All SPI entries must be deleted before the no form of the command may be entered or the esp-auth-algorithm value changed from its current value.

The no form of the command reverts to the default value.

Default 

sha256

Parameters 
sha256—
Configures the ESP to use the HMAC-SHA-256 algorithm for authentication.
sha512—
Configures the ESP to use the HMAC-SHA-512 algorithm for authentication.

esp-encryption-algorithm

Syntax 
esp-encryption-algorithm {aes128 | aes256}
no esp-encryption-algorithm
Context 
config>grp-encryp>encryp-keygrp
Description 

This command specifies the encryption algorithm used to perform encryption on the Encapsulating Security Payload (ESP) within NGE packets for services configured using this key group. All SPI entries must be deleted before the no form of the command may be entered or the esp-encryption-algorithm value changed from its current value.

The no form of the command resets the parameter to the default value.

Default 

aes128

Parameters 
aes128—
Configures ESP to use AES with a 128-bit key. AES always operates on 128-bit blocks; aes128 and aes256 differ only in key length.
aes256—
Configures ESP to use AES with a 256-bit key, the longest key length AES defines.

keygroup-name

Syntax 
keygroup-name keygroup-name
no keygroup-name
Context 
config>grp-encryp>encryp-keygrp
Description 

This command is used to name the key group. The key group name can be used to reference a key group when configuring services or displaying information.

The no form of the command removes the key group name.

Parameters 
keygroup-name—
The name of the key group, up to 64 characters.

security-association

Syntax 
security-association spi spi authentication-key authentication-key encryption-key encryption-key [crypto]
no security-association spi spi
Context 
config>grp-encryp>encryp-keygrp
Description 

This command is used to create a security association for a specific SPI value in a key group. The command is also used to enter the authentication and encryption key values for the security association, or to delete a security association.

The SPI value used for the security association is a node-wide unique value, meaning that no two security associations in any key group on the node may share the same SPI value.

Keys are entered in clear text. After configuration, they are never displayed in their original, clear text form. Keys are displayed in an encrypted form, which is indicated by the system-appended crypto keyword when an info or an admin>save command is run. For security reasons, keys encrypted on one node are not usable on other nodes (that is, keys are not exchangeable between nodes).

The no form of the command removes the security association and related key values from the list of security associations for the key group. If the no form of the command is attempted using the same SPI value that is configured for active-outbound-sa, then a warning is issued and the command is blocked. If the no form of the command is attempted on the last SPI in the key group and the key group is configured on a service, then the command is blocked.

Parameters 
spi—
Specifies the SPI of the security association being created or removed.
Values—
1 to 127

authentication-key—
Specifies the authentication key for the SPI, in hexadecimal format. The string must be 64 hexadecimal characters (32 bytes) when the authentication algorithm is sha256, or 128 characters (64 bytes) when it is sha512.
encryption-key—
Specifies the encryption key for the SPI, in hexadecimal format. The string must be 32 hexadecimal characters (16 bytes) when the encryption algorithm is aes128, or 64 characters (32 bytes) when it is aes256.
crypto—
Indicates that the key values shown are in the node's encrypted form rather than clear text. The system appends this keyword when the configuration is displayed (info) or saved (admin>save), so that an encrypted key cannot be mistaken for a clear-text one.
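The key-length and SPI rules above, as an added example that is not part of this reference and is not Nokia code: a small Python helper that draws keys of the correct length for the configured algorithms from the OS CSPRNG, rejects what the node would refuse (non-hexadecimal keys, wrong key length for the algorithm, an SPI outside 1 to 127, an SPI already used anywhere on the node, an active-outbound-sa that names no configured SPI), and renders the resulting config>group-encryption>encryption-keygroup block. The function names and the sample key-group name are mine.

```python
import re
import secrets

# Hex-string lengths required by security-association (see the parameter notes above):
# HMAC-SHA-256 / -512 keys are 32 / 64 bytes, AES-128 / -256 keys are 16 / 32 bytes.
AUTH_KEY_HEX_LEN = {"sha256": 64, "sha512": 128}
ENC_KEY_HEX_LEN = {"aes128": 32, "aes256": 64}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def generate_keys(auth_alg, enc_alg):
    """Return (authentication_key, encryption_key) as hex strings of exactly the
    length the node expects for the two algorithms. secrets.token_hex(n) returns
    2*n hex characters from the OS CSPRNG."""
    auth_key = secrets.token_hex(AUTH_KEY_HEX_LEN[auth_alg] // 2)
    enc_key = secrets.token_hex(ENC_KEY_HEX_LEN[enc_alg] // 2)
    return auth_key, enc_key


def check_sa(spi, auth_key, enc_key, auth_alg, enc_alg, spis_in_use):
    """Raise ValueError for anything the CLI would reject; return the SPI.
    spis_in_use holds every SPI already configured in any key group on the
    node, because an SPI is node-wide unique."""
    if not 1 <= spi <= 127:
        raise ValueError(f"spi {spi} outside 1..127")
    if spi in spis_in_use:
        raise ValueError(f"spi {spi} is already configured on this node")
    for label, key, want in (("authentication-key", auth_key, AUTH_KEY_HEX_LEN[auth_alg]),
                             ("encryption-key", enc_key, ENC_KEY_HEX_LEN[enc_alg])):
        if not HEX_RE.match(key):
            raise ValueError(f"{label} is not a hexadecimal string")
        if len(key) != want:
            raise ValueError(f"{label} needs {want} hex characters, got {len(key)}")
    return spi


def render_keygroup(keygroup_id, name, auth_alg, enc_alg, sas, active_spi, spis_in_use=()):
    """Return the CLI lines for one key group.

    sas is a list of (spi, auth_key, enc_key). The algorithms are emitted before
    any security-association because they cannot be changed once SPIs exist;
    active-outbound-sa is emitted last and must name one of the SPIs above it."""
    if not 1 <= keygroup_id <= 15:
        raise ValueError("keygroup-id must be 1..15")
    if auth_alg not in AUTH_KEY_HEX_LEN or enc_alg not in ENC_KEY_HEX_LEN:
        raise ValueError("unknown algorithm")
    used = set(spis_in_use)
    lines = [
        "configure group-encryption",
        f"    encryption-keygroup {keygroup_id} create",
        f"        keygroup-name {name}",          # sample name, constructed
        f"        esp-auth-algorithm {auth_alg}",
        f"        esp-encryption-algorithm {enc_alg}",
    ]
    for spi, auth_key, enc_key in sas:
        used.add(check_sa(spi, auth_key, enc_key, auth_alg, enc_alg, used))
        lines.append(f"        security-association spi {spi} "
                     f"authentication-key {auth_key} encryption-key {enc_key}")
    if active_spi not in {spi for spi, _, _ in sas}:
        raise ValueError(f"active-outbound-sa {active_spi} is not a configured SPI")
    lines += [f"        active-outbound-sa {active_spi}", "        exit", "    exit"]
    return lines


if __name__ == "__main__":
    auth, enc = generate_keys("sha256", "aes256")
    print("\n".join(render_keygroup(1, "kg-site-a", "sha256", "aes256", [(10, auth, enc)], 10)))
```

The same clear-text keys must be pasted on every node in the group: the crypto form that info or admin>save emits is node-specific and cannot be copied to a peer, so keep the generated clear text in whatever secret store you use for distribution, not the saved configuration.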

group-encryption-label

Syntax 
group-encryption-label encryption-label
no group-encryption-label
Context 
config>grp-encryp
Description 

This command configures the group encryption label used to identify when an MPLS payload is encrypted. This label must be unique network-wide and must be configured consistently on all nodes participating in a network group encryption domain. The label cannot be changed or deleted when there are any key groups configured on the node.

The no form of the command removes the group encryption label; this is only permitted when no key groups are configured on the node.

Parameters 
encryption-label—
The network-wide unique MPLS label reserved for group encryption.
Values—
32 to 2047

4.11.2.3. Services Commands

encryption-keygroup

Syntax 
encryption-keygroup keygroup-id direction {inbound | outbound}
no encryption-keygroup direction {inbound | outbound}
Context 
config>service>sdp
config>service>vprn
Description 

This command binds a key group to an SDP or VPRN service for inbound or outbound packet processing. In the outbound direction, packets egressing the node are encrypted and authenticated with the active-outbound-sa of the bound key group. In the inbound direction, received packets must have been encrypted with one of the security associations configured in the bound key group. When bound to an SDP, all services carried over that SDP are encrypted.

The encryption (enabled or disabled) configured on an SDP used to terminate a Layer 3 spoke SDP of a VPRN always overrides any VPRN-level configuration for encryption.

Encryption is enabled once the outbound direction is configured.

The no form of the command removes the key group from the SDP or service in the specified direction (inbound or outbound).

Parameters 
keygroup-id—
The number or name of the key group being bound.
Values—
1 to 15, or keygroup-name (up to 64 characters)

direction {inbound | outbound}—
Specifies whether the key group applies to packets received by the node (inbound) or sent by the node (outbound) for this service.
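The ordering constraints that this reference spreads across active-outbound-sa, security-association, group-encryption-label and this command, collected into one runnable state model. This is an added example, not part of the reference and not Nokia code; the class and method names are mine, and the key-rollover ordering at the end is inferred from the rules on this page rather than stated by it.

```python
class ConfigBlocked(Exception):
    """The CLI refuses the command and leaves the configuration unchanged."""


class NgeNode:
    """Minimal model of one node's NGE configuration (constructed example)."""

    def __init__(self):
        self.label = None      # group-encryption-label, 32..2047
        self.keygroups = {}    # keygroup-id -> {"spis": set(), "active": spi or None}
        self.bindings = {}     # (service, direction) -> keygroup-id

    # --- config>group-encryption -------------------------------------------
    def set_label(self, label):
        if not 32 <= label <= 2047:
            raise ValueError("group-encryption-label must be 32..2047")
        if self.keygroups:   # label is frozen while any key group exists
            raise ConfigBlocked("label cannot change while key groups exist")
        self.label = label

    def add_keygroup(self, kg_id):
        if not 1 <= kg_id <= 15:
            raise ValueError("keygroup-id must be 1..15")
        self.keygroups.setdefault(kg_id, {"spis": set(), "active": None})

    def add_sa(self, kg_id, spi):
        if not 1 <= spi <= 127:
            raise ValueError("spi must be 1..127")
        if any(spi in kg["spis"] for kg in self.keygroups.values()):   # node-wide unique
            raise ConfigBlocked(f"spi {spi} already exists in a key group on this node")
        self.keygroups[kg_id]["spis"].add(spi)

    def set_active_outbound(self, kg_id, spi):
        if spi not in self.keygroups[kg_id]["spis"]:
            raise ConfigBlocked(f"spi {spi} is not a security association of key group {kg_id}")
        self.keygroups[kg_id]["active"] = spi

    def remove_sa(self, kg_id, spi):
        kg = self.keygroups[kg_id]
        if kg["active"] == spi:
            raise ConfigBlocked("spi is the active-outbound-sa; move it first")
        if len(kg["spis"]) == 1 and kg_id in self.bindings.values():
            raise ConfigBlocked("last SPI of a key group that a service still uses")
        kg["spis"].discard(spi)

    def remove_keygroup(self, kg_id):
        if kg_id in self.bindings.values():
            raise ConfigBlocked("remove the key group from every service first")
        del self.keygroups[kg_id]

    # --- config>service>sdp / config>service>vprn ---------------------------
    def bind(self, service, direction, kg_id):
        if direction not in ("inbound", "outbound"):
            raise ValueError("direction must be inbound or outbound")
        if kg_id not in self.keygroups:
            raise ConfigBlocked(f"key group {kg_id} does not exist")
        self.bindings[(service, direction)] = kg_id

    def unbind(self, service, direction):
        self.bindings.pop((service, direction), None)

    # --- what the resulting state means for traffic --------------------------
    def egress_spi(self, service):
        """SPI used to encrypt packets leaving the node for this service, or None
        when they leave in clear text (no outbound binding, or the bound key
        group has no active-outbound-sa)."""
        kg_id = self.bindings.get((service, "outbound"))
        return None if kg_id is None else self.keygroups[kg_id]["active"]

    def accepts_ingress(self, service, spi):
        """Received packets must carry an SPI configured in the inbound key group."""
        kg_id = self.bindings.get((service, "inbound"))
        return kg_id is not None and spi in self.keygroups[kg_id]["spis"]

    def rollover(self, kg_id, new_spi):
        """Key rotation in the only order the guards above allow: add the new SA,
        switch active-outbound-sa to it, then remove the old SA. Assumption, not
        stated on the page: every peer must already hold new_spi in its inbound
        key group, since accepts_ingress() on the peer rejects unknown SPIs."""
        old = self.keygroups[kg_id]["active"]
        self.add_sa(kg_id, new_spi)
        self.set_active_outbound(kg_id, new_spi)
        if old is not None:
            self.remove_sa(kg_id, old)
```

The model makes the operational consequence visible: a key group can never be left in a state where a bound service would silently fall back to clear text through deletion, but `no active-outbound-sa` does exactly that, so treat it as a deliberate decrypt-on-egress action rather than housekeeping.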