A key group can be assigned to the following entities:
- SDPs
- VPRNs
- PW templates
NGE supports encrypting the following services when key groups are assigned to an SDP, VPRN service, or PW template:
- VLL services (Epipe or BGP-VPWS)
- VPRN service using Layer 3 spoke-SDP termination
- IES service using Layer 3 spoke-SDP termination
- VPLS service using spoke and mesh SDPs
- routed VPLS service into a VPRN or IES
- MP-BGP-based VPRNs
- BGP-VPLS and BGP-VPWS with auto-gre-sdp
For services that use SDPs, all tunnels may be either MPLS LSPs (RSVP-TE, LDP, or static LSP), or GRE or MPLSoUDP tunnels.
For MP-BGP services, resolving routes using spoke SDPs (spoke-sdp) or auto-bind SDPs (auto-bind-tunnel) is supported using LDP, GRE, RSVP-TE, or segment routing (SR-ISIS, SR-OSPF, or SR-TE).
Use the following CLI syntax to assign a key group to an SDP, VPRN service, or PW template.
After assigning a key group to the PW template, the following tools command must be executed:
tools>perform>service>eval-pw-template>allow-service-impact
config>service# sdp sdp-id [create]
— encryption-keygroup keygroup-id direction {inbound | outbound}
config>service# vprn service-id
— encryption-keygroup keygroup-id direction {inbound | outbound}
config>service# pw-template policy-id auto-gre-sdp [create]
— encryption-keygroup keygroup-id direction {inbound | outbound}
The following examples display a key group assigned to an SDP, VPRN service, or PW template:
config>service# sdp 61 create
config>service>sdp# encryption-keygroup 4 direction inbound
config>service>sdp# encryption-keygroup 4 direction outbound
config>service# vprn 22
config>service>vprn# encryption-keygroup 2 direction inbound
config>service>vprn# encryption-keygroup 2 direction outbound
config>service# pw-template 12 auto-gre-sdp create
config>service>pw-template# encryption-keygroup 4 direction inbound
config>service>pw-template# encryption-keygroup 4 direction outbound
config>service>pw-template# exit all
tools>perform>service>eval-pw-template>allow-service-impact
The following example displays key group configuration for an SDP or a VPRN service.
domain1>config>service# info
----------------------------------------------
...
sdp 61 create
shutdown
far-end 10.10.10.10
exit
encryption-keygroup 4 direction inbound
encryption-keygroup 4 direction outbound
exit
...
vprn 22 customer 1 create
shutdown
encryption-keygroup 2 direction inbound
encryption-keygroup 2 direction outbound
exit
...
----------------------------------------------
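The key group is assigned separately for each direction, so a saved configuration can be checked for SDPs, VPRNs, or PW templates that have only one direction set or none at all. The following audit script is an added example, not part of the product documentation; it assumes the operator intends the same key group inbound and outbound, as in the examples above, and its function name and sample entries (sdp 62 and the empty pw-template 12) are constructed for illustration.

```python
import re

# Constructed sample in the style of the "info" output above; sdp 62 and the
# empty pw-template 12 are made-up entries that show the failure cases.
SAMPLE_CONFIG = """\
sdp 61 create
    encryption-keygroup 4 direction inbound
    encryption-keygroup 4 direction outbound
exit
sdp 62 create
    encryption-keygroup 4 direction inbound
exit
vprn 22 customer 1 create
    encryption-keygroup 2 direction inbound
    encryption-keygroup 2 direction outbound
exit
pw-template 12 auto-gre-sdp create
exit
"""

# Entity headers as they appear in "info" output (always end in "create").
ENTITY = re.compile(r"^\s*(sdp|vprn|pw-template)\s+(\S+)\s+(?:.*\s)?create\s*$")
KEYGROUP = re.compile(r"^\s*encryption-keygroup\s+(\S+)\s+direction\s+(inbound|outbound)\s*$")

def audit_keygroups(config_text):
    """Return {(kind, id): finding} for entities without symmetric key groups."""
    seen = {}       # (kind, id) -> {direction: keygroup-id}
    current = None  # most recent sdp / vprn / pw-template header
    for line in config_text.splitlines():
        m = ENTITY.match(line)
        if m:
            current = (m.group(1), m.group(2))
            seen.setdefault(current, {})
            continue
        m = KEYGROUP.match(line)
        if m and current:
            seen[current][m.group(2)] = m.group(1)
    findings = {}
    for entity, dirs in seen.items():
        if not dirs:
            findings[entity] = "no key group assigned"
        elif set(dirs) != {"inbound", "outbound"}:
            findings[entity] = "only " + next(iter(dirs)) + " configured"
        elif dirs["inbound"] != dirs["outbound"]:
            findings[entity] = "inbound/outbound key groups differ"
    return findings

if __name__ == "__main__":
    for (kind, ident), why in audit_keygroups(SAMPLE_CONFIG).items():
        print(f"{kind} {ident}: {why}")
```

Lines are attributed to the most recent entity header, so the check works on indented output as well as on text whose indentation has been lost.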