Assigning a key group to an SDP, VPRN service, or PW template

A key group can be assigned to the following entities:

SDPs
VPRNs
PW templates

NGE supports encrypting the following services when key groups are assigned to an SDP, VPRN service, or PW template:

VLL services (Epipe or BGP-VPWS)
VPRN service using Layer 3 spoke-SDP termination
IES service using Layer 3 spoke-SDP termination
VPLS service using spoke and mesh SDPs
routed VPLS service into a VPRN or IES
MP-BGP-based VPRNs
BGP-VPLS and BGP-VPWS with auto-gre-sdp

For services that use SDPs, all tunnels may be either MPLS LSPs (RSVP-TE, LDP, or static LSP), or GRE or MPLSoUDP tunnels.

For MP-BGP services, resolving routes using spoke SDPs (spoke-sdp) or auto-bind SDPs (auto-bind-tunnel) is supported using LDP, GRE, RSVP-TE, or segment routing (SR-ISIS, SR-OSPF, or SR-TE).

Use the following CLI syntax to assign a key group to an SDP, VPRN service, or PW template:

Note: After assigning a key group to the PW template, the following tools command must be executed:

tools>perform>service>eval-pw-template>allow-service-impact

config>service# sdp sdp-id [create]
        — encryption-keygroup keygroup-id direction {inbound | outbound}

config>service# vprn service-id 
        — encryption-keygroup keygroup-id direction {inbound | outbound}

config>service# pw-template policy-id auto-gre-sdp [create]
        — encryption-keygroup keygroup-id direction {inbound | outbound}

The following examples display a key group assigned to an SDP, VPRN service, or PW template:

config>service# sdp 61 create
    config>service>sdp# encryption-keygroup 4 direction inbound
    config>service>sdp# encryption-keygroup 4 direction outbound

config>service# vprn 22
    config>service>vprn# encryption-keygroup 2 direction inbound
    config>service>vprn# encryption-keygroup 2 direction outbound

config>service# pw-template 12 auto-gre-sdp create
    config>service>pw-template# encryption-keygroup 4 direction inbound
    config>service>pw-template# encryption-keygroup 4 direction outbound
    config>service>pw-template# exit all
    tools>perform>service>eval-pw-template>allow-service-impact

The following example displays key group configuration for an SDP or a VPRN service.

domain1>config>service# info 
----------------------------------------------
...
        sdp 61 create
            shutdown
            far-end 10.10.10.10
            exit
            encryption-keygroup 4 direction inbound
            encryption-keygroup 4 direction outbound
        exit
...
        vprn 22 customer 1 create
            shutdown
            encryption-keygroup 2 direction inbound
            encryption-keygroup 2 direction outbound
        exit
...
----------------------------------------------