Encryption rules define what data flow (source and destination) to protect, the action to perform if a packet matches the rule criteria, and the policy enforcement points.

Each encryption rule contains instructions that determine what to do with each network packet based on its packet properties:

  • Encrypt/decrypt the packet and perform an integrity check.

  • Perform an integrity check (but do not encrypt the packet).

  • Allow the packet to pass as is (allow in plain).

For each network packet, encryption rules are processed in priority order, starting with the first rule in the first section. Rule sequence affects your results. See How DNE Processes Network Packets.

The following table describes the columns in the encryption rule screen.

Column Name

Description

#

Unique number that defines the position of this encryption rule in the section, starting with 1 as the first encryption rule in the list. The position determines the order in which this rule is evaluated. When you move a rule up or down in the list, the system updates the numbers automatically.

Name

Name of this rule.

ID

Unique system-generated ID for each encryption rule. Read only.

Sources

Matches the source address in the packet. It consists of an individual or a homogeneous collection (NS Groups / Containers) of the following logical constructs:

  • Logical port

  • Logical switch

  • NSGroup

Destinations

Matches the destination address in the packet. It consists of an individual or a homogeneous collection (NS Groups / Containers) of the following logical constructs:

  • Logical port

  • Logical switch

  • NSGroup

Services

Represents the destination port and protocol (such as HTTP). It also supports port ranges and port sets. Sets of ports are limited to 15 per rule. The service port/protocol can be negated.

Action

Specifies the action for this rule. One of the following values:

  • Encrypt and check integrity

  • Check integrity only

  • Allow in clear

Key Policy

Key policy to use for this rule.

Applied To

Specifies the policy enforcement point. One or more of the following options:

  • Logical port

  • Logical switch

  • NSGroup (container) of logical switch ports

Log

Enable this setting to turn on the logging feature in the hypervisor for this encryption rule in this section. Logging for an encryption rule is disabled by default.

Stats

Run-time processing statistics (such as rule ID, packets in/out, bytes in/out) as well as a timestamp for when the statistics were last updated. These values represent aggregated statistics across all hosts. Statistics are accumulated starting from when the encryption rule was created and are tabulated in five-minute intervals (by default), although you must manually refresh the display.

Notes

Notes associated with this rule.

By default, the columns ID, Log, and Notes are not displayed. You can click Columns in the lower left corner to select the columns to display.

Considerations for defining encryption rules:

  • DNE is not supported on Edge nodes, which will drop DNE-encrypted traffic. Therefore, do not create rules for traffic that passes through Edge nodes.

  • VMs on ESXi cannot send encrypted traffic to VMs on KVM.

  • Using ANY in Source or Destination carries a risk. Depending on the topology, it might unintentionally include traffic that crosses Edge nodes, which drop DNE-encrypted traffic.

  • Important: If an encryption rule is applied on a hypervisor, its VTEP interface MTU size must be at least 1700 (2000 or higher is recommended).
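The priority-ordered, first-match evaluation described above (actions, Sources/Destinations/Services with service negation) and the limits and caveats in the considerations list, worked through as an added Python example. This is the editor's illustration, not NSX-T code or its API: the Rule/Packet model, the group names (app-tier, db-tier, web-tier), the sample rules and packets, and the reading of "15 port sets per rule" as the number of port-set entries under a rule's Services are all assumptions; what happens when no rule matches is not stated on this page, so the evaluator simply reports no match.

```python
"""Constructed model of DNE-style encryption rules: first-match evaluation
in priority order, plus a lint pass for the page's considerations.
Not NSX-T's data model or API; names and sample data are made up."""
from dataclasses import dataclass

ANY = "ANY"

# Action names as they appear in the Action column.
ENCRYPT = "Encrypt and check integrity"
INTEGRITY_ONLY = "Check integrity only"
ALLOW_IN_CLEAR = "Allow in clear"

MAX_PORT_SETS = 15           # "Sets of ports are limited to 15 per rule"
MIN_VTEP_MTU = 1700          # VTEP MTU must be at least 1700 ...
RECOMMENDED_VTEP_MTU = 2000  # ... and 2000 or higher is recommended


@dataclass
class Service:
    protocol: str        # e.g. "TCP"
    ports: frozenset     # one port set (a port range expanded to a set)
    negated: bool = False  # the service port/protocol can be negated

    def matches(self, protocol, port):
        hit = protocol == self.protocol and port in self.ports
        return (not hit) if self.negated else hit


@dataclass
class Rule:
    name: str
    sources: set         # logical port / switch / NSGroup names, or {ANY}
    destinations: set
    services: list       # list of Service; empty list means any service
    action: str
    key_policy: str = "default"
    log: bool = False    # logging is disabled by default


@dataclass
class Packet:
    src_group: str       # construct the source belongs to (assumed)
    dst_group: str
    protocol: str
    dst_port: int


def _addr_match(selector, group):
    return ANY in selector or group in selector


def first_match(rules, pkt):
    """Walk rules in list order (the '#' column, starting at 1); the first
    rule whose criteria all match decides the action.  Returns (position,
    rule), or (None, None) when nothing matches."""
    for pos, rule in enumerate(rules, start=1):
        if not _addr_match(rule.sources, pkt.src_group):
            continue
        if not _addr_match(rule.destinations, pkt.dst_group):
            continue
        if rule.services and not any(
                s.matches(pkt.protocol, pkt.dst_port) for s in rule.services):
            continue
        return pos, rule
    return None, None


def lint(rules, vtep_mtu):
    """Flag rule-set properties the page warns about.  Returns a list of
    (severity, message) tuples; an empty list means nothing was flagged."""
    findings = []
    for pos, r in enumerate(rules, start=1):
        if len(r.services) > MAX_PORT_SETS:
            findings.append(("error", f"rule {pos} '{r.name}': "
                             f"{len(r.services)} port sets exceed {MAX_PORT_SETS}"))
        if ANY in r.sources or ANY in r.destinations:
            findings.append(("warning", f"rule {pos} '{r.name}': ANY may include "
                             "traffic crossing Edge nodes, which drop encrypted traffic"))
    if vtep_mtu < MIN_VTEP_MTU:
        findings.append(("error", f"VTEP MTU {vtep_mtu} below minimum {MIN_VTEP_MTU}"))
    elif vtep_mtu < RECOMMENDED_VTEP_MTU:
        findings.append(("warning", f"VTEP MTU {vtep_mtu} below recommended "
                         f"{RECOMMENDED_VTEP_MTU}"))
    return findings


# Constructed sample rule set, listed in priority order.
RULES = [
    Rule("dns-in-clear", {"app-tier"}, {ANY},
         [Service("UDP", frozenset({53}))], ALLOW_IN_CLEAR),
    Rule("encrypt-app-to-db", {"app-tier"}, {"db-tier"},
         [Service("TCP", frozenset({3306}))], ENCRYPT, key_policy="db-policy", log=True),
    Rule("integrity-app-to-db-rest", {"app-tier"}, {"db-tier"},
         [Service("TCP", frozenset({3306}), negated=True)], INTEGRITY_ONLY),
]

if __name__ == "__main__":
    for pkt in (Packet("app-tier", "db-tier", "TCP", 3306),
                Packet("app-tier", "db-tier", "TCP", 22),
                Packet("app-tier", "db-tier", "UDP", 53)):
        pos, rule = first_match(RULES, pkt)
        print(pkt, "->", pos, rule.action if rule else "no match")
    # Same DNS packet with the rules reversed: sequence changes the result.
    print("reversed:", first_match(list(reversed(RULES)),
                                   Packet("app-tier", "db-tier", "UDP", 53))[1].action)
    for sev, msg in lint(RULES, vtep_mtu=1600):
        print(sev, msg)
```

The reversed-order call is the point of "Rule sequence affects your results": the same DNS packet that rule 1 allows in clear is instead caught by the negated-service rule when that rule is evaluated first, so reordering rules in the UI can silently change which traffic is encrypted, integrity-checked, or passed in clear.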