09-Security Command Reference
H3C S6805 & S6825 & S6850 & S9850 Command References-Release 66xx-6W103
25-Microsegmentation commands

Microsegmentation commands

This feature is supported only in Release 6616 and later.

display microsegment

Use display microsegment to display the configuration and status of microsegments.

Syntax

display microsegment [ microsegment-id | name microsegment-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

microsegment-id: Specifies a microsegment by its ID in the range of 1 to 65535.

name microsegment-name: Specifies a microsegment by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify any parameters, this command displays summary information and status information about all microsegments.

Examples

# Display the configuration of microsegment 1.

<Sysname> display microsegment 1

Microsegment ID    : 1

Microsegment name  : micseg1

  IPv4 member:

    192.168.56.0/24

  IPv6 member:

    10:10::/64

# Display summary information and status information about all microsegments.

<Sysname> display microsegment

Microsegment status   : Enabled

Subnet matching method: Longest

Total microsegments   : 2

Microsegment list     :

  Microsegment ID  Members  Microsegment name

  12345            3        abc

  32789            5        xyz
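The per-microsegment output shown above is what an operator audits when checking that no segment is broader than intended. As an added example (this is not H3C code and does not run on the switch), the Python below parses one or more captured display microsegment <id> outputs into records and flags members that are the default route or shorter than a threshold. Microsegment 1 in the sample capture reproduces the page's example; microsegment 2, the prefix-length thresholds and the finding texts are constructed for the example.

```python
import ipaddress
import re

# Constructed capture of 'display microsegment <id>' output for two
# microsegments, concatenated as an operator's script would collect it.
# Microsegment 1 is the page's example; microsegment 2 is made up to show
# members worth flagging.
SAMPLE_OUTPUT = """\
<Sysname> display microsegment 1
Microsegment ID    : 1
Microsegment name  : micseg1
  IPv4 member:
    192.168.56.0/24
  IPv6 member:
    10:10::/64
<Sysname> display microsegment 2
Microsegment ID    : 2
Microsegment name  : xyz
  IPv4 member:
    0.0.0.0/0
    10.0.0.0/8
  IPv6 member:
"""

_FIELD = re.compile(r"^Microsegment (ID|name)\s*:\s*(.*)$")


def parse_display_microsegment(text):
    """Parse one or more 'display microsegment <id>' outputs into records.

    Returns a list of dicts {"id": int, "name": str, "ipv4": [...], "ipv6": [...]}.
    Prompt lines and blank lines are skipped; each 'Microsegment ID' line
    starts a new record. The summary form (display microsegment with no ID)
    has a different layout and is rejected.
    """
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):
            continue
        field = _FIELD.match(line)
        if field:
            key, value = field.groups()
            if key == "ID":
                current = {"id": int(value), "name": "", "ipv4": [], "ipv6": []}
                records.append(current)
                section = None
            else:
                current["name"] = value
            continue
        if line in ("IPv4 member:", "IPv6 member:"):
            section = line[:4].lower()        # "ipv4" or "ipv6"
            continue
        if current is None or section is None:
            raise ValueError(f"unexpected line: {raw!r}")
        # ip_network() validates the prefix and rejects anything malformed.
        current[section].append(str(ipaddress.ip_network(line)))
    return records


def broad_members(records, min_ipv4_len=16, min_ipv6_len=48):
    """Flag members that cover more address space than a segment should.

    The thresholds are assumptions for this example; choose them for your
    network. A default-route member is always flagged, because it covers
    every address whose lookup falls through to the default route.
    """
    findings = []
    for rec in records:
        for family, floor in (("ipv4", min_ipv4_len), ("ipv6", min_ipv6_len)):
            for prefix in rec[family]:
                net = ipaddress.ip_network(prefix)
                if net.prefixlen == 0:
                    findings.append((rec["id"], prefix, "default route member"))
                elif net.prefixlen < floor:
                    findings.append((rec["id"], prefix, f"shorter than /{floor}"))
    return findings


if __name__ == "__main__":
    recs = parse_display_microsegment(SAMPLE_OUTPUT)
    for rec in recs:
        print(rec)
    for seg_id, prefix, why in broad_members(recs):
        print(f"microsegment {seg_id}: {prefix} ({why})")
```

Feed the function the concatenated output of display microsegment for each ID you care about; the summary output (no ID) lists only member counts and is not parsed here.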

extcommunity-type microsegment-id

Use extcommunity-type microsegment-id to set the microsegment extended community attribute.

Use undo extcommunity-type microsegment-id to restore the default.

NOTE: This command is supported only in Release 6635 and later.

Syntax

extcommunity-type microsegment-id microsegment-type-value

undo extcommunity-type microsegment-id

Default

The microsegment extended community value is 83ff (hexadecimal).

Views

BGP instance view

Predefined user roles

network-admin

Parameters

microsegment-type-value: Specifies the microsegment extended community value in the range of 0 to ffff (hexadecimal).

Usage guidelines

BGP carries microsegment IDs in an extended community attribute and uses that attribute to advertise microsegment settings to peers.

If the default extended community type value conflicts with another attribute in your network, execute this command to change it.

Examples

# In BGP instance view, set the microsegment extended community value to 0x5688.

<Sysname> system-view

[Sysname] bgp 200

[Sysname-bgp-default] extcommunity-type microsegment-id 5688

member

Use member to add a member to a microsegment.

Use undo member to remove a member from a microsegment.

Syntax

member { ipv4 ipv4-address { mask | mask-length } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]

undo member { ipv4 ipv4-address { mask | mask-length } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]

Default

A microsegment does not contain members.

Views

Microsegment view

Predefined user roles

network-admin

Parameters

ipv4 ipv4-address { mask | mask-length }: Specifies a range of IPv4 addresses. The mask argument specifies a subnet mask. The mask-length argument specifies a subnet mask length in the range of 0 to 32. The endpoints that use the IPv4 addresses are added to the microsegment.

ipv6 ipv6-address prefix-length: Specifies a range of IPv6 addresses. The prefix-length argument specifies a prefix length in the range of 0 to 128. The endpoints that use the IPv6 addresses are added to the microsegment.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command adds IP addresses in the public network to the microsegment.

Usage guidelines

A member can belong to multiple microsegments.

You can execute this command multiple times to add multiple IP address ranges to a microsegment.

Examples

# Add IPv4 address 192.168.56.3 to microsegment 1 as a member.

<Sysname> system-view

[Sysname] microsegment 1

[Sysname-microsegment-1] member ipv4 192.168.56.3 32

Related commands

display microsegment

microsegment

Use microsegment to create a microsegment and enter its view, or enter the view of an existing microsegment.

Use undo microsegment to delete a microsegment.

Syntax

microsegment microsegment-id [ name microsegment-name ]

undo microsegment microsegment-id

Default

No microsegments exist.

Views

System view

Predefined user roles

network-admin

Parameters

microsegment-id: Specifies a microsegment ID in the range of 1 to 65535.

name microsegment-name: Specifies a microsegment name, a case-insensitive string of 1 to 32 characters. The microsegment name must be globally unique. If you do not specify a microsegment name, this command creates the microsegment without a name.

Usage guidelines

To modify the name of an existing microsegment, you must delete the microsegment and then re-create it with a new name.

Examples

# Create microsegment 1 with name micseg1 and enter its view.

<Sysname> system-view

[Sysname] microsegment 1 name micseg1

[Sysname-microsegment-1]

Related commands

member

microsegment enable

Use microsegment enable to enable microsegmentation.

Use undo microsegment enable to disable microsegmentation.

Syntax

microsegment enable

undo microsegment enable

Default

Microsegmentation is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

In Release 6635 and later, uRPF is automatically enabled when microsegmentation is enabled, and you cannot configure uRPF at the CLI afterwards. After microsegmentation is enabled, the route table capacity is halved.

In Release 6616 and Release 6616P01, to use a QoS policy, routing policy, or packet filter to match packets by microsegment, you must first enable uRPF. After uRPF is enabled, the route table capacity is halved.

After you enable microsegmentation, member IP addresses and microsegment IDs are sent to the FIB. When you disable microsegmentation, the information is deleted from the FIB. The device forwards or drops an incoming packet according to the microsegment IDs of its source and destination IP addresses and the ACL and GBP configurations.

Examples

# Enable microsegmentation.

<Sysname> system-view

[Sysname] microsegment enable

Related commands

display microsegment

member

microsegment

microsegment subnet-match

Use microsegment subnet-match to configure the network address match method for microsegments.

Use undo microsegment subnet-match to restore the default.

NOTE: This command is supported only in Release 6635 and later.

Syntax

microsegment subnet-match longest

undo microsegment subnet-match

Default

Exact match is used for network addresses.

Views

System view

Predefined user roles

network-admin

Parameters

longest: Specifies longest match.

Usage guidelines

The device determines the segment membership of packets by matching the source and destination IP addresses of packets. The following match methods are available:

·     Exact match—The mask lengths of the source and destination IP addresses must be equal to those of members in microsegments. For example, a packet sourced from 10.10.10.1/24 matches member 10.10.10.0/24 instead of 10.10.10.0/23.

·     Longest match—The mask lengths of the source and destination IP addresses can be greater than or equal to those of members in microsegments. For example, a packet sourced from 10.10.10.1/24 matches member 10.10.10.0/16.

The device uses different match methods for different member types of microsegments:

·     Host addresses (IPv4 addresses with a 32-bit mask and IPv6 addresses with a 128-bit prefix) use the longest match method, which cannot be modified.

·     The default route (0.0.0.0/0 or 0::0/0) uses the exact match method, which cannot be modified.

·     Network addresses (IPv4 addresses with a 1-bit to 31-bit mask and IPv6 addresses with a 1-bit to 127-bit prefix) use the exact match method by default. You can configure the longest match method for this member type.

The longest match method helps you simplify configuration when you need to add a large number of network addresses to a microsegment. For example, to match network addresses 10.10.10.0/24, 10.10.20.0/24, and 10.10.30.0/24 to microsegment 1, you need to execute only the member ipv4 10.10.0.0 16 command if you use longest match.
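The membership rules above, as an added Python model (this is not H3C code and does not run on the switch): it resolves an address to the microsegment IDs it matches under exact and longest match, applying the fixed methods for host members and the default-route member. The page does not say how the device derives the mask length it compares for a packet's address (matching is done in the FIB, so it is presumably the length of the route the address resolves to), so the function takes that length as an explicit input. The member table and the addresses are constructed for the example, and because the page does not state how overlapping members in different microsegments are prioritized, the function returns every matching ID.

```python
import ipaddress

# Constructed sample member table, not a switch's running config:
# (member prefix, microsegment ID). The page allows one member to belong to
# several microsegments, so the same prefix may map to more than one ID.
SAMPLE_MEMBERS = [
    ("10.10.0.0/16", 1),
    ("10.10.10.0/24", 2),
    ("10.10.10.1/32", 3),   # host member: always longest match
    ("0.0.0.0/0", 9),       # default-route member: always exact match
    ("10:10::/64", 5),
]


def member_match_method(member, subnet_match):
    """Match method the device applies to one member, per the page's rules.

    subnet_match is the global setting: "exact" (the default) or "longest"
    (after 'microsegment subnet-match longest'). It affects network
    addresses only; host addresses and the default route are fixed.
    """
    if member.prefixlen == member.max_prefixlen:   # /32 or /128
        return "longest"
    if member.prefixlen == 0:                      # 0.0.0.0/0 or ::/0
        return "exact"
    if subnet_match not in ("exact", "longest"):
        raise ValueError(f"unknown subnet-match setting: {subnet_match}")
    return subnet_match


def address_matches(member, addr, addr_prefixlen, subnet_match):
    """True if an address with the given mask length matches the member.

    Exact match: the address lies in the member prefix and its mask length
    equals the member's. Longest match: the mask length may be greater than
    or equal to the member's.
    """
    if addr.version != member.version or addr not in member:
        return False
    if member_match_method(member, subnet_match) == "exact":
        return addr_prefixlen == member.prefixlen
    return addr_prefixlen >= member.prefixlen


def classify(address, address_prefixlen, members=SAMPLE_MEMBERS, subnet_match="exact"):
    """Return the set of microsegment IDs the address belongs to.

    address_prefixlen is the mask length the device associates with the
    address (assumed here to be the length of the route it resolves to; the
    page does not spell this out). Overlapping members may place the address
    in several microsegments; all of them are returned.
    """
    addr = ipaddress.ip_address(address)
    if not 0 <= address_prefixlen <= addr.max_prefixlen:
        raise ValueError(f"prefix length {address_prefixlen} is invalid for {address}")
    return {
        seg_id
        for prefix, seg_id in members
        if address_matches(ipaddress.ip_network(prefix), addr, address_prefixlen, subnet_match)
    }


if __name__ == "__main__":
    # Walk the page's examples and the edge cases under both settings.
    for mode in ("exact", "longest"):
        print(f"subnet-match {mode}:")
        for addr, plen in [("10.10.10.1", 24), ("10.10.10.1", 23), ("10.10.10.1", 32),
                           ("10.10.30.7", 24), ("10.10.10.1", 0), ("10:10::1", 64)]:
            print(f"  {addr}/{plen} -> {sorted(classify(addr, plen, subnet_match=mode))}")
```

Note the two cases that the global setting never changes: a /32 or /128 member only matches an address carrying a full-length mask, and the default-route member only matches an address whose mask length is 0, whichever setting is active.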

Examples

# Configure the network address match method as longest match.

<Sysname> system-view

[Sysname] microsegment subnet-match longest

Related commands

display microsegment

member

 
