IP-SGT mapping commands
display ipsgt map
Use display ipsgt map to display IP-SGT mapping entries deployed by the EIA server.
Syntax
display ipsgt map [ critical ] [ ip [ ipv4-address ] | ipv6 [ ipv6-address ] ] [ microsegment microsegment-id ] [ vpn-instance vpn-instance-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
critical: Displays fail-permit IP-SGT mapping entries.
ip [ ipv4-address ]: Specifies an IPv4 address. If you do not specify this option, this command displays all IPv4 IP-SGT mapping entries.
ipv6 [ ipv6-address ]: Specifies an IPv6 address. If you do not specify this option, this command displays all IPv6 IP-SGT mapping entries.
microsegment microsegment-id: Specifies a microsegment ID in the range of 1 to 65535.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string in the range of 1 to 31 characters. If you do not specify this option, this command displays IP-SGT mapping entries in the public network.
Usage guidelines
If you do not specify any keyword or parameter, this command displays all IP-SGT mapping entries.
Examples
# Display all IP-SGT entries.
<Sysname> display ipsgt map
Total IPv4 IP-SGT entries: 1
Microsegment ID: 1
IPv4 address VPN-instance
1.1.1.1 N/A
Total IPv6 IP-SGT entries: 1
Microsegment ID: 2
IPv6 address VPN-instance
11::5 N/A
# Display all fail-permit IP-SGT mapping entries.
<Sysname> display ipsgt map critical
Total IPv4 critical IP-SGT entries: 1
Microsegment ID: 1
IPv4 address VPN instance
1.1.1.1 N/A
Total IPv6 critical IP-SGT entries: 1
Microsegment ID: 2
IPv6 address VPN instance
11::5 N/A
Table 1 Command output

| Field | Description |
|---|---|
| Total IPv4 IP-SGT entries | Total number of IPv4 IP-SGT mapping entries. |
| Total IPv6 IP-SGT entries | Total number of IPv6 IP-SGT mapping entries. |
| Total IPv4 critical IP-SGT entries | Total number of IPv4 fail-permit IP-SGT mapping entries. |
| Total IPv6 critical IP-SGT entries | Total number of IPv6 fail-permit IP-SGT mapping entries. |
| VPN-instance | VPN instance name. This field displays N/A if the entry does not belong to any VPN. |

Related commands
ipsgt enable
ipsgt on-demand
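Added example (not part of the vendor documentation): a Python parser for the display ipsgt map output format shown above. It checks the parsed entry count against the Total header lines, so a truncated capture is rejected, and reports drift from an expected IP-to-microsegment inventory. The function names and the expected inventory are hypothetical, and the sample text is constructed from the example output above.

```python
import ipaddress
import re
# Constructed sample: the "display ipsgt map" example output shown above.
SAMPLE = """\
Total IPv4 IP-SGT entries: 1
Microsegment ID: 1
IPv4 address VPN-instance
1.1.1.1 N/A
Total IPv6 IP-SGT entries: 1
Microsegment ID: 2
IPv6 address VPN-instance
11::5 N/A
"""
TOTAL_RE = re.compile(r"^Total (IPv[46]) (?:critical )?IP-SGT entries:\s*(\d+)$")
SEGMENT_RE = re.compile(r"^Microsegment ID:\s*(\d+)$")
HEADER_RE = re.compile(r"^IPv[46] address\s+VPN[- ]instance$")

def parse_ipsgt_map(text):
    """Return {(ip, vpn): microsegment_id}; raise ValueError on bad or truncated output."""
    mapping, totals, segment = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("<") or HEADER_RE.match(line):
            continue  # blank line, CLI prompt, or column header
        if m := TOTAL_RE.match(line):
            totals[m.group(1)], segment = int(m.group(2)), None
        elif m := SEGMENT_RE.match(line):
            segment = int(m.group(1))
        elif segment is None:
            raise ValueError(f"entry before any Microsegment ID: {line!r}")
        else:
            addr, vpn = line.split(None, 1)
            ip = ipaddress.ip_address(addr)  # rejects anything that is not an IP
            mapping[(ip, None if vpn == "N/A" else vpn)] = segment
    for family, declared in totals.items():
        seen = sum(1 for ip, _ in mapping if f"IPv{ip.version}" == family)
        if seen != declared:
            raise ValueError(f"{family}: header says {declared}, parsed {seen}")
    return mapping

def audit(text, expected):
    """Compare device entries with an expected inventory (hypothetical); list drift."""
    findings = []
    for (ip, vpn), seg in parse_ipsgt_map(text).items():
        want = expected.get((ip, vpn))
        if want is None:
            findings.append(f"unexpected entry {ip} -> microsegment {seg}")
        elif want != seg:
            findings.append(f"{ip}: microsegment {seg}, expected {want}")
    return findings
```

Parse one command's output per call: the regular and critical forms use the same address families, so their Total lines would overwrite each other if concatenated.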
display ipsgt state
Use display ipsgt state to display the operating status of IP-SGT mapping.
Syntax
display ipsgt state
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display the operating status of IP-SGT mapping.
<Sysname> display ipsgt state
Global IP-SGT parameters:
IP-SGT: Enabled
Connection status with:
EIA server: Connected
IPv4 routing management: Connected
IPv6 routing management: Connected
IP-SGT URL:
http://1.1.1.1/ipsgtmgr/vim active
http://2.1.1.1/ipsgtmgr/vim inactive
Table 2 Command output

| Field | Description |
|---|---|
| IP-SGT | Enabling status: Enabled or Disabled. |
| Connection status with | Connection status. |
| EIA server | Connection status with the EIA cloud server: Connected or Disconnected. |
| IPv4 routing management | Connection status with the IPv4 routing management module: Connected or Disconnected. |
| IPv6 routing management | Connection status with the IPv6 routing management module: Connected or Disconnected. |
| IP-SGT URL | URL deployed by the EIA server for establishing an IP-SGT tunnel. Tunnel states include active and inactive. The two tunnels displayed in the information indicate the establishment of active and standby IP-SGT tunnels. The active and standby tunnels are not established simultaneously. The standby tunnel is used when the active tunnel fails and returns to backup state when the active tunnel becomes normal. |

Related commands
ipsgt enable
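Added example (not part of the vendor documentation): a Python health check over display ipsgt state output that lists every field deviating from the Enabled and Connected values in Table 2. Treating exactly one active tunnel as healthy is an assumption drawn from the IP-SGT URL description. The function names are hypothetical, and the sample is the example output above edited to a degraded state.

```python
import re

# Constructed sample: the example output above, edited so that the EIA server
# is disconnected and neither tunnel is active.
DEGRADED = """\
Global IP-SGT parameters:
IP-SGT: Enabled
Connection status with:
EIA server: Disconnected
IPv4 routing management: Connected
IPv6 routing management: Connected
IP-SGT URL:
http://1.1.1.1/ipsgtmgr/vim inactive
http://2.1.1.1/ipsgtmgr/vim inactive
"""
# Healthy value for each status field, as listed in Table 2.
FIELDS = {"IP-SGT": "Enabled", "EIA server": "Connected",
          "IPv4 routing management": "Connected",
          "IPv6 routing management": "Connected"}
URL_RE = re.compile(r"^(\S+://\S+)\s+(active|inactive)$")

def parse_state(text):
    """Return (status fields, [(url, tunnel_state), ...]) from display ipsgt state."""
    fields, tunnels = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := URL_RE.match(line):
            tunnels.append((m.group(1), m.group(2)))
        elif ":" in line and not line.endswith(":"):  # skip section headings
            name, value = line.split(":", 1)
            fields[name.strip()] = value.strip()
    return fields, tunnels

def check_state(text):
    """List every deviation from the healthy values; an empty list means healthy."""
    fields, tunnels = parse_state(text)
    findings = []
    for name, healthy in FIELDS.items():
        value = fields.get(name)
        if value != healthy:
            findings.append(f"{name}: {value or 'missing from output'}")
    active = [url for url, state in tunnels if state == "active"]
    if len(active) != 1:
        findings.append(f"expected exactly 1 active IP-SGT tunnel, found {len(active)}")
    return findings
```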
display ipsgt statistics
Use display ipsgt statistics to display IP-SGT mapping packet statistics.
Syntax
display ipsgt statistics
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Examples
# Display IP-SGT mapping packet statistics.
<Sysname> display ipsgt statistics
Messages received :
Add mapping: 1
Delete mapping: 1
Batch backup start: 0
Batch backup end: 0
Invalid: 0
Messages sent :
Add mapping: 1
Delete mapping: 1
Update mapping: 0
Add On-demand network: 1
Delete on-demand Network: 1
Batch backup start: 1
Batch backup mapping: 1
Batch backup end: 1
Table 3 Command output

| Field | Description |
|---|---|
| Messages received | Numbers of packets received from the EIA server. Available packet types include: Add mapping (add IP-SGT entry); Delete mapping (delete IP-SGT entry); Batch backup start (start backing up IP-SGT entries in batch); Batch backup end (end backing up IP-SGT entries in batch); Invalid (discover invalid entries). |
| Messages sent | Numbers of packets sent to the routing management module. Available packet types include: Add mapping (add IP-SGT entries); Delete mapping (delete IP-SGT entries); Update mapping (update IP-SGT entries); Add On-demand network (add on-demand mapping subnets); Delete on-demand network (delete on-demand mapping subnets); Batch backup start (start backing up IP-SGT entries in batch); Batch backup mapping (back up IP-SGT entries in batch); Batch backup end (finish backing up IP-SGT entries in batch). |

Related commands
reset ipsgt statistics
ipsgt enable
Use ipsgt enable to enable IP-SGT mapping.
Use undo ipsgt enable to disable IP-SGT mapping.
Syntax
ipsgt enable
undo ipsgt enable
Default
IP-SGT mapping is disabled.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
By default, only the authenticator can receive access policies deployed by the server and control user access based on the policies.
This feature enables a device to act as an executor that receives the IP address-microsegment ID mapping entries sent by the EIA server. When forwarding a packet, the executor identifies the source or destination IP address of the packet, obtains the corresponding microsegment ID, and then processes the packet based on the group policy specified by the microsegment ID. For more information about microsegmentation and group policies, see Security Configuration Guide.
Examples
# Enable IP-SGT mapping.
<Sysname> system-view
[Sysname] ipsgt enable
Related commands
display ipsgt
reset ipsgt statistics
Use reset ipsgt statistics to clear IP-SGT mapping packet statistics.
Syntax
reset ipsgt statistics
Views
User view
Predefined user roles
network-admin
context-admin
Examples
# Clear IP-SGT mapping packet statistics.
<Sysname> reset ipsgt statistics
Related commands
display ipsgt statistics
snmp-agent trap enable ipsgt
Use snmp-agent trap enable ipsgt to enable SNMP notifications for IP-SGT mapping.
Use undo snmp-agent trap enable ipsgt to restore the default.
Syntax
snmp-agent trap enable ipsgt
undo snmp-agent trap enable ipsgt
Default
SNMP notifications are disabled for IP-SGT mapping.
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
To report critical IP-SGT events (such as connection or disconnection between the executor and the EIA server) to an NMS, enable SNMP notifications for IP-SGT mapping. For IP-SGT event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.
Examples
# Enable SNMP notifications for IP-SGT mapping.
<Sysname> system-view
[Sysname] snmp-agent trap enable ipsgt
