09-Security Command Reference


Microsegmentation commands

display microsegment

Use display microsegment to display the configuration and status of microsegments.

Syntax

display microsegment [ microsegment-id | name microsegment-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

microsegment-id: Specifies a microsegment by its ID in the range of 1 to 65535.

name microsegment-name: Specifies a microsegment by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify any parameters, this command displays summary information and status information about all microsegments.

Examples

# Display the configuration of microsegment 1.

<Sysname> display microsegment 1

Microsegment ID    : 1

Microsegment name  : micseg1

  IPv4 member:

    192.168.56.0/24

  IPv6 member:

    10:10::/64

# Display summary information and status information about all microsegments.

<Sysname> display microsegment

Microsegment status: Enabled

Total microsegments: 2

Microsegment list  :

  Microsegment ID  Members  Microsegment name

  12345            3        abc

  32789            5        xyz

display microsegment aggregation

Use display microsegment aggregation to display aggregate microsegment configuration.

Syntax

display microsegment aggregation [ aggregation-id | name aggregation-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

aggregation-id: Specifies an aggregate microsegment by its ID in the range of 1 to 65535.

name aggregation-name: Specifies an aggregate microsegment by its name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

If you do not specify any parameters, this command displays the configuration of all aggregate microsegments. If you specify an aggregate microsegment, this command displays the configuration of the specified aggregate microsegment.

Examples

# Display the configuration of aggregate microsegment 16.

<Sysname> display microsegment aggregation 16

Aggregation ID     Range        Aggregation name

16                 16-19        agg16

# Display the configuration of aggregate microsegments.

<Sysname> display microsegment aggregation

Aggregation ID     Range        Aggregation name

16                 16-19        agg16

32                 32-35

Table 1 Command output

Field              Description

Aggregation ID     Aggregate microsegment ID.

Range              Member microsegment ID range.

Aggregation name   Aggregate microsegment name.

Related commands

microsegment aggregation

member

Use member to add a member to a microsegment.

Use undo member to remove a member from a microsegment.

Syntax

member { ipv4 ipv4-address { mask | mask-length } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]

undo member { ipv4 ipv4-address { mask | mask-length } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]

Default

A microsegment does not contain members.

Views

Microsegment view

Predefined user roles

network-admin

Parameters

ipv4 ipv4-address { mask | mask-length }: Specifies a range of IPv4 addresses. The mask argument specifies a subnet mask. The mask-length argument specifies a subnet mask length in the range of 0 to 32. The endpoints that use the IPv4 addresses are added to the microsegment.

ipv6 ipv6-address prefix-length: Specifies a range of IPv6 addresses. The prefix-length argument specifies a prefix length in the range of 0 to 128. The endpoints that use the IPv6 addresses are added to the microsegment.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command adds IP addresses in the public network to the microsegment.

 

Usage guidelines

A member can belong to multiple microsegments.

You can execute this command multiple times to add multiple IP addresses or IP address ranges to a microsegment.

Examples

# Add IPv4 address 192.168.56.3 to microsegment 1 as a member.

<Sysname> system-view

[Sysname] microsegment 1

[Sysname-microsegment-1] member ipv4 192.168.56.3 32

Related commands

display microsegment

microsegment
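Because a member can belong to multiple microsegments, a membership review benefits from knowing which address ranges are shared between groups. The following is an added example, not part of the H3C reference: it parses output in the display microsegment format shown on this page and lists members that overlap across microsegments. The function names and the sample text are constructed for illustration, and only public-network members are assumed (the page does not show how a VPN instance appears in the output).

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: `display microsegment <id>` output for two microsegments,
# concatenated. Field layout follows the example on this page.
SAMPLE = """\
Microsegment ID    : 1
Microsegment name  : micseg1
  IPv4 member:
    192.168.56.0/24
  IPv6 member:
    10:10::/64
Microsegment ID    : 2
Microsegment name  : micseg2
  IPv4 member:
    192.168.56.3/32
    10.1.0.0/16
"""


def parse_members(text):
    """Map each microsegment ID to its list of member networks."""
    segments, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Microsegment ID\s*:\s*(\d+)", line)
        if m:
            current = segments.setdefault(int(m.group(1)), [])
            continue
        token = line.strip()
        # Assumption: a member line is a bare prefix such as 192.168.56.0/24.
        if current is not None and "/" in token:
            current.append(ipaddress.ip_network(token, strict=False))
    return segments


def shared_members(segments):
    """List (id_a, net_a, id_b, net_b) for members that overlap across microsegments."""
    hits = []
    for (a, nets_a), (b, nets_b) in combinations(sorted(segments.items()), 2):
        for na in nets_a:
            for nb in nets_b:
                if na.version == nb.version and na.overlaps(nb):
                    hits.append((a, str(na), b, str(nb)))
    return hits
```

For the constructed sample, host 192.168.56.3 is reported as a member of both microsegment 1 and microsegment 2.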

microsegment

Use microsegment to create a microsegment and enter its view, or enter the view of an existing microsegment.

Use undo microsegment to delete a microsegment.

Syntax

microsegment microsegment-id [ name microsegment-name ]

undo microsegment microsegment-id

Default

No microsegments exist.

Views

System view

Predefined user roles

network-admin

Parameters

microsegment-id: Specifies a microsegment ID in the range of 1 to 65535.

name microsegment-name: Specifies a microsegment name, a case-insensitive string of 1 to 32 characters. The microsegment name must be globally unique. If you do not specify a microsegment name, this command creates the microsegment without a name.

 

Usage guidelines

To modify the name of an existing microsegment, you must delete the microsegment and then re-create it with a new name.

Examples

# Create microsegment 1 with name micseg1 and enter its view.

<Sysname> system-view

[Sysname] microsegment 1 name micseg1

[Sysname-microsegment-1]

Related commands

member

microsegment aggregation

Use microsegment aggregation to create an aggregate microsegment and enter its view, or enter the view of an existing aggregate microsegment.

Use undo microsegment aggregation to delete an aggregate microsegment.

Syntax

microsegment aggregation aggregation-id mask-length mask-length [ name aggregation-name ]

undo microsegment aggregation aggregation-id

Default

No aggregate microsegments exist.

Views

System view

Predefined user roles

network-admin

Parameters

aggregation-id: Specifies an aggregate microsegment ID in the range of 1 to 65535. The ID must be an even number.

mask-length mask-length: Specifies a mask length for the aggregate microsegment ID in the range of 1 to the number of contiguous low-order 0s of the binary number converted from the aggregate microsegment ID.

name aggregation-name: Specifies an aggregate microsegment name, a case-insensitive string of 1 to 32 characters. The name must be globally unique. If you do not specify a name, this command creates the aggregate microsegment without a name.

 

Usage guidelines

An aggregate microsegment is a group of microsegments with contiguous IDs. The ID of the aggregate microsegment is the start microsegment ID. You can use a mask to specify the microsegments for an aggregate microsegment. The GBP used by an aggregate microsegment has higher priority than that used by a member microsegment.

Suppose microsegments 12 and 14 can communicate with each other and microsegments 13 and 14 can also communicate with each other. Combine microsegments 12 and 13 into aggregate microsegment 12 and use a GBP to prevent aggregate microsegment 12 from communicating with microsegment 14. The result is that microsegments 12 and 13 cannot communicate with microsegment 14.

The number of member microsegments of an aggregate microsegment is determined by the mask-length argument. For example, if the mask-length argument is 3, the number of member microsegments is 2^3=8. If you want to aggregate microsegments 6 and 7, the aggregation-id argument must be 6 and the mask-length argument must be 1 (6 corresponds to binary 110, and the number of contiguous 0s is 1).

To modify the name of an existing aggregate microsegment, you must delete the aggregate microsegment and then re-create it with a new name.

Examples

# Create aggregate microsegment 16 with name agg16 with mask length 3.

<Sysname> system-view

[Sysname] microsegment aggregation 16 mask-length 3 name agg16
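The mask-length rule in the usage guidelines above can be checked before a GBP is bound to an aggregate. The following is an added example, not part of the H3C reference: it validates an aggregation-id and mask-length pair, computes the member ID range, and reports which extra microsegment IDs fall into the smallest aggregate that covers a requested set. All function names are hypothetical.

```python
"""Added example: mask-length arithmetic for `microsegment aggregation`."""

MAX_ID = 65535  # upper bound of the ID range given on this page


def max_mask_length(aggregation_id: int) -> int:
    """Number of contiguous low-order 0 bits in the ID (6 = 0b110 gives 1)."""
    if not 1 <= aggregation_id <= MAX_ID:
        raise ValueError("aggregation-id must be in the range 1 to 65535")
    return (aggregation_id & -aggregation_id).bit_length() - 1


def member_range(aggregation_id: int, mask_length: int) -> tuple[int, int]:
    """First and last member microsegment ID of an aggregate."""
    limit = max_mask_length(aggregation_id)
    if limit == 0:
        raise ValueError("aggregation-id must be an even number")
    if not 1 <= mask_length <= limit:
        raise ValueError(f"mask-length must be in the range 1 to {limit}")
    # 2^mask-length members, starting at the aggregate ID itself.
    return aggregation_id, aggregation_id + 2 ** mask_length - 1


def smallest_aggregate(ids: list[int]) -> tuple[int, int]:
    """Smallest (aggregation-id, mask-length) whose range covers every ID."""
    lo, hi = min(ids), max(ids)
    # Bits in which lo and hi differ must all be covered by the mask.
    mask_length = max(1, (lo ^ hi).bit_length())
    start = lo >> mask_length << mask_length
    member_range(start, mask_length)  # raises if no valid aggregate exists
    return start, mask_length


def unintended_members(ids: list[int]) -> list[int]:
    """IDs the covering aggregate pulls in beyond the ones requested."""
    wanted = set(ids)
    first, last = member_range(*smallest_aggregate(ids))
    return [i for i in range(first, last + 1) if i not in wanted]
```

Aggregating microsegments 13 and 14 requires aggregate 12 with mask length 2, so a GBP bound to that aggregate also applies to microsegments 12 and 15.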

microsegment enable

Use microsegment enable to enable microsegmentation.

Use undo microsegment enable to disable microsegmentation.

Syntax

microsegment enable

undo microsegment enable

Default

Microsegmentation is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you enable microsegmentation, member IP addresses and microsegment IDs are sent to the FIB. When you disable microsegmentation, the information is deleted from the FIB. The device forwards or drops an incoming packet according to the microsegment IDs of its source and destination IP addresses and the ACL and GBP configurations.

In an EVPN network, the synchronized microsegment settings directly take effect on the remote end and are not subject to this command.

 

Examples

# Enable microsegmentation.

<Sysname> system-view

[Sysname] microsegment enable

Related commands

display microsegment

member

microsegment
