09-Security Command Reference
Microsegmentation commands
display microsegment
Use display microsegment to display the configuration and status of microsegments.
Syntax
display microsegment [ microsegment-id | name microsegment-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
microsegment-id: Specifies a microsegment by its ID in the range of 1 to 65535.
name microsegment-name: Specifies a microsegment by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
If you do not specify any parameters, this command displays summary information and status information about all microsegments.
Examples
# Display the configuration of microsegment 1.
<Sysname> display microsegment 1
Microsegment ID : 1
Microsegment name : micseg1
IPv4 member:
192.168.56.0/24
IPv6 member:
10:10::/64
# Display summary information and status information about all microsegments.
<Sysname> display microsegment
Microsegment status : Enabled
Subnet matching method: Longest
Total microsegments : 2
Microsegment list :
Microsegment ID Members Microsegment name
12345 3 abc
32789 5 xyz
Table 1 Command output

Field | Description |
---|---|
Subnet matching method | Network address match method for microsegments, exact match (the default) or longest match, as set with the microsegment subnet-match command. |
display microsegment aggregation
Use display microsegment aggregation to display aggregate microsegment configuration.
Syntax
display microsegment aggregation [ aggregation-id | name aggregation-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
aggregation-id: Specifies an aggregate microsegment by its ID in the range of 1 to 65535.
name aggregation-name: Specifies an aggregate microsegment by its name, a case-insensitive string of 1 to 32 characters.
Usage guidelines
If you do not specify any parameters, this command displays the configuration of all aggregate microsegments. If you specify an aggregate microsegment, this command displays the configuration of the specified microsegment.
Examples
# Display the configuration of aggregate microsegment 16.
<Sysname> display microsegment aggregation 16
Aggregation ID Range Aggregation name
16 16-19 agg16
# Display the configuration of aggregate microsegments.
<Sysname> display microsegment aggregation
Aggregation ID Range Aggregation name
16 16-19 agg16
32 32-35
Table 2 Command output

Field | Description |
---|---|
Aggregation ID | Aggregate microsegment ID. |
Range | Member microsegment ID range. |
Aggregation name | Aggregate microsegment name. |
Related commands
microsegment aggregation
extcommunity-type microsegment-id
Use extcommunity-type microsegment-id to set the microsegment extended community attribute.
Use undo extcommunity-type microsegment-id to restore the default.
Syntax
extcommunity-type microsegment-id microsegment-type-value
undo extcommunity-type microsegment-id
Default
The microsegment extended community value is 83ff (hexadecimal).
Views
BGP instance view
Predefined user roles
network-admin
Parameters
microsegment-type-value: Specifies the microsegment extended community value in the range of 0 to ffff (hexadecimal).
Usage guidelines
BGP carries microsegment IDs in an extended community attribute and advertises microsegment settings to a peer through the extended community attribute.
To avoid attribute conflicts, you can execute this command to modify the microsegment extended community attribute value.
Examples
# In BGP instance view, set the microsegment extended community value to 0x5688.
<Sysname> system-view
[Sysname] bgp 200
[Sysname-bgp-default] extcommunity-type microsegment-id 5688
member
Use member to add a member to a microsegment.
Use undo member to remove a member from a microsegment.
Syntax
member { ipv4 ipv4-address { mask | mask-length } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]
undo member { ipv4 ipv4-address { mask | mask-length } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]
Default
A microsegment does not contain members.
Views
Microsegment view
Predefined user roles
network-admin
Parameters
ipv4 ipv4-address { mask | mask-length }: Specifies a range of IPv4 addresses. The mask argument specifies a subnet mask. The mask-length argument specifies a subnet mask length in the range of 0 to 32. The endpoints that use the IPv4 addresses are added to the microsegment.
ipv6 ipv6-address prefix-length: Specifies a range of IPv6 addresses. The prefix-length argument specifies a prefix length in the range of 0 to 128. The endpoints that use the IPv6 addresses are added to the microsegment.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command adds IP addresses in the public network to the microsegment.
Usage guidelines
A member can belong to multiple microsegments.
You can execute this command multiple times to add multiple IP addresses or IP address ranges to a microsegment.
Examples
# Add IPv4 address 192.168.56.3 to microsegment 1 as a member.
<Sysname> system-view
[Sysname] microsegment 1
[Sysname-microsegment-1] member ipv4 192.168.56.3 32
Related commands
display microsegment
microsegment
microsegment
Use microsegment to create a microsegment and enter its view, or enter the view of an existing microsegment.
Use undo microsegment to delete a microsegment.
Syntax
microsegment microsegment-id [ name microsegment-name ]
undo microsegment microsegment-id
Default
No microsegments exist.
Views
System view
Predefined user roles
network-admin
Parameters
microsegment-id: Specifies a microsegment ID in the range of 1 to 65535.
name microsegment-name: Specifies a microsegment name, a case-insensitive string of 1 to 32 characters. The microsegment name must be globally unique. If you do not specify a microsegment name, this command creates the microsegment without a name.
Usage guidelines
To modify the name of an existing microsegment, you must delete the microsegment and then re-create it with a new name.
If free memory drops to an alarm threshold, you cannot create a microsegment or enter the view of an existing microsegment. Existing microsegments continue to work.
Examples
# Create microsegment 1 with name micseg1 and enter its view.
<Sysname> system-view
[Sysname] microsegment 1 name micseg1
[Sysname-microsegment-1]
Related commands
member
microsegment aggregation
Use microsegment aggregation to create an aggregate microsegment and enter its view, or enter the view of an existing aggregate microsegment.
Use undo microsegment aggregation to delete an aggregate microsegment.
Syntax
microsegment aggregation aggregation-id mask-length mask-length [ name aggregation-name ]
undo microsegment aggregation aggregation-id
Default
No aggregate microsegments exist.
Views
System view
Predefined user roles
network-admin
Parameters
aggregation-id: Specifies an aggregate microsegment ID in the range of 1 to 65535. The ID must be an even number.
mask-length mask-length: Specifies a mask length for the aggregate microsegment ID. The value is in the range of 1 to the number of trailing 0s in the binary form of the aggregate microsegment ID, and cannot exceed 9.
name aggregation-name: Specifies a microsegment name, a case-insensitive string of 1 to 32 characters. The microsegment name must be globally unique. If you do not specify a microsegment name, this command creates the aggregate microsegment without a name.
Usage guidelines
An aggregate microsegment is a group of microsegments with contiguous IDs. The ID of the aggregate microsegment is the start microsegment ID, and the mask length selects the microsegments that belong to it. The GBP applied to an aggregate microsegment takes precedence over the GBP applied to a member microsegment. For example, suppose microsegments 12 and 14 can communicate with each other, and microsegments 13 and 14 can also communicate with each other. If you combine microsegments 12 and 13 into aggregate microsegment 12 and use a GBP to prevent aggregate microsegment 12 from communicating with microsegment 14, microsegments 12 and 13 can no longer communicate with microsegment 14.
The number of member microsegments of an aggregate microsegment is 2 to the power of the mask-length argument. For example, if the mask-length argument is 3, the aggregate microsegment has 2^3=8 members. To aggregate microsegments 6 and 7, set the aggregation-id argument to 6 and the mask-length argument to 1 (6 is 110 in binary, which has one trailing 0).
To modify the name of an existing aggregate microsegment, you must delete the microsegment and then re-create it with a new name.
Examples
# Create aggregate microsegment 16 with mask length 3 and name agg16.
<Sysname> system-view
[Sysname] microsegment aggregation 16 mask-length 3 name agg16
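The rules above (even aggregation ID, mask length bounded by the trailing zero bits of the ID and by 9, 2^mask-length contiguous members, aggregate GBP overriding member GBP) are easy to get wrong when planning IDs by hand. The following Python is an added example written for this page, not vendor code and not the device's actual algorithm: it validates an aggregation-id/mask-length pair, lists the member IDs, formats the range the way display microsegment aggregation prints it, and models the GBP precedence with the 12/13/14 scenario. The rule dictionaries, the resolve_gbp function and its "deny" default when no rule exists are assumptions of the model.

```python
MAX_MICROSEGMENT_ID = 65535   # ID range stated in the reference
MAX_MASK_LENGTH = 9           # upper bound stated for mask-length


def max_mask_length(aggregation_id):
    """Largest legal mask-length for an aggregation ID: the number of
    trailing zero bits in its binary form, capped at 9.
    6 is 110 in binary -> 1; 16 is 10000 -> 4; 1024 -> capped to 9."""
    if aggregation_id <= 0:
        return 0
    trailing_zeros = (aggregation_id & -aggregation_id).bit_length() - 1
    return min(trailing_zeros, MAX_MASK_LENGTH)


def aggregate_members(aggregation_id, mask_length):
    """Member microsegment IDs covered by
    'microsegment aggregation <id> mask-length <m>', after checking the
    arguments against the rules in the reference."""
    if not 1 <= aggregation_id <= MAX_MICROSEGMENT_ID:
        raise ValueError("aggregation-id must be in 1..65535")
    if aggregation_id % 2:
        raise ValueError("aggregation-id must be an even number")
    limit = max_mask_length(aggregation_id)
    if not 1 <= mask_length <= limit:
        raise ValueError(f"mask-length must be in 1..{limit} for ID {aggregation_id}")
    # 2^mask-length contiguous IDs starting at the aggregation ID
    return list(range(aggregation_id, aggregation_id + 2 ** mask_length))


def member_range(aggregation_id, mask_length):
    """Format the members as the 'Range' column of display microsegment aggregation."""
    members = aggregate_members(aggregation_id, mask_length)
    return f"{members[0]}-{members[-1]}"


def resolve_gbp(src, dst, member_rules, aggregate_rules, aggregates):
    """Simplified model (an assumption, not the device's implementation) of the
    precedence described in the reference: a GBP between an aggregate
    microsegment and another microsegment overrides the GBP between that
    aggregate's members and the other microsegment.
    member_rules and aggregate_rules map frozenset({a, b}) -> 'permit' | 'deny';
    aggregates maps aggregation_id -> mask_length."""
    for agg_id, mask_length in aggregates.items():
        members = set(aggregate_members(agg_id, mask_length))
        for inside, other in ((src, dst), (dst, src)):
            key = frozenset({agg_id, other})
            if inside in members and key in aggregate_rules:
                return aggregate_rules[key]
    # Fall back to the member-level rule; 'deny' default is a model assumption
    return member_rules.get(frozenset({src, dst}), "deny")


if __name__ == "__main__":
    print("agg 16 mask 3 ->", member_range(16, 3))
    print("agg 6 mask 1  ->", aggregate_members(6, 1))
    member_rules = {frozenset({12, 14}): "permit", frozenset({13, 14}): "permit"}
    aggregate_rules = {frozenset({12, 14}): "deny"}   # aggregate 12 may not reach 14
    for seg in (12, 13):
        print(f"{seg} -> 14:", resolve_gbp(seg, 14, member_rules, aggregate_rules, {12: 1}))
```

Run it once before committing an ID plan: a mask length that exceeds the trailing zeros of the ID (for example 6 with mask length 2) is rejected, which is exactly the case the device would refuse.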
microsegment enable
Use microsegment enable to enable microsegmentation.
Use undo microsegment enable to disable microsegmentation.
Syntax
microsegment enable
undo microsegment enable
Default
Microsegmentation is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
After you enable microsegmentation, member IP addresses and microsegment IDs are sent to the FIB. When you disable microsegmentation, the information is deleted from the FIB. The device forwards or drops an incoming packet according to the microsegment IDs of its source and destination IP addresses and the ACL and GBP configurations.
In an EVPN network, the synchronized microsegment settings directly take effect on the remote end and are not subject to this command.
Examples
# Enable microsegmentation.
<Sysname> system-view
[Sysname] microsegment enable
Related commands
display microsegment
member
microsegment
microsegment subnet-match
Use microsegment subnet-match to configure the network address match method for microsegments.
Use undo microsegment subnet-match to restore the default.
Syntax
microsegment subnet-match longest
undo microsegment subnet-match
Default
Exact match is used for network addresses.
Views
System view
Predefined user roles
network-admin
Parameters
longest: Specifies longest match.
Usage guidelines
The device determines the segment membership of packets by matching the source and destination IP addresses of packets. The following match methods are available:
· Exact match—The mask lengths of the source and destination IP addresses must be equal to those of members in microsegments. For example, a packet sourced from 10.10.10.1/24 matches member 10.10.10.0/24 instead of 10.10.10.0/23.
· Longest match—The mask lengths of the source and destination IP addresses can be greater than or equal to those of members in microsegments. For example, a packet sourced from 10.10.10.1/24 matches member 10.10.10.0/16.
The device uses different match methods for different member types of microsegments:
· Host addresses (IPv4 addresses with a 32-bit mask and IPv6 addresses with a 128-bit prefix) use the longest match method, which cannot be modified.
· The default route (0.0.0.0/0 or 0::0/0) uses the exact match method, which cannot be modified.
· Network addresses (IPv4 addresses with a 1-bit to 31-bit mask and IPv6 addresses with a 1-bit to 127-bit prefix) use the exact match method by default. You can configure the longest match method for this member type.
The longest match method simplifies configuration when you need to add a large number of network addresses to a microsegment. For example, to match network addresses 10.10.10.0/24, 10.10.20.0/24, and 10.10.30.0/24 to microsegment 1, you need to execute only the member ipv4 10.10.10.0 16 command if you use longest match.
Examples
# Configure the network address match method as longest match.
<Sysname> system-view
[Sysname] microsegment subnet-match longest
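The match rules above (exact match by default for network addresses, longest match when this command is configured, longest match always for host addresses, exact match always for the default route) decide which microsegment a packet's source or destination is placed in, and therefore which GBP applies. The following Python is an added example written for this page, not vendor code and not the device's lookup algorithm: it applies those rules to a constructed member list built from the prefixes quoted in this reference (the microsegment IDs are made up) and shows how the same address resolves under each method. Treating the packet as an address plus the mask length of the route it matched, and picking the longest prefix among several candidates, are assumptions of the model.

```python
import ipaddress

# Constructed sample membership: (member prefix, microsegment ID).
MEMBERS = [
    (ipaddress.ip_network("10.10.10.0/24"), 1),
    (ipaddress.ip_network("10.10.10.0/23"), 2),
    (ipaddress.ip_network("10.10.0.0/16"), 3),   # the "member ipv4 10.10.10.0 16" case
    (ipaddress.ip_network("10.10.10.7/32"), 5),  # host address
    (ipaddress.ip_network("0.0.0.0/0"), 9),      # default route
]


def member_match_method(member, subnet_match):
    """Per-member match method as the reference describes it: host addresses
    always use longest match, the default route always uses exact match, and
    other network addresses use the configured method ('exact' or 'longest')."""
    if member.prefixlen == member.max_prefixlen:
        return "longest"
    if member.prefixlen == 0:
        return "exact"
    return subnet_match


def lookup_microsegment(address, mask_length, members=MEMBERS, subnet_match="exact"):
    """Return the microsegment ID for an address carrying the given mask
    length, or None when no member matches.  subnet_match='longest' mirrors
    'microsegment subnet-match longest'; 'exact' is the default."""
    ip = ipaddress.ip_address(address)
    best = None
    for member, seg_id in members:
        if ip.version != member.version or ip not in member:
            continue
        method = member_match_method(member, subnet_match)
        if method == "exact" and member.prefixlen != mask_length:
            continue                     # exact: mask lengths must be equal
        if method == "longest" and member.prefixlen > mask_length:
            continue                     # longest: member mask must not be longer
        # Several candidates can remain under longest match; keep the longest prefix
        if best is None or member.prefixlen > best[0]:
            best = (member.prefixlen, seg_id)
    return None if best is None else best[1]


if __name__ == "__main__":
    for addr, mlen in (("10.10.10.1", 24), ("10.10.20.1", 24), ("10.10.30.1", 24), ("10.10.10.7", 32)):
        print(f"{addr}/{mlen}: exact ->", lookup_microsegment(addr, mlen),
              "| longest ->", lookup_microsegment(addr, mlen, subnet_match="longest"))
```

The 10.10.20.1/24 and 10.10.30.1/24 lines show the simplification the reference describes: under exact match neither address belongs to any microsegment unless a /24 member is added for each, while under longest match the single /16 member covers them all.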
Related commands
display microsegment
member