29-IP-SGT mapping commands
IP-SGT mapping commands
display ipsgt map
Use display ipsgt map to display IP-SGT mapping entries deployed by the EIA server.
Syntax
display ipsgt map [ ip [ ipv4-address ] | ipv6 [ ipv6-address ] ] [ microsegment microsegment-id ] [ vpn-instance vpn-instance-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
ip [ ipv4-address ]: Specifies an IPv4 address. If you do not specify this option, this command displays all IPv4 IP-SGT mapping entries.
ipv6 [ ipv6-address ]: Specifies an IPv6 address. If you do not specify this option, this command displays all IPv6 IP-SGT mapping entries.
microsegment microsegment-id: Specifies a microsegment ID in the range of 1 to 65535.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string in the range of 1 to 31 characters. If you do not specify this option, this command displays IP-SGT mapping entries in the public network.
Usage guidelines
If you do not specify any keyword or parameter, this command displays all IP-SGT mapping entries.
Examples
# Display all IP-SGT entries.
<Sysname> display ipsgt map
Total IPv4 IP-SGT entries: 1
Microsegment ID: 1
IPv4 address        Vpn-instance
1.1.1.1             N/A
Total IPv6 IP-SGT entries: 1
Microsegment ID: 2
IPv6 address        Vpn-instance
11::5               N/A
Table 1 Command output

Field | Description |
---|---|
Total IPv4 IP-SGT entries | Total number of IPv4 IP-SGT entries. |
Total IPv6 IP-SGT entries | Total number of IPv6 IP-SGT entries. |
Microsegment ID | ID of the microsegment to which the IP addresses listed under it map. |
Vpn-instance | VPN instance name. This field displays N/A if the entry does not belong to any VPN. |
Related commands
ipsgt enable
ipsgt on-demand
display ipsgt on-demand
Use display ipsgt on-demand to display the subnets for on-demand IP-SGT mapping.
Syntax
display ipsgt on-demand [ ip [ ipv4-address { mask-length | mask } ] | ipv6 [ ipv6-address prefix-length ] ] [ vpn-instance vpn-instance-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
ip [ ipv4-address { mask-length | mask } ]: Specifies an IPv4 subnet. If you do not specify the ipv4-address argument, this command displays all IPv4 on-demand mapping subnets. The ipv4-address argument represents the IPv4 address, the mask-length argument represents the mask length in the range of 0 to 31, and the mask argument represents the mask in dotted decimal notation. The mask cannot be 255.255.255.255.
ipv6 [ ipv6-address prefix-length ]: Specifies an IPv6 subnet. If you do not specify the ipv6-address argument, this command displays all IPv6 on-demand mapping subnets. The ipv6-address argument represents the IPv6 address and the prefix-length argument represents the prefix length in the range of 0 to 127.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string in the range of 1 to 31 characters. If you do not specify this option, this command displays on-demand mapping entries in the public network.
Usage guidelines
If you do not specify any parameters, this command displays all IPv4 and IPv6 on-demand mapping subnets.
Examples
# Display all the IPv4 and IPv6 subnets for on-demand IP-SGT mapping.
<Sysname> display ipsgt on-demand
Total IPv4 on-demand networks: 1
IPv4 address        Mask                Vpn-instance
1.1.1.1             255.255.255.0       N/A
Total IPv6 on-demand networks: 1
IPv6 address        Prefix length       Vpn-instance
11::5               64                  N/A
Table 2 Command output

Field | Description |
---|---|
Total IPv4 on-demand networks | Total number of IPv4 on-demand mapping subnets. |
Total IPv6 on-demand networks | Total number of IPv6 on-demand mapping subnets. |
Vpn-instance | VPN instance name. This field displays N/A if the entry does not belong to any VPN. |
Related commands
ipsgt on-demand
display ipsgt state
Use display ipsgt state to display the operating status of IP-SGT mapping.
Syntax
display ipsgt state
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display the operating status of IP-SGT mapping.
<Sysname> display ipsgt state
Global IP-SGT parameters:
IP-SGT: Enabled
Connection status with:
EIA server: Connected
IPv4 routing management: Connected
IPv6 routing management: Connected
IP-SGT URL:
http://1.1.1.1/ipsgtmgr/vim active
http://2.1.1.1/ipsgtmgr/vim inactive
Table 3 Command output

Field | Description |
---|---|
IP-SGT | Enabling status: Enabled or Disabled. |
Connection status with | Connection status of the IP-SGT module with its peers, listed below. |
EIA server | Connection status with the EIA cloud server: Connected or Disconnected. |
IPv4 routing management | Connection status with the IPv4 routing management module: Connected or Disconnected. |
IPv6 routing management | Connection status with the IPv6 routing management module: Connected or Disconnected. |
IP-SGT URL | URL of the IP-SGT tunnel deployed by the EIA server, followed by the tunnel state (active or inactive). If two URLs are displayed, they are the active and backup IP-SGT tunnels. The two tunnels are never established at the same time: the backup tunnel is established and used only when the active tunnel fails. |
Related commands
ipsgt enable
display ipsgt statistics
Use display ipsgt statistics to display IP-SGT mapping packet statistics.
Syntax
display ipsgt statistics
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display IP-SGT mapping packet statistics.
<Sysname> display ipsgt statistics
Messages received:
Add mapping: 1
Delete mapping: 1
Batch batch start: 0
Batch batch end: 0
Invalid: 0
Messages sent:
Add mapping: 1
Delete mapping: 1
Update mapping: 0
Add On-demand network: 1
Delete on-demand Network: 1
Batch backup start: 1
Batch backup mapping: 1
Batch backup end: 1
Table 4 Command output

Field | Description |
---|---|
Messages received | Numbers of packets received from the EIA server, by type: Add mapping (add an IP-SGT entry), Delete mapping (delete an IP-SGT entry), Batch batch start (start backing up IP-SGT entries in batch), Batch batch end (finish backing up IP-SGT entries in batch), Invalid (invalid entries detected). |
Messages sent | Numbers of packets sent to the routing management module, by type: Add mapping (add IP-SGT entries), Delete mapping (delete IP-SGT entries), Update mapping (update IP-SGT entries), Add On-demand network (add on-demand mapping subnets), Delete on-demand network (delete on-demand mapping subnets), Batch backup start (start backing up IP-SGT entries in batch), Batch backup mapping (back up IP-SGT entries in batch), Batch backup end (finish backing up IP-SGT entries in batch). |
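A practitioner polling an executor will usually want the state and statistics output above turned into alerts: the EIA link must be Connected, exactly one IP-SGT tunnel should be active, and the Invalid counter should stay at zero, since a non-zero value means the server pushed entries the device could not apply. The following script is an added example and not H3C code; it assumes the exact output layouts shown in this reference, and the sample text it parses is constructed here (the failing case is derived from the page's example by flipping the EIA status, both tunnel states and the Invalid counter).

```python
"""Health check over 'display ipsgt state' and 'display ipsgt statistics'.

Added example (not H3C code). Assumes the output layout shown in the
command reference; all sample text is constructed, not device-captured.
"""

STATE_OK = """Global IP-SGT parameters:
IP-SGT: Enabled
Connection status with:
EIA server: Connected
IPv4 routing management: Connected
IPv6 routing management: Connected
IP-SGT URL:
http://1.1.1.1/ipsgtmgr/vim active
http://2.1.1.1/ipsgtmgr/vim inactive
"""

# Constructed failure case: EIA link down and no tunnel active.
STATE_BAD = (STATE_OK
             .replace("EIA server: Connected", "EIA server: Disconnected")
             .replace("vim active", "vim inactive"))

STATS_OK = """Messages received:
Add mapping: 1
Delete mapping: 1
Batch batch start: 0
Batch batch end: 0
Invalid: 0
Messages sent:
Add mapping: 1
Delete mapping: 1
Update mapping: 0
Add On-demand network: 1
Delete on-demand Network: 1
Batch backup start: 1
Batch backup mapping: 1
Batch backup end: 1
"""
# Constructed failure case: the server sent entries the device rejected.
STATS_BAD = STATS_OK.replace("Invalid: 0", "Invalid: 3")


def parse_state(text):
    """Return {'enabled': bool, 'connections': {peer: bool}, 'urls': [(url, state)]}."""
    state = {"enabled": False, "connections": {}, "urls": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("IP-SGT:"):
            state["enabled"] = line.split(":", 1)[1].strip() == "Enabled"
        elif line.startswith(("http://", "https://")):
            url, _, tunnel = line.rpartition(" ")  # "<url> active|inactive"
            state["urls"].append((url, tunnel))
        elif ":" in line and not line.endswith(":"):
            name, value = (s.strip() for s in line.split(":", 1))
            if value in ("Connected", "Disconnected"):
                state["connections"][name] = value == "Connected"
    return state


def parse_statistics(text):
    """Return {'received': {type: count}, 'sent': {type: count}} with lower-cased type names."""
    stats = {"received": {}, "sent": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line == "Messages received:":
            section = "received"
        elif line == "Messages sent:":
            section = "sent"
        elif section and ":" in line:
            name, value = (s.strip() for s in line.split(":", 1))
            stats[section][name.lower()] = int(value)
    return stats


def health_findings(state, stats):
    """Return a list of human-readable problems; an empty list means healthy."""
    findings = []
    if not state["enabled"]:
        findings.append("IP-SGT mapping is disabled; no group policy is enforced")
    for peer, up in state["connections"].items():
        if not up:
            findings.append(f"{peer} disconnected")
    active = [u for u, s in state["urls"] if s == "active"]
    if state["urls"] and len(active) != 1:
        findings.append(f"expected exactly one active IP-SGT tunnel, found {len(active)}")
    invalid = stats["received"].get("invalid", 0)
    if invalid:
        findings.append(f"{invalid} invalid mapping message(s) received from the EIA server")
    return findings


if __name__ == "__main__":
    for text_state, text_stats in ((STATE_OK, STATS_OK), (STATE_BAD, STATS_BAD)):
        print(health_findings(parse_state(text_state), parse_statistics(text_stats)) or "healthy")
```

Run it against the two constructed samples: the first pair reports nothing, the second reports the EIA disconnect, the missing active tunnel and the three invalid messages. Because `parse_statistics` lower-cases the type names, the "Delete on-demand Network" line with its inconsistent capitalisation lands under the same key shape as the rest.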
Related commands
reset ipsgt statistics
ipsgt enable
Use ipsgt enable to enable IP-SGT mapping.
Use undo ipsgt enable to disable IP-SGT mapping.
Syntax
ipsgt enable
undo ipsgt enable
Default
IP-SGT mapping is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
By default, only the authenticator can receive the access policies deployed by the server and control user access based on those policies.
This feature enables a device to act as an executor that receives the IP address-to-microsegment ID mapping entries sent by the EIA server. When forwarding traffic, the executor looks up the source or destination IP address of a packet, obtains the microsegment ID it maps to, and then processes the packet according to the group policy specified for that microsegment ID. For more information about microsegmentation and group policies, see Security Configuration Guide.
Examples
# Enable the IP-SGT mapping.
<Sysname> system-view
[Sysname] ipsgt enable
Related commands
display ipsgt
ipsgt on-demand
Use ipsgt on-demand to specify a subnet for on-demand IP-SGT mapping.
Use undo ipsgt on-demand to delete a subnet for on-demand IP-SGT mapping.
Syntax
ipsgt on-demand { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]
undo ipsgt on-demand [ ip [ ipv4-address { mask-length | mask } ] | ipv6 [ ipv6-address prefix-length ] ] [ vpn-instance vpn-instance-name ]
Default
No subnet is specified for on-demand IP-SGT mapping.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
ip ipv4-address { mask-length | mask }: Specifies an IPv4 subnet. The ipv4-address argument represents the IPv4 address, the mask-length argument represents the mask length in the range of 0 to 31, and the mask argument represents the mask in dotted decimal notation. The mask cannot be 255.255.255.255.
ipv6 ipv6-address prefix-length: Specifies an IPv6 subnet. The ipv6-address argument represents the IPv6 address and the prefix-length argument represents the prefix length in the range of 0 to 127.
vpn-instance vpn-instance-name: Specifies the VPN instance by its name, a case-sensitive string in the range of 1 to 31 characters. If you do not specify this option, the subnet belongs to the public network.
Usage guidelines
By default, the device stores all IP-SGT mapping entries deployed by the EIA server as hardware entries. This lets the device obtain the microsegment ID and group policy for a packet quickly and improves forwarding efficiency. However, if the device sits on a link that carries little traffic, storing every mapping entry wastes hardware resources.
After enabling IP-SGT mapping, you can execute this command to specify subnets for on-demand IP-SGT mapping on the executor. The device then installs a mapping entry in hardware only if the user IP address belongs to one of the specified subnets; entries for addresses outside those subnets are not installed in hardware. In this way, the device still obtains the microsegment ID and group policy quickly for the traffic it actually forwards while avoiding wasted hardware resources.
You can configure a maximum of 1024 subnets for on-demand IP-SGT mapping, 512 for IPv4 and 512 for IPv6.
If you do not specify any keyword or parameter for the undo command, the command deletes all on-demand IPv4 and IPv6 subnets.
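Once on-demand subnets are configured, an EIA-deployed entry whose address falls outside every configured subnet for its VPN instance is not installed in hardware, so the group policy for that microsegment is not applied to its traffic. The script below, an added example and not H3C code, parses the `display ipsgt map` and `display ipsgt on-demand` outputs shown in this reference and lists the entries no on-demand subnet covers. It assumes the map output repeats a "Microsegment ID:" header before each group of addresses (the reference shows one group per address family); the sample outputs are constructed here, with extra entries added to the page's examples to exercise the VPN and version checks.

```python
"""Coverage check: EIA-deployed IP-SGT entries outside every on-demand subnet.

Added example (not H3C code). Assumes the 'display ipsgt map' and
'display ipsgt on-demand' layouts shown in the command reference, plus a
repeated 'Microsegment ID:' header per microsegment (assumption).
Sample outputs are constructed, not captured from a device.
"""
import ipaddress

MAP_OUTPUT = """Total IPv4 IP-SGT entries: 3
Microsegment ID: 1
IPv4 address        Vpn-instance
1.1.1.1             N/A
20.20.20.7          N/A
Microsegment ID: 3
IPv4 address        Vpn-instance
10.0.0.9            vpn1
Total IPv6 IP-SGT entries: 1
Microsegment ID: 2
IPv6 address        Vpn-instance
11::5               N/A
"""

ONDEMAND_OUTPUT = """Total IPv4 on-demand networks: 1
IPv4 address        Mask                Vpn-instance
20.20.20.1          255.255.255.0       N/A
Total IPv6 on-demand networks: 1
IPv6 address        Prefix length       Vpn-instance
11::5               64                  N/A
"""


def _ip(token):
    """Parse token as an IPv4/IPv6 address, or return None for header words."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def parse_map(text):
    """Return [(ip_address, microsegment_id, vpn)] for every mapping entry."""
    entries, msid = [], None
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("Microsegment ID:"):
            msid = int(parts[-1])
        elif len(parts) == 2 and _ip(parts[0]) is not None:
            entries.append((_ip(parts[0]), msid, parts[1]))
    return entries


def parse_on_demand(text):
    """Return [(network, vpn)] from 'display ipsgt on-demand' output."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and _ip(parts[0]) is not None:
            # IPv4 rows carry a dotted mask, IPv6 rows a prefix length;
            # ip_network accepts either form after the slash.
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            nets.append((net, parts[2]))
    return nets


def uncovered_entries(map_text, ondemand_text):
    """Entries that no on-demand subnet of the same VPN instance contains.

    With no on-demand subnets configured the device stores every entry in
    hardware, so nothing is reported in that case.
    """
    nets = parse_on_demand(ondemand_text)
    if not nets:
        return []
    missing = []
    for ip, msid, vpn in parse_map(map_text):
        covered = any(ip in net and v == vpn
                      for net, v in nets if net.version == ip.version)
        if not covered:
            missing.append((str(ip), msid, vpn))
    return missing


if __name__ == "__main__":
    for ip, msid, vpn in uncovered_entries(MAP_OUTPUT, ONDEMAND_OUTPUT):
        print(f"{ip} (microsegment {msid}, VPN {vpn}) is outside every on-demand subnet")
```

On the constructed sample, 20.20.20.7 and 11::5 are covered, while 1.1.1.1 (public network, no matching subnet) and 10.0.0.9 (vpn1, for which no subnet is configured at all) are reported. The VPN instance is part of the match on purpose: a public-network subnet does not cover an entry that belongs to a VPN instance, and the command syntax keys subnets by vpn-instance for the same reason.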
Examples
# Specify subnet 20.20.20.1/24 for on-demand IP-SGT mapping.
<Sysname> system-view
[Sysname] ipsgt on-demand ip 20.20.20.1 24
Related commands
display ipsgt on-demand
ipsgt enable
reset ipsgt statistics
Use reset ipsgt statistics to clear IP-SGT mapping packet statistics.
Syntax
reset ipsgt statistics
Views
User view
Predefined user roles
network-admin
mdc-admin
Examples
# Clear IP-SGT mapping packet statistics.
<Sysname> reset ipsgt statistics
Related commands
display ipsgt statistics