11-Security Command Reference

H3C S6526XE-HI[EI] Switch Series Command References-R8340Pxx-6W100
29-IP-SGT mapping commands

IP-SGT mapping commands

display ipsgt map

Use display ipsgt map to display IP-SGT mapping entries deployed by the EIA server.

Syntax

display ipsgt map [ critical ] [ ip [ ipv4-address ] | ipv6 [ ipv6-address ] ] [ microsegment microsegment-id ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

critical: Displays fail-permit (critical user) IP-SGT mapping entries.

ip [ ipv4-address ]: Specifies an IPv4 address. If you do not specify this option, this command displays all IPv4 IP-SGT mapping entries.

ipv6 [ ipv6-address ]: Specifies an IPv6 address. If you do not specify this option, this command displays all IPv6 IP-SGT mapping entries.

microsegment microsegment-id: Specifies a microsegment ID in the range of 1 to 65535.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string in the range of 1 to 31 characters. If you do not specify this option, this command displays IP-SGT mapping entries in the public network.

Usage guidelines

If you do not specify any keyword or parameter, this command displays all IP-SGT mapping entries.

Examples

# Display all IP-SGT entries.

<Sysname> display ipsgt map

Total IPv4 IP-SGT entries: 1

 Microsegment ID: 1

   IPv4 address             VPN-instance

   1.1.1.1                   N/A

 

Total IPv6 IP-SGT entries: 1

Microsegment ID: 2

   IPv6 address             VPN-instance

   11::5                     N/A

# Display all fail-permit IP-SGT mapping entries.

<Sysname> display ipsgt map critical

Total IPv4 critical IP-SGT entries: 1

 Microsegment ID: 1

   IPv4 address             VPN-instance

   1.1.1.1                  N/A

 

Total IPv6 critical IP-SGT entries: 1

 Microsegment ID: 2

   IPv6 address             VPN-instance

   11::5                    N/A

Table 1 Command output

Field

Description

Total IPv4 IP-SGT entries

Total number of IPv4 IP-SGT mapping entries.

Total IPv6 IP-SGT entries

Total number of IPv6 IP-SGT mapping entries.

Total IPv4 critical IP-SGT entries

Total number of IPv4 fail-permit IP-SGT mapping entries.

Total IPv6 critical IP-SGT entries

Total number of IPv6 fail-permit IP-SGT mapping entries.

VPN-instance

VPN instance name. This field displays N/A if the entry does not belong to any VPN.

 

Related commands

ipsgt enable

ipsgt on-demand

display ipsgt on-demand

Use display ipsgt on-demand to display the subnets for on-demand IP-SGT mapping.

Syntax

display ipsgt on-demand [ ip [ ipv4-address { mask-length | mask } ] | ipv6 [ ipv6-address prefix-length ] ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip [ ipv4-address { mask-length | mask } ]: Specifies an IPv4 subnet. If you do not specify the ipv4-address argument, this command displays all IPv4 on-demand mapping subnets. The ipv4-address argument represents the IPv4 address, the mask-length argument represents the mask length in the range of 0 to 31, and the mask argument represents the mask in dotted decimal notation. The mask cannot be 255.255.255.255.

ipv6 [ ipv6-address prefix-length ]: Specifies an IPv6 subnet. If you do not specify the ipv6-address argument, this command displays all IPv6 on-demand mapping subnets. The ipv6-address argument represents the IPv6 address and the prefix-length argument represents the prefix length in the range of 0 to 127.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string in the range of 1 to 31 characters. If you do not specify this option, this command displays on-demand mapping entries in the public network.

Usage guidelines

If you do not specify any parameters, this command displays all IPv4 and IPv6 on-demand mapping subnets.

Examples

# Display all the IPv4 and IPv6 subnets for on-demand IP-SGT mapping.

<Sysname> display ipsgt on-demand

Total IPv4 on-demand networks: 1

  IPv4 address              Mask                    VPN-instance

  1.1.1.1                   255.255.255.0           N/A

 

Total IPv6 on-demand networks: 1

  IPv6 address              Prefix length           VPN-instance

  11::5                     64                      N/A

Table 2 Command output

Field

Description

Total IPv4 on-demand networks

Total number of IPv4 on-demand mapping subnets.

Total IPv6 on-demand networks

Total number of IPv6 on-demand mapping subnets.

VPN-instance

VPN instance name. This field displays N/A if the entry does not belong to any VPN.

 

Related commands

ipsgt on-demand

display ipsgt state

Use display ipsgt state to display the operating status of IP-SGT mapping.

Syntax

display ipsgt state

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the operating status of IP-SGT mapping.

<Sysname> display ipsgt state

 Global IP-SGT parameters:

   IP-SGT: Enabled

   Connection status with:

       EIA server: Connected

       IPv4 routing management: Connected

       IPv6 routing management: Connected

   IP-SGT URL:

       https://1.1.1.1/ipsgtmgr/vim    active

       https://2.1.1.1/ipsgtmgr/vim    inactive

Table 3 Command output

Field

Description

IP-SGT

Enabling status:

·     Enabled.

·     Disabled.

Connection status with

Connection status.

EIA server

Connection status with the EIA cloud server:

·     Connected.

·     Disconnected.

IPv4 routing management

Connection status with the IPv4 routing management module:

·     Connected.

·     Disconnected.

IPv6 routing management

Connection status with the IPv6 routing management module:

·     Connected.

·     Disconnected.

IP-SGT URL

URL deployed by the EIA server for establishing an IP-SGT tunnel. Tunnel states include:

·     active.

·     inactive.

The two URLs correspond to the active and standby IP-SGT tunnels. The two tunnels are never established at the same time: the standby tunnel is used only while the active tunnel is down and returns to standby once the active tunnel recovers.

 

Related commands

ipsgt enable

display ipsgt statistics

Use display ipsgt statistics to display IP-SGT mapping packet statistics.

Syntax

display ipsgt statistics

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display IP-SGT mapping packet statistics.

<Sysname> display ipsgt statistics

Messages received :

  Add mapping:                          1

  Delete mapping:                       1

  Batch backup start:                   0

  Batch backup end:                     0

  Invalid:                               0

Messages sent :

  Add mapping:                          1

  Delete mapping:                       1

  Update mapping:                       0

  Add critical:                         0

  Delete critical:                      0

  Update critical:                      0

  Add On-demand network:                1

  Delete on-demand Network:             1

  Batch backup start:                   1

  Batch backup mapping:                 1

  Batch backup critical:                0

  Batch backup end:                     1

Table 4 Command output

Field

Description

Messages received

Number of messages received from the EIA server, by type:

·     Add mapping—Add an IP-SGT entry.

·     Delete mapping—Delete an IP-SGT entry.

·     Batch backup start—Start backing up IP-SGT entries in batch.

·     Batch backup end—End backing up IP-SGT entries in batch.

·     Invalid—Invalid messages received.

Messages sent

Number of messages sent to the routing management module, by type:

·     Add mapping—Add IP-SGT entries.

·     Delete mapping—Delete IP-SGT entries.

·     Update mapping—Update IP-SGT entries.

·     Add critical—Add IP-SGT critical user entries.

·     Delete critical—Delete IP-SGT critical user entries.

·     Update critical—Update IP-SGT critical user entries.

·     Add On-demand network—Add on-demand mapping subnets.

·     Delete on-demand network—Delete on-demand mapping subnets.

·     Batch backup start—Start backing up IP-SGT entries in batch.

·     Batch backup mapping—Back up IP-SGT entries in batch.

·     Batch backup critical—Back up IP-SGT critical user entries in batch.

·     Batch backup end—Finish backing up IP-SGT entries in batch.

 

Related commands

reset ipsgt statistics
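The display ipsgt state and display ipsgt statistics commands above carry the health signals an operator needs from an executor: whether IP-SGT is enabled, whether the EIA server and the routing management modules are connected, which tunnel is active, and whether invalid messages are arriving. As an added example (not code from the H3C reference or from the EIA product), the Python below parses both outputs and turns them into findings. The sample output is constructed to match the formats shown on this page; the severity labels and the decision to treat "no active tunnel" as critical are assumptions.

```python
"""Added example, not code from the H3C reference: parse the output of
'display ipsgt state' and 'display ipsgt statistics' (for example, collected over SSH by a
monitoring job) and flag the conditions an operator would want to alarm on. The sample text
is constructed to match the formats shown on this page; the severities are assumptions."""
import re

# Constructed sample output, following the formats shown on this page.
STATE_OUTPUT = """\
 Global IP-SGT parameters:
   IP-SGT: Enabled
   Connection status with:
       EIA server: Connected
       IPv4 routing management: Connected
       IPv6 routing management: Connected
   IP-SGT URL:
       https://1.1.1.1/ipsgtmgr/vim    active
       https://2.1.1.1/ipsgtmgr/vim    inactive
"""
STATS_OUTPUT = """\
Messages received :
  Add mapping:                          1
  Delete mapping:                       1
  Batch backup start:                   0
  Batch backup end:                     0
  Invalid:                              0
Messages sent :
  Add mapping:                          1
  Delete mapping:                       1
  Update mapping:                       0
  Add critical:                         0
  Add On-demand network:                1
  Delete on-demand Network:             1
  Batch backup end:                     1
"""
# The same device after losing the EIA server, with both tunnels down and a few bad
# messages counted (constructed by editing the healthy samples).
DEGRADED_STATE_OUTPUT = (STATE_OUTPUT
                         .replace("EIA server: Connected", "EIA server: Disconnected")
                         .replace("vim    active", "vim    inactive"))
DEGRADED_STATS_OUTPUT = re.sub(r"Invalid:(\s+)0", r"Invalid:\g<1>3", STATS_OUTPUT)

def parse_state(text):
    """Return {'enabled': bool, 'connections': {peer: status}, 'urls': {url: tunnel state}}."""
    state = {"enabled": False, "connections": {}, "urls": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("IP-SGT:"):
            state["enabled"] = line.split(":", 1)[1].strip() == "Enabled"
        elif line.startswith(("http://", "https://")):
            url, tunnel_state = line.split()
            state["urls"][url] = tunnel_state
        elif ":" in line and not line.endswith(":"):      # 'EIA server: Connected' and the like
            peer, status = (part.strip() for part in line.split(":", 1))
            state["connections"][peer] = status
    return state

def parse_stats(text):
    """Return {'received': {counter: int}, 'sent': {counter: int}}; counter names are lower-cased
    because the device output mixes 'Add On-demand network' and 'Delete on-demand Network'."""
    stats, section = {"received": {}, "sent": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Messages received"):
            section = "received"
        elif line.startswith("Messages sent"):
            section = "sent"
        elif section and ":" in line:
            name, value = line.rsplit(":", 1)
            stats[section][name.strip().lower()] = int(value)
    return stats

def check(state, stats):
    """Return a list of (severity, message); an empty list means the executor looks healthy."""
    findings = []
    if not state["enabled"]:
        findings.append(("critical", "IP-SGT mapping is disabled: the device is not acting as an executor"))
    for peer, status in state["connections"].items():
        if status != "Connected":
            findings.append(("critical", f"{peer}: {status}"))
    if state["urls"] and "active" not in state["urls"].values():
        findings.append(("critical", "neither the active nor the standby IP-SGT tunnel is up"))
    invalid = stats["received"].get("invalid", 0)
    if invalid:
        findings.append(("warning", f"{invalid} invalid message(s) received from the EIA server"))
    return findings

def report(state_text, stats_text):
    """Convenience wrapper: raw CLI text in, findings out."""
    return check(parse_state(state_text), parse_stats(stats_text))
```

Feed report() the text captured from the two commands: it returns an empty list for the healthy sample and three findings for the degraded one, which is the shape a monitoring job can alarm on. The statistics counters are cumulative until reset ipsgt statistics is run, so a job that watches the Invalid counter should compare successive readings rather than the absolute value.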

ipsgt enable

Use ipsgt enable to enable IP-SGT mapping.

Use undo ipsgt enable to disable IP-SGT mapping.

Syntax

ipsgt enable

undo ipsgt enable

Default

IP-SGT mapping is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

By default, only the authenticator can receive access policies deployed by the server and control user access based on those policies.

This command enables the device to act as an executor that receives the IP address-to-microsegment ID mapping entries sent by the EIA server. During packet forwarding, the executor looks up the source or destination IP address of each packet, obtains the corresponding microsegment ID, and processes the packet according to the group policy associated with that microsegment ID. For more information about microsegmentation and group policies, see Security Configuration Guide.

Examples

# Enable the IP-SGT mapping.

<Sysname> system-view

[Sysname] ipsgt enable

Related commands

display ipsgt

ipsgt on-demand

Use ipsgt on-demand to specify a subnet for on-demand IP-SGT mapping.

Use undo ipsgt on-demand to delete a subnet for on-demand IP-SGT mapping.

Syntax

ipsgt on-demand { ip ipv4-address { mask-length | mask } | ipv6 ipv6-address prefix-length } [ vpn-instance vpn-instance-name ]

undo ipsgt on-demand [ ip [ ipv4-address { mask-length | mask } ] | ipv6 [ ipv6-address prefix-length ] ] [ vpn-instance vpn-instance-name ]

Default

No subnet is specified for on-demand IP-SGT mapping.

Views

System view

Predefined user roles

network-admin

Parameters

ip ipv4-address { mask-length | mask }: Specifies an IPv4 subnet. The ipv4-address argument represents the IPv4 address, the mask-length argument represents the mask length in the range of 0 to 31, and the mask argument represents the mask in dotted decimal notation. The mask cannot be 255.255.255.255, because the command takes a subnet, not a host address.

ipv6 ipv6-address prefix-length: Specifies an IPv6 subnet. The ipv6-address argument represents the IPv6 address and the prefix-length argument represents the prefix length in the range of 0 to 127.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the subnet belongs to the public network.

Usage guidelines

By default, the device stores all IP-SGT mapping entries deployed by the EIA server as hardware entries. This lets the device quickly obtain the microsegment ID and group policy for packet processing and improves forwarding efficiency. However, if the device sits on a link that carries little traffic, storing every mapping entry wastes hardware resources.

After enabling IP-SGT mapping, you can execute this command to specify subnets for on-demand IP-SGT mapping on the executor. The hardware then stores a mapping entry only when the user IP address belongs to one of the specified subnets, so the device still obtains the microsegment ID and group policy quickly for the traffic it forwards without spending hardware resources on entries it never uses.

If you do not specify any keyword or parameter for the undo command, the command deletes all on-demand IPv4 and IPv6 subnets.

Examples

# Specify subnet 20.20.20.1/24 for on-demand IP-SGT mapping.

<Sysname> system-view

[Sysname] ipsgt on-demand ip 20.20.20.1 24
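To make the executor behaviour described under ipsgt enable and the on-demand filtering described above concrete, here is an added software model in Python (not H3C or EIA code). It keeps every deployed entry in a software table, installs a hardware entry only for addresses inside a configured on-demand subnet, mirrors the argument checks of ipsgt on-demand (a host address such as /32 or a 255.255.255.255 mask is rejected), and classifies a packet by the microsegment IDs of its source and destination. The group-policy matrix, the default action for an address with no entry, and the rule that on-demand filtering applies per VPN instance and per address family are illustrative assumptions, not documented behaviour.

```python
"""Added example, not code from the H3C reference or the EIA product: a software model
of the executor behaviour described on this page. Policy names, the default action, and
the rule that on-demand filtering applies per VPN instance and address family are assumptions."""
import ipaddress

class IpSgtExecutor:
    def __init__(self):
        self.mappings = {}   # (vpn, address) -> microsegment ID: every entry the EIA server deployed
        self.on_demand = {}  # vpn -> [networks configured with 'ipsgt on-demand']
        self.hardware = {}   # (vpn, address) -> microsegment ID: entries actually installed in hardware

    def add_on_demand(self, subnet, vpn=None):
        """Mirror the argument rules of 'ipsgt on-demand': IPv4 mask length 0-31 (a mask of
        255.255.255.255 is rejected) and IPv6 prefix length 0-127, so a host address is never accepted."""
        net = ipaddress.ip_network(subnet, strict=False)   # accepts 'a.b.c.d/24' and 'a.b.c.d/255.255.255.0'
        if net.prefixlen == net.max_prefixlen:
            raise ValueError(f"{subnet}: on-demand IP-SGT mapping takes a subnet, not a host address")
        self.on_demand.setdefault(vpn, []).append(net)
        self._rebuild_hardware()

    def _wanted(self, addr, vpn):
        """With no on-demand subnet for this VPN and address family every entry goes to hardware
        (the default described on this page); otherwise only addresses inside a configured subnet do.
        Applying the filter per address family is an assumption."""
        nets = [n for n in self.on_demand.get(vpn, []) if n.version == addr.version]
        return not nets or any(addr in n for n in nets)

    def _rebuild_hardware(self):
        """Re-evaluate every software entry after the on-demand configuration changed."""
        self.hardware = {key: seg for key, seg in self.mappings.items() if self._wanted(key[1], key[0])}

    def deploy(self, ip, segment, vpn=None):
        """Handle an 'Add mapping' message from the EIA server (vpn=None is the public network, shown as N/A)."""
        addr = ipaddress.ip_address(ip)
        self.mappings[(vpn, addr)] = segment
        if self._wanted(addr, vpn):
            self.hardware[(vpn, addr)] = segment

    def withdraw(self, ip, vpn=None):
        """Handle a 'Delete mapping' message from the EIA server."""
        addr = ipaddress.ip_address(ip)
        self.mappings.pop((vpn, addr), None)
        self.hardware.pop((vpn, addr), None)

    def classify(self, src, dst, vpn=None):
        """What the forwarding path sees: the microsegment IDs of source and destination,
        or None for an address that has no hardware entry."""
        key = lambda ip: (vpn, ipaddress.ip_address(ip))
        return self.hardware.get(key(src)), self.hardware.get(key(dst))

# Assumed group-policy matrix keyed by (source segment, destination segment); the page
# only says that the policy is selected by microsegment ID.
POLICY = {(1, 2): "permit", (2, 1): "deny"}

def decide(executor, src, dst, vpn=None, default="deny"):
    """Apply the group policy to a packet; an address with no entry falls back to the default (assumption)."""
    s, d = executor.classify(src, dst, vpn)
    if s is None or d is None:
        return default
    return POLICY.get((s, d), default)

def demo():
    """Replay the entries shown in this page's examples and return the hardware table before and after
    the on-demand subnet from the example above is configured."""
    ex = IpSgtExecutor()
    ex.deploy("1.1.1.1", 1)        # the entries from the 'display ipsgt map' output
    ex.deploy("11::5", 2)
    ex.deploy("20.20.20.7", 3)     # constructed: a host inside the subnet used in the example above
    before = len(ex.hardware)      # 3: no on-demand subnet yet, so every entry is installed
    ex.add_on_demand("20.20.20.1/24")
    after = sorted(str(addr) for (_, addr) in ex.hardware)   # 1.1.1.1 is outside 20.20.20.0/24 and is dropped
    return before, after
```

demo() returns (3, ["11::5", "20.20.20.7"]): the IPv4 entry outside the on-demand subnet leaves the hardware table, and under this model's per-family assumption the IPv6 entry stays because no IPv6 on-demand subnet was configured. Whether the real executor treats the two address families independently is not stated on this page; verify it with display ipsgt map after configuring a subnet.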

Related commands

display ipsgt on-demand

ipsgt enable

reset ipsgt statistics

Use reset ipsgt statistics to clear IP-SGT mapping packet statistics.

Syntax

reset ipsgt statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear IP-SGT mapping packet statistics.

<Sysname> reset ipsgt statistics

Related commands

display ipsgt statistics

snmp-agent trap enable ipsgt

Use snmp-agent trap enable ipsgt to enable SNMP notifications for IP-SGT mapping.

Use undo snmp-agent trap enable ipsgt to restore the default.

Syntax

snmp-agent trap enable ipsgt

undo snmp-agent trap enable ipsgt

Default

SNMP notifications are disabled for IP-SGT mapping.

Views

System view

Predefined user roles

network-admin

Usage guidelines

To report critical IP-SGT events (such as connection or disconnection between the executor and the EIA server) to an NMS, enable SNMP notifications for IP-SGT mapping. For IP-SGT event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

Examples

# Enable SNMP notifications for IP-SGT mapping.

<Sysname> system-view

[Sysname] snmp-agent trap enable ipsgt
