03-Security Configuration Guide: 31-IP-SGT mapping configuration
About IP-SGT mapping
Overview
In a traditional network, only the authenticator can receive access policies deployed by the EIA server and control user access based on the policies. Traditional networks manage user permissions based on geographical location attributes, such as VLAN or IP subnet. If the IP address of a user changes, the user might not obtain the same network access permissions as before.
IP address-Security Group Tag (IP-SGT) mapping binds user roles to security groups and decouples users from IP addresses, so that a user who comes online from different isolation domains obtains the same permissions. The feature realizes role-based policy assignment and enables user policy enforcement.
Network structure
As shown in Figure 1, an IP-SGT mapping network includes the following devices:
· Unified Platform—Digital management platform installed on a physical server. You can deploy components such as the controller and the EIA server on Unified Platform to perform client authentication and policy deployment.
    - Controller—Incorporates devices, creates security groups, and configures inter-group policies.
    - EIA server—Performs user authentication, licensing, and network accounting, and sends IP-SGT mappings to subscribed devices (incorporated devices).
· DHCP server—Assigns IP addresses to users. It can be deployed as one of the Unified Platform components.
· Authenticator—Authenticates access clients.
· Executor—Device subscribed by the EIA server. An executor receives IP-SGT policies deployed by the EIA server and controls user access based on the policies. The same device can act as both authenticator and executor.
· Endpoint—User device requesting access to the LAN. Endpoints are authenticated by the authenticator.
Figure 1 IP-SGT mapping architecture
Security group
A security group provides local group-based security isolation. You can add communication objects (such as personal endpoints, printers, or servers) that have the same security isolation requirements in an area to a security group and configure inter-group policies. This ensures that users in the same group obtain the same access permissions regardless of their locations.
IP-SGT mapping provides security group-based policy enforcement across isolation domains. Compared with traditional access control that uses VLANs and ACLs, IP-SGT mapping significantly reduces inter-group configuration and administrator workload, because IP address-based policy configuration is no longer required.
NOTE:
· A security group can be identified as a microsegment whose microsegment ID is the label ID configured at security group creation. For more information about microsegmentation, see "Configuring microsegmentation."
· Microsegmentation enables the system to bind users to security groups (microsegments) and decouple users from IP addresses. When a user comes online from different isolation domains by using the same account, the EIA server assigns the same microsegment ID to the user.
IP-SGT mapping operating mechanism
Unless otherwise specified, authenticators mentioned in this document only authenticate users, and IP-SGT mapping is enabled on the executors.
As shown in Figure 2, IP-SGT mapping works as follows:
1. The administrator creates security groups and Group Based Policies (GBP) on the controller, and then synchronizes security group and GBP information to the EIA server. For more information about GBP, see "Configuring Segmentation."
2. The controller deploys the configured GBP settings to the authenticator and executor.
3. The EIA server establishes an IP-SGT tunnel with the executor.
4. The client initiates an authentication process.
5. After a successful authentication, the EIA server adds the client to a security group based on the login information. The client is now assigned a microsegment ID.
6. The client obtains an IP address from the DHCP server (portal users obtain IP addresses before authentication).
7. The authenticator reports the client IP address to the EIA server through accounting packets.
CAUTION:
· For portal users, the IP addresses have been obtained from the DHCP server before authentication, and therefore the authenticator reports the client IP addresses to the EIA server during authentication.
· For 802.1X, MAC, and Web authentication users, after they have obtained IP addresses, the authenticator reports the client IP addresses to the EIA server through accounting packets.
8. The EIA server then records the mapping relationship between the client IP address and microsegment ID.
9. The EIA server deploys the mapping entries to the executor through the IP-SGT tunnel. The executor then reports the entries to the route management module for FIB deployment. According to the FIB, the drivers store the IP-SGT mapping entries in hardware resources. Once the client goes offline, the EIA server informs the executor to delete the corresponding IP-SGT entry.
10. After receiving service traffic from the client, the executor operates as follows:
a. Identifies the source or destination IP address of the packet.
b. Obtains the microsegment ID from the FIB.
c. Processes the traffic based on the corresponding group policy specified by the microsegment ID.
Figure 2 IP-SGT mapping workflow
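The following is an added model of steps 9 and 10 above, written for this page and not H3C code: it shows how the executor resolves source and destination IP addresses to microsegment IDs and applies the group-based policy, and why the same account keeps its permissions after moving to a new IP address. The mapping table, the GBP entries, the IP addresses and the microsegment IDs are all constructed.

```python
import ipaddress

# Constructed IP-SGT mapping table as the executor would hold it in its FIB:
# (vpn-instance, IP address) -> microsegment ID. Illustration only, not H3C code.
def make_table():
    return {}

def add_mapping(table, ip, sgt, vpn="default"):
    """Step 9: install an entry deployed by the EIA server over the IP-SGT tunnel."""
    table[(vpn, ipaddress.ip_address(ip))] = sgt   # accepts IPv4 and IPv6 literals

def delete_mapping(table, ip, vpn="default"):
    """Step 9: remove the entry when the EIA server reports the client offline."""
    table.pop((vpn, ipaddress.ip_address(ip)), None)

def lookup(table, ip, vpn="default"):
    """Step 10b: obtain the microsegment ID for an address, or None if unmapped."""
    return table.get((vpn, ipaddress.ip_address(ip)))

def enforce(table, gbp, src_ip, dst_ip, vpn="default", default="deny"):
    """Step 10: resolve both IPs to microsegment IDs and apply the GBP entry."""
    src_sgt = lookup(table, src_ip, vpn)
    dst_sgt = lookup(table, dst_ip, vpn)
    if src_sgt is None or dst_sgt is None:
        return default          # unmapped endpoint: fall back to the default action
    return gbp.get((src_sgt, dst_sgt), default)

def scenario():
    """Constructed walk-through: the same user account comes online from two subnets."""
    table = make_table()
    gbp = {(100, 200): "permit", (300, 200): "deny"}   # (src SGT, dst SGT) -> action
    add_mapping(table, "10.9.9.1", 200)                # server, microsegment 200
    add_mapping(table, "10.1.1.9", 300)                # printer, microsegment 300
    results = {}
    add_mapping(table, "10.1.1.5", 100)                # user online in domain A
    results["user_from_domain_a"] = enforce(table, gbp, "10.1.1.5", "10.9.9.1")
    results["printer_to_server"] = enforce(table, gbp, "10.1.1.9", "10.9.9.1")
    delete_mapping(table, "10.1.1.5")                  # user goes offline, entry removed
    results["stale_ip_after_offline"] = enforce(table, gbp, "10.1.1.5", "10.9.9.1")
    add_mapping(table, "10.2.2.7", 100)                # same account, domain B, new IP
    results["user_from_domain_b"] = enforce(table, gbp, "10.2.2.7", "10.9.9.1")
    return results

if __name__ == "__main__":
    for name, action in scenario().items():
        print(f"{name}: {action}")
```

The stale-address case shows why the offline deletion in step 9 matters: once the entry is gone, traffic from the old address is no longer classified as the user's group.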
Restrictions and guidelines: IP-SGT mapping configuration
To use IP-SGT mapping, make sure an H3C IMC EIA server and an H3C SeerEngine-Campus controller are used, and that the DHCP server is a vDHCP server or a Microsoft DHCP server that supports tight coupling.
IP-SGT mapping tasks at a glance
To configure IP-SGT mapping, perform the following tasks:
· Enabling IP-SGT mapping
· Enabling SNMP notifications for IP-SGT mapping
Prerequisites for IP-SGT mapping configuration
· Establish a cloud connection between the executor and Unified Platform. For more information, see cloud connection in Network Management and Monitoring Configuration Guide.
· Configure user authentication settings on the authenticator and the EIA server. IP-SGT mapping supports 802.1X, MAC address, Web, and portal authentications. For more information about configuring authentication, see the corresponding section in this document.
NOTE:
· The administrator can deploy basic network configuration, 802.1X authentication, and IP-SGT mapping settings to devices directly through controller automated deployment, or manually configure those features on the devices.
· For more information about the controller and the EIA server, see AD-Campus Configuration Guide.
Enabling IP-SGT mapping
About this task
With IP-SGT mapping enabled, the executor identifies the source or destination IP address of a received packet and searches the IP-SGT mapping entries deployed by the EIA server in the FIB to obtain the microsegment ID. If a match is found, the executor processes the packet based on the action defined in the group policy.
Procedure
1. Enter system view.
system-view
2. Enable IP-SGT mapping.
ipsgt enable
By default, IP-SGT mapping is disabled.
Enabling SNMP notifications for IP-SGT mapping
About this task
To report critical IP-SGT events (such as connection or disconnection between the executor and the EIA server) to an NMS, enable SNMP notifications for IP-SGT mapping. For IP-SGT event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for IP-SGT mapping.
snmp-agent trap enable ipsgt
By default, SNMP notifications are disabled for IP-SGT mapping.
Display and maintenance commands for IP-SGT mapping
Execute the display commands in any view, and execute the reset command in user view.
| Task | Command |
|---|---|
| Display the operating status of IP-SGT mapping. | display ipsgt state |
| Display IP-SGT mapping statistics. | display ipsgt statistics |
| Display the IP-SGT mapping entries on the device. | display ipsgt map [ ip [ ipv4-address ] \| ipv6 [ ipv6-address ] \| microsegment microsegment-id ] [ vpn-instance vpn-instance-name ] |
| Clear IP-SGT mapping statistics. | reset ipsgt statistics |