Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Example for Configuring IP Address-based Microsegmentation (CE5880EI and CE6880EI)

Networking Requirements

On the distributed VXLAN gateway network (BGP EVPN) shown in Figure 5-5, a physical server, a database server, and two VMs (VM1 and VM2) are deployed in the data center. All four hosts belong to VPN instance vpn1; VM1 uses 192.168.10.1, VM2 192.168.20.1, the physical server 192.168.30.1, and the database server 192.168.40.1. Communication between them must satisfy the following requirements:
  • The physical server, VM1, and VM2 can access the database server.
  • The physical server and VM1/VM2 cannot access each other.
  • VM1 and VM2 can access each other.
Figure 5-5 Network diagram for configuring IP address-based microsegmentation
Table 5-2 Interface IP addresses

Device    Interface    IP Address
SwitchA   10GE1/0/1    192.168.2.1/24
          LoopBack0    2.2.2.2/32
SwitchB   10GE1/0/1    192.168.3.1/24
          LoopBack0    1.1.1.1/32
SwitchC   10GE1/0/1    192.168.2.2/24
          10GE1/0/2    192.168.3.2/24
          LoopBack0    3.3.3.3/32

Configuration Roadmap

The configuration roadmap is as follows:
  1. Enable microsegmentation.
  2. Configure a default microsegmentation policy.
  3. Configure EPGs and specify GBPs.

Procedure

  1. Configure the VXLAN network (BGP EVPN, distributed gateway). For details, see the configuration files at the end of this example.
  2. Enable microsegmentation.

    # Configure SwitchA. The configuration of SwitchB is similar and is not shown here.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA
    [*HUAWEI] commit
    [~SwitchA] traffic-segment enable
    [*SwitchA] commit

  3. Configure a default microsegmentation policy.

    # Configure SwitchA. The configuration of SwitchB is similar and is not shown here.

    [~SwitchA] traffic-segment unknown-segment permit    //Default action for traffic in which at least one endpoint belongs to no EPG. The default is permit.
    [~SwitchA] traffic-segment default-policy deny       //Default action for traffic between EPG members that no GBP rule matches. The default is deny.
    [~SwitchA] traffic-segment same-segment permit       //Action for traffic between members of the same EPG. The default is none.
    [*SwitchA] commit

    Note that with unknown-segment permit, a host whose address has not been added to any EPG is not restricted by microsegmentation at all. This is the default, and it is what allows hosts to be brought into the policy one at a time, but on a network where every host is expected to be covered it leaves a gap for any address that is missing from the EPG definitions. Review this setting against how complete your EPG membership is.

  4. Configure EPGs and specify GBPs.

    # On SwitchA, add VM1 (192.168.10.1) and VM2 (192.168.20.1) to EPG1, the physical server (192.168.30.1) to EPG2, and the database server (192.168.40.1) to EPG3. Members are identified by IP address within VPN instance vpn1. The configuration of SwitchB is similar and is not shown here.

    [~SwitchA] traffic-segment segment-id 32768 segment-name EPG1
    [*SwitchA-traffic-segment-32768] segment-member ip 192.168.10.1 32 vpn-instance vpn1
    [*SwitchA-traffic-segment-32768] segment-member ip 192.168.20.1 32 vpn-instance vpn1
    [*SwitchA-traffic-segment-32768] quit
    [*SwitchA] traffic-segment segment-id 32769 segment-name EPG2
    [*SwitchA-traffic-segment-32769] segment-member ip 192.168.30.1 32 vpn-instance vpn1
    [*SwitchA-traffic-segment-32769] quit
    [*SwitchA] traffic-segment segment-id 32770 segment-name EPG3
    [*SwitchA-traffic-segment-32770] segment-member ip 192.168.40.1 32 vpn-instance vpn1
    [*SwitchA-traffic-segment-32770] quit
    [*SwitchA] commit

    # On SwitchA, specify GBPs. The configuration of SwitchB is similar and is not shown here.

    [~SwitchA] segment classifier EPG1-EPG3    //Configure the matching rules for traffic between EPG1 and EPG3. A rule matches one direction only, so a rule is needed for each direction of the pair.
    [*SwitchA-segmentclassifier-EPG1-EPG3] rule permit source-segment 32768 destination-segment 32770
    [*SwitchA-segmentclassifier-EPG1-EPG3] rule permit source-segment 32770 destination-segment 32768
    [*SwitchA-segmentclassifier-EPG1-EPG3] quit
    [*SwitchA] commit
    [~SwitchA] segment classifier EPG2-EPG3    //Configure the matching rules for traffic between EPG2 and EPG3, again in both directions.
    [*SwitchA-segmentclassifier-EPG2-EPG3] rule permit source-segment 32769 destination-segment 32770
    [*SwitchA-segmentclassifier-EPG2-EPG3] rule permit source-segment 32770 destination-segment 32769
    [*SwitchA-segmentclassifier-EPG2-EPG3] quit
    [*SwitchA] commit
    [~SwitchA] segment behavior EPG1-EPG3    //Configure the behavior for traffic between EPG1 and EPG3. No action is set, so traffic matched by the classifier is permitted.
    [*SwitchA-segmentbehavior-EPG1-EPG3] quit
    [*SwitchA] commit
    [~SwitchA] segment behavior EPG2-EPG3    //Configure the behavior for traffic between EPG2 and EPG3. No action is set, so traffic matched by the classifier is permitted.
    [*SwitchA-segmentbehavior-EPG2-EPG3] quit
    [*SwitchA] commit
    [~SwitchA] segment policy GBP    //Create the policy that binds each classifier to its behavior and apply it to traffic between EPGs. No precedence is specified here; the values shown in the configuration files are assigned automatically.
    [*SwitchA-segmentpolicy-GBP] classifier EPG1-EPG3 behavior EPG1-EPG3
    [*SwitchA-segmentpolicy-GBP] classifier EPG2-EPG3 behavior EPG2-EPG3
    [*SwitchA-segmentpolicy-GBP] quit
    [*SwitchA] commit

  5. Verify the configuration.

    # Run the display traffic-segment configured-information command on SwitchA to check the EPG configuration.

    [~SwitchA] display traffic-segment configured-information
    ------------------------------------------------------------------------------
     Segment-Id          Segment-Name          Segment-Type          MemberNum
    ------------------------------------------------------------------------------
          32768          EPG1                  IPv4                          2
          32769          EPG2                  IPv4                          1
          32770          EPG3                  IPv4                          1
    ------------------------------------------------------------------------------
     Total:3 Segment,4 Member.
    ------------------------------------------------------------------------------

    After the configuration is complete, the following requirements are met:
    • The physical server, VM1, and VM2 can access the database server.
    • The physical server and VM1/VM2 cannot access each other.
    • VM1 and VM2 can access each other.

    The display output confirms only that the EPGs and their members exist; it does not show whether traffic is actually being filtered. To confirm enforcement, test reachability from each host (for example, with ping) in both directions and check that the results match the three requirements, including that a host in EPG1 cannot reach the physical server and vice versa.
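The policy configured in the steps above, evaluated offline. This is an added example written in Python; it is not Huawei code and not part of the original page. It parses the microsegmentation commands of the SwitchA configuration file, evaluates each source/destination pair in the order the page describes (EPG lookup, unknown-segment policy, same-segment policy, GBP classifier match, default-policy), checks the three networking requirements in both directions, and shows what happens to a host that was never added to an EPG. The stray address 192.168.50.1, the HARDENED_CONFIG variant (which assumes deny is the keyword opposite to the documented permit default of unknown-segment), and the evaluation details marked ASSUMPTION in the code are this example's own assumptions, not statements from the page.

```python
"""Offline check of the page's IP address-based microsegmentation policy (added example, not Huawei
code): parse the traffic-segment / segment blocks of a CloudEngine config, then evaluate src -> dst."""
import ipaddress
from dataclasses import dataclass, field

# Microsegmentation commands from the SwitchA configuration file on this page ('#' separators omitted).
SWITCHA_CONFIG = """\
traffic-segment same-segment permit
traffic-segment segment-id 32768 segment-name EPG1
 segment-member ip 192.168.10.1 255.255.255.255 vpn-instance vpn1
 segment-member ip 192.168.20.1 255.255.255.255 vpn-instance vpn1
traffic-segment segment-id 32769 segment-name EPG2
 segment-member ip 192.168.30.1 255.255.255.255 vpn-instance vpn1
traffic-segment segment-id 32770 segment-name EPG3
 segment-member ip 192.168.40.1 255.255.255.255 vpn-instance vpn1
segment classifier EPG1-EPG3
 rule permit source-segment 32768 destination-segment 32770
 rule permit source-segment 32770 destination-segment 32768
segment classifier EPG2-EPG3
 rule permit source-segment 32769 destination-segment 32770
 rule permit source-segment 32770 destination-segment 32769
segment behavior EPG1-EPG3
segment behavior EPG2-EPG3
segment policy GBP
 classifier EPG1-EPG3 behavior EPG1-EPG3 precedence 3
 classifier EPG2-EPG3 behavior EPG2-EPG3 precedence 6
traffic-segment enable
"""
# Same policy with unknown-segment flipped. ASSUMPTION: 'deny' is the alternative to the documented 'permit'.
HARDENED_CONFIG = SWITCHA_CONFIG.replace("traffic-segment enable",
                                         "traffic-segment unknown-segment deny\ntraffic-segment enable")
VM1, VM2, PHYS, DB = "192.168.10.1", "192.168.20.1", "192.168.30.1", "192.168.40.1"  # hosts of Figure 5-5
STRAY = "192.168.50.1"  # constructed: a host in vpn1 that was never added to any EPG


@dataclass
class SegmentPolicy:
    enabled: bool = False
    unknown_segment: str = "permit"                  # defaults as documented on the page
    default_policy: str = "deny"
    same_segment: str = "none"
    members: dict = field(default_factory=dict)      # (vpn-instance, ip_network) -> segment-id
    classifiers: dict = field(default_factory=dict)  # classifier name -> {(src_seg, dst_seg)}
    bindings: list = field(default_factory=list)     # (precedence, classifier, behavior)


def parse_config(text):
    """Parse only the constructs this page uses; an indented line belongs to the last top-level block."""
    pol, ctx = SegmentPolicy(), None
    for raw in text.splitlines():
        words = raw.split()
        if not raw.startswith(" "):                                   # top-level command
            ctx = None
            if raw.strip() == "traffic-segment enable":
                pol.enabled = True
            elif len(words) == 3 and words[0] == "traffic-segment" and words[1] in (
                    "unknown-segment", "default-policy", "same-segment"):
                setattr(pol, words[1].replace("-", "_"), words[2])
            elif words[:2] == ["traffic-segment", "segment-id"]:
                ctx = ("member", int(words[2]))
            elif words[:2] == ["segment", "classifier"]:
                ctx = ("rule", pol.classifiers.setdefault(words[2], set()))
            elif words[:2] == ["segment", "policy"]:
                ctx = ("binding", words[2])
        elif ctx and ctx[0] == "member" and words[:2] == ["segment-member", "ip"]:
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)  # mask or prefix length
            pol.members[(words[5], net)] = ctx[1]                               # words[4] == 'vpn-instance'
        elif ctx and ctx[0] == "rule" and words[:2] == ["rule", "permit"]:
            ctx[1].add((int(words[3]), int(words[5])))       # source-segment X destination-segment Y
        elif ctx and ctx[0] == "binding" and words[:1] == ["classifier"]:
            pol.bindings.append((int(words[5]) if len(words) > 5 else 0, words[1], words[3]))
    return pol


def segment_of(pol, vpn, ip):
    """Longest-prefix match against the EPG members of one VPN instance; None if the host is in no EPG."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, seg) for (v, net), seg in pol.members.items() if v == vpn and addr in net]
    return max(hits)[1] if hits else None


def evaluate(pol, src_ip, dst_ip, vpn="vpn1"):
    """'permit' or 'deny' for ONE direction; this is why the page installs a rule per direction of each pair."""
    if not pol.enabled:
        return "permit"                            # without 'traffic-segment enable' nothing is filtered
    src, dst = segment_of(pol, vpn, src_ip), segment_of(pol, vpn, dst_ip)
    if src is None or dst is None:
        return pol.unknown_segment                 # at least one endpoint belongs to no EPG
    if src == dst and pol.same_segment != "none":
        return pol.same_segment                    # ASSUMPTION: 'none' falls through to the rules below
    for _prec, cls, _beh in sorted(pol.bindings):  # ASSUMPTION: lower precedence value wins on overlap
        if (src, dst) in pol.classifiers.get(cls, ()):
            return "permit"                        # ASSUMPTION: the page's empty behavior blocks permit
    return pol.default_policy


def meets_requirements(pol):
    """The three 'Networking Requirements' above, each checked in both directions."""
    def both(a, b):
        return evaluate(pol, a, b), evaluate(pol, b, a)
    return (all(both(h, DB) == ("permit", "permit") for h in (VM1, VM2, PHYS))
            and all(both(h, PHYS) == ("deny", "deny") for h in (VM1, VM2))
            and both(VM1, VM2) == ("permit", "permit"))
```

meets_requirements(parse_config(SWITCHA_CONFIG)) returns True, and evaluate(parse_config(SWITCHA_CONFIG), STRAY, DB) returns "permit": with the page's unknown-segment permit default, a host that was never added to an EPG reaches the database server unhindered. The HARDENED_CONFIG variant returns "deny" for that host while still satisfying all three requirements; the cost is that every legitimate host in vpn1 must then be a member of some EPG. The same parser can be pointed at a switch's `display current-configuration` output to audit a deployed policy, and evaluate() returning "permit" for an empty configuration is the reminder that a missing `traffic-segment enable` silently disables the whole policy.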

Configuration Files

  • SwitchA configuration file

    #
    sysname SwitchA
    #
    evpn-overlay enable
    #
    traffic-segment same-segment permit
    #
    traffic-segment segment-id 32768 segment-name EPG1
     segment-member ip 192.168.10.1 255.255.255.255 vpn-instance vpn1
     segment-member ip 192.168.20.1 255.255.255.255 vpn-instance vpn1
    #
    traffic-segment segment-id 32769 segment-name EPG2
     segment-member ip 192.168.30.1 255.255.255.255 vpn-instance vpn1
    #
    traffic-segment segment-id 32770 segment-name EPG3
     segment-member ip 192.168.40.1 255.255.255.255 vpn-instance vpn1
    #
    segment classifier EPG1-EPG3
     rule permit source-segment 32768 destination-segment 32770
     rule permit source-segment 32770 destination-segment 32768
    #
    segment classifier EPG2-EPG3
     rule permit source-segment 32769 destination-segment 32770
     rule permit source-segment 32770 destination-segment 32769
    #
    segment behavior EPG1-EPG3
    #
    segment behavior EPG2-EPG3
    #
    segment policy GBP
     classifier EPG1-EPG3 behavior EPG1-EPG3 precedence 3
     classifier EPG2-EPG3 behavior EPG2-EPG3 precedence 6
    #
    traffic-segment enable
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 11:11
      vpn-target 1:1 export-extcommunity
      vpn-target 11:1 export-extcommunity evpn
      vpn-target 1:1 import-extcommunity
      vpn-target 11:1 import-extcommunity evpn
     vxlan vni 5010
    #
    bridge-domain 10
     vxlan vni 10
     evpn 
      route-distinguisher 10:1
      vpn-target 10:1 export-extcommunity
      vpn-target 11:1 export-extcommunity
      vpn-target 10:1 import-extcommunity
    #
    bridge-domain 20
     vxlan vni 20
     evpn 
      route-distinguisher 20:1
      vpn-target 20:1 export-extcommunity
      vpn-target 11:1 export-extcommunity
      vpn-target 20:1 import-extcommunity
    #
    interface Vbdif10
     ip binding vpn-instance vpn1
     ip address 192.168.10.2 255.255.255.0
     vxlan anycast-gateway enable
     arp collect host enable
    #
    interface Vbdif20
     ip binding vpn-instance vpn1
     ip address 192.168.20.2 255.255.255.0
     vxlan anycast-gateway enable
     arp collect host enable
    #
    interface 10GE1/0/1
     undo portswitch
     ip address 192.168.2.1 255.255.255.0
    #
    interface 10GE1/0/2.1 mode l2
     encapsulation dot1q vid 10
     bridge-domain 10
    #
    interface 10GE1/0/3.1 mode l2
     encapsulation dot1q vid 20
     bridge-domain 20
    #
    interface LoopBack0
     ip address 2.2.2.2 255.255.255.255
    #
    interface Nve1
     source 2.2.2.2
     vni 10 head-end peer-list protocol bgp
     vni 20 head-end peer-list protocol bgp
    #
    bgp 200
     peer 192.168.2.2 as-number 100
     #
     ipv4-family unicast
      network 2.2.2.2 255.255.255.255
      peer 192.168.2.2 enable
    #
    bgp 100 instance evpn1
     peer 3.3.3.3 as-number 100
     peer 3.3.3.3 connect-interface LoopBack0
     #
     l2vpn-family evpn
      policy vpn-target
      peer 3.3.3.3 enable
      peer 3.3.3.3 advertise irb
    #
    return
  • SwitchB configuration file

    #
    sysname SwitchB
    #
    evpn-overlay enable
    #
    traffic-segment same-segment permit
    #
    traffic-segment segment-id 32768 segment-name EPG1
     segment-member ip 192.168.10.1 255.255.255.255 vpn-instance vpn1
     segment-member ip 192.168.20.1 255.255.255.255 vpn-instance vpn1
    #
    traffic-segment segment-id 32769 segment-name EPG2
     segment-member ip 192.168.30.1 255.255.255.255 vpn-instance vpn1
    #
    traffic-segment segment-id 32770 segment-name EPG3
     segment-member ip 192.168.40.1 255.255.255.255 vpn-instance vpn1
    #
    segment classifier EPG1-EPG3
     rule permit source-segment 32768 destination-segment 32770
     rule permit source-segment 32770 destination-segment 32768
    #
    segment classifier EPG2-EPG3
     rule permit source-segment 32769 destination-segment 32770
     rule permit source-segment 32770 destination-segment 32769
    #
    segment behavior EPG1-EPG3
    #
    segment behavior EPG2-EPG3
    #
    segment policy GBP
     classifier EPG1-EPG3 behavior EPG1-EPG3 precedence 3
     classifier EPG2-EPG3 behavior EPG2-EPG3 precedence 6
    #
    traffic-segment enable
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 22:22
      vpn-target 2:2 export-extcommunity
      vpn-target 11:1 export-extcommunity evpn
      vpn-target 2:2 import-extcommunity
      vpn-target 11:1 import-extcommunity evpn
     vxlan vni 5010
    #
    bridge-domain 30
     vxlan vni 30
     evpn 
      route-distinguisher 30:1
      vpn-target 30:1 export-extcommunity
      vpn-target 11:1 export-extcommunity
      vpn-target 30:1 import-extcommunity
    #
    bridge-domain 40
     vxlan vni 40
     evpn 
      route-distinguisher 40:1
      vpn-target 40:1 export-extcommunity
      vpn-target 11:1 export-extcommunity
      vpn-target 40:1 import-extcommunity
    #
    interface Vbdif30
     ip binding vpn-instance vpn1
     ip address 192.168.30.2 255.255.255.0
     vxlan anycast-gateway enable
     arp collect host enable
    #
    interface Vbdif40
     ip binding vpn-instance vpn1
     ip address 192.168.40.2 255.255.255.0
     vxlan anycast-gateway enable
     arp collect host enable
    #
    interface 10GE1/0/1
     undo portswitch
     ip address 192.168.3.1 255.255.255.0
    #
    interface 10GE1/0/2.1 mode l2
     encapsulation dot1q vid 30
     bridge-domain 30
    #
    interface 10GE1/0/3.1 mode l2
     encapsulation dot1q vid 40
     bridge-domain 40
    #
    interface LoopBack0
     ip address 1.1.1.1 255.255.255.255
    #
    interface Nve1
     source 1.1.1.1
     vni 30 head-end peer-list protocol bgp
     vni 40 head-end peer-list protocol bgp
    #
    bgp 300
     peer 192.168.3.2 as-number 100
     #
     ipv4-family unicast
      network 1.1.1.1 255.255.255.255
      peer 192.168.3.2 enable
    #
    bgp 100 instance evpn1
     peer 3.3.3.3 as-number 100
     peer 3.3.3.3 connect-interface LoopBack0
     #
     l2vpn-family evpn
      policy vpn-target
      peer 3.3.3.3 enable
      peer 3.3.3.3 advertise irb
    #
    return
  • SwitchC configuration file

    #
    sysname SwitchC
    #
    evpn-overlay enable
    #
    interface 10GE1/0/1
     undo portswitch
     ip address 192.168.2.2 255.255.255.0
    #
    interface 10GE1/0/2
     undo portswitch
     ip address 192.168.3.2 255.255.255.0
    #
    interface LoopBack0
     ip address 3.3.3.3 255.255.255.255
    #
    bgp 100
     peer 192.168.2.1 as-number 200
     peer 192.168.3.1 as-number 300
     #
     ipv4-family unicast
      network 3.3.3.3 255.255.255.255
      peer 192.168.2.1 enable
      peer 192.168.3.1 enable
    #
    bgp 100 instance evpn1
     peer 2.2.2.2 as-number 100
     peer 2.2.2.2 connect-interface LoopBack0
     peer 1.1.1.1 as-number 100
     peer 1.1.1.1 connect-interface LoopBack0
     #
     l2vpn-family evpn
      undo policy vpn-target
      peer 2.2.2.2 enable
      peer 2.2.2.2 advertise irb
      peer 2.2.2.2 reflect-client
      peer 1.1.1.1 enable
      peer 1.1.1.1 advertise irb
      peer 1.1.1.1 reflect-client
    #
    return
Updated: 2019-04-20

Document ID: EDOC1100074765