Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configuration of security features, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separation of the management plane from the service plane, and security risks.
Overview of Microsegmentation

Microsegmentation, also called EPG-based secure isolation, groups servers on a data center network based on rules. It applies traffic control policies based on End Point Groups (EPGs) to simplify O&M and implement secure management and control.


Enterprises face increasing security risks as stored data, applications, and internal traffic increase on data center networks. Using traditional network methods such as subnet assignment and ACLs to isolate services brings the following issues:
  • Virtual Local Area Network (VLAN) IDs or VXLAN network identifiers (VNIs) can be used to divide subnets for service isolation (for example, isolating services in subnets A and B), but services on servers in the same subnet cannot be isolated. When different subnets share a gateway, servers in these subnets cannot be isolated because the gateway has a route to each subnet.
  • ACLs can be configured to isolate servers. However, data center networks contain many servers, and many ACL rules need to be deployed to isolate servers. This complicates configuration and maintenance. In addition, ACL resources of network devices are limited and cannot meet customer requirements.

Microsegmentation addresses the preceding issues. On a VXLAN network, microsegmentation provides grouping rules with finer granularity than subnets. For example, microsegmentation supports IP address-based or IP address segment-based grouping. In addition, microsegmentation is easy to deploy. You only need to add servers on the VXLAN network to EPGs and deploy traffic control policies based on EPGs.


Microsegmentation implements service isolation on servers of a VXLAN network and ensures secure management and control for the VXLAN network. The configuration and maintenance are simple, reducing configuration and maintenance costs.
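The grouping and policy lookup described above can be modeled in a few lines of Python. This is an added example, not Huawei code or device configuration; the EPG names, addresses, host counts, most-specific-match rule, and default-deny action are assumptions of the model.

```python
import ipaddress

# Constructed sample data. All three "web"/"db"/"quarantine" members sit in
# the same 10.1.1.0/24 subnet, which subnet-based isolation cannot separate.
EPG_MEMBERS = {
    "web": ["10.1.1.0/28"],                    # IP address segment-based grouping
    "db": ["10.1.1.20/32", "10.1.1.21/32"],    # IP address-based grouping
    "quarantine": ["10.1.1.9/32"],             # single host inside the web segment
    "mgmt": ["10.1.2.0/24"],
}
# One entry per (source EPG, destination EPG) pair, independent of host count.
EPG_POLICY = {
    ("web", "db"): "permit",
    ("mgmt", "web"): "permit",
    ("mgmt", "db"): "permit",
    ("web", "web"): "deny",    # isolate members of the same group from each other
}
DEFAULT_ACTION = "deny"        # assumption of this model for unlisted pairs

def classify(ip):
    """Return the EPG whose most specific member entry contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for epg, prefixes in EPG_MEMBERS.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (epg, net.prefixlen)
    return best[0] if best else None

def decide(src_ip, dst_ip):
    """Look up the action for a flow by the EPGs of its endpoints."""
    src, dst = classify(src_ip), classify(dst_ip)
    if src is None or dst is None:
        return "unclassified"  # endpoint is in no EPG, so no EPG policy applies
    return EPG_POLICY.get((src, dst), DEFAULT_ACTION)

def per_host_acl_rules(hosts_per_group):
    """Rules needed if every policy entry were expanded host pair by host pair."""
    return sum(hosts_per_group[s] * hosts_per_group[d] for s, d in EPG_POLICY)

if __name__ == "__main__":
    print(decide("10.1.1.3", "10.1.1.20"))    # web -> db, same subnet
    print(decide("10.1.1.20", "10.1.1.3"))    # db -> web, not listed
    print(per_host_acl_rules({"web": 14, "db": 2, "mgmt": 50}), "vs", len(EPG_POLICY))
```

With the constructed host counts, the four EPG policy entries stand in for 1024 host-pair ACL rules, which is the scaling problem the ACL bullet describes.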

Updated: 2019-04-20

Document ID: EDOC1100074765
