Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the security configurations, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, and security risks.
Understanding Microsegmentation

Basic Concepts

  • End Point Group (EPG)

    Servers are allocated to EPGs based on rules.

    After servers are allocated to EPGs, the servers that do not belong to any EPG are unknown EPG members and the servers that belong to EPGs are EPG members. Multiple servers can belong to the same EPG.

  • Group Based Policy (GBP)

    GBP defines traffic control for members in an EPG or in different EPGs.

    You can change the default GBP as needed and specify GBPs for EPGs. The default GBP is as follows:
    • The default access control policy for unknown EPG members is permit; that is, unknown EPG members can communicate with each other.
    • The default access control policy for EPG members is deny; that is, members cannot communicate with each other regardless of their EPG.
    • The default access control policy for members in the same EPG is none; that is, no intra-EPG access control is performed, and the device instead applies the default access control policy to those members.

      When the default access control policy for members in the same EPG is set to something other than none, that configured policy is applied to the members.

Microsegmentation Information in the VXLAN Packet Header

In Figure 5-1, the source VXLAN Tunnel Endpoint (VTEP) sends microsegmentation information to the destination VTEP using the G flag bit and Group Policy ID field in the VXLAN packet header.
Figure 5-1 Microsegmentation information in the VXLAN packet header
  • G flag bit: The default value is 0. When the value is 1, it indicates that the Group Policy ID field in the VXLAN packet header is valid and carries the ID of the EPG that the source server belongs to.
  • Group Policy ID field: Meaningful only when the G flag bit is 1; it then carries the ID of the EPG that the source server belongs to.
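The following is an added example, not part of the Huawei document, showing how a source VTEP would fill in the G flag bit and Group Policy ID field and how a destination VTEP would read them back. The page names the two fields but not their bit positions; the layout below (G as the high bit of the first byte, a 16-bit Group Policy ID in bytes 2 and 3, the 24-bit VNI in bytes 4 to 6) is taken from the VXLAN Group Policy Option draft (draft-smith-vxlan-group-policy) and is an assumption on the page's behalf. The function names and the sample VNI and EPG values are constructed for the example.

```python
import struct

# Bit positions follow the VXLAN Group Policy Option draft
# (draft-smith-vxlan-group-policy); the page names the fields but not the bits.
VXLAN_FLAG_G = 0x80   # Group Policy ID field is valid
VXLAN_FLAG_I = 0x08   # VNI field is valid (always set in a real VXLAN header)
VXLAN_HDR_LEN = 8


def encode_vxlan_gbp(vni, source_epg=None):
    """Build an 8-byte VXLAN header as the source VTEP would.

    With source_epg given, G is set to 1 and the EPG ID of the source server
    is written into the Group Policy ID field; otherwise G stays 0 and the
    field is left zero.
    """
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    flags = VXLAN_FLAG_I
    group_policy_id = 0
    if source_epg is not None:
        if not 0 <= source_epg <= 0xFFFF:
            raise ValueError("Group Policy ID must fit in 16 bits")
        flags |= VXLAN_FLAG_G
        group_policy_id = source_epg
    # flags(8) | reserved(8) | Group Policy ID(16) | VNI(24) | reserved(8)
    return struct.pack("!BBHI", flags, 0, group_policy_id, vni << 8)


def decode_vxlan_gbp(header):
    """Parse the header the way a destination VTEP would.

    Returns (vni, source_epg). source_epg is None whenever G is 0, regardless
    of what the Group Policy ID bytes contain: the field is only meaningful
    when the G flag bit is set, so stale bytes there must not be trusted.
    """
    if len(header) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    flags, _, group_policy_id, vni_word = struct.unpack(
        "!BBHI", header[:VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI")
    source_epg = group_policy_id if flags & VXLAN_FLAG_G else None
    return vni_word >> 8, source_epg


if __name__ == "__main__":
    # Constructed sample: VNI 5000, source server in EPG 1
    hdr = encode_vxlan_gbp(5000, source_epg=1)
    print(hdr.hex(), decode_vxlan_gbp(hdr))
```

The decoder deliberately discards the Group Policy ID when G is 0: a destination VTEP that read the field unconditionally could be steered into the wrong GBP lookup by leftover bytes in a header that carries no microsegmentation information.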

Implementation

When microsegmentation is applied to a VXLAN network, the destination VTEP performs traffic control based on GBP. To control bidirectional traffic, deploy microsegmentation on both the source and destination VTEPs.

Local Forwarding of Layer 3 Packets on the VXLAN Network

On the distributed VXLAN network shown in Figure 5-2, Leaf1 is VTEP1 and connected to Host1 and Host2. Access traffic between Host1 and Host2 only needs to be forwarded on Leaf1. Host1 belongs to EPG1 and Host2 belongs to EPG2.
Figure 5-2 Local forwarding of Layer 3 packets on the VXLAN network
Host1's access to Host2 exemplifies microsegmentation when Layer 3 packets are locally forwarded on the VXLAN network.
  1. After VTEP1 receives packets sent from Host1 to Host2, it obtains the source IP address of 192.168.10.1 and destination IP address of 192.168.20.2 from the packets.
  2. According to the source IP address, VTEP1 searches for TCAM entries based on the longest match principle and obtains the ID of the EPG (EPG1) that Host1 belongs to.
  3. According to the destination IP address, VTEP1 searches for the routing table and finds that Host2 is also connected to VTEP1. That is, packets only need to be forwarded locally. According to the destination IP address, VTEP1 searches for TCAM entries based on the longest match principle and obtains the ID of the EPG (EPG2) that Host2 belongs to.
  4. VTEP1 searches for TCAM entries based on EPG1 and EPG2, the groups that Host1 and Host2 belong to, respectively. It obtains the GBPs between EPG1 and EPG2 and performs traffic control based on these GBPs.

Inter-device Forwarding of Layer 3 Packets on the VXLAN Network

On the distributed VXLAN network shown in Figure 5-3, Leaf1 and Leaf2 are VTEP1 and VTEP2 and are connected to Host1 and Host3, respectively. Access traffic between Host1 and Host3 needs to be forwarded over the VXLAN tunnel across devices. Host1 belongs to EPG1 and Host3 belongs to EPG3.
Figure 5-3 Inter-device forwarding of Layer 3 packets on the VXLAN network
Host1's access to Host3 exemplifies microsegmentation when Layer 3 packets are forwarded across devices on the VXLAN network.
  1. After VTEP1 receives packets sent from Host1 to Host3, it obtains the source IP address of 192.168.10.1 and destination IP address of 192.168.30.3 from the packets.
  2. According to the source IP address, VTEP1 searches for TCAM entries based on the longest match principle and obtains the ID of the EPG (EPG1) that Host1 belongs to.
  3. According to the destination IP address, VTEP1 searches the routing table and finds that Host3 is connected to VTEP2, so the packets must be encapsulated with a VXLAN header and forwarded over the VXLAN tunnel across devices. During VXLAN encapsulation, VTEP1 sets the G flag bit in the VXLAN packet header to 1, writes the ID of EPG1 (the group Host1 belongs to) into the Group Policy ID field, and sends the packets to VTEP2.
  4. After receiving the VXLAN packets sent by VTEP1, VTEP2 decapsulates them. VTEP2 finds that the G flag bit is 1 and obtains EPG1, the group of Host1, from the Group Policy ID field.
  5. According to the inner destination IP address, VTEP2 searches for TCAM entries based on the longest match principle and obtains the ID of the EPG (EPG3) that Host3 belongs to.
  6. VTEP2 searches for TCAM entries based on EPG1 and EPG3 that Host1 and Host3 belong to, respectively. It obtains GBPs between EPG1 and EPG3 and performs traffic control based on GBPs.
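The two procedures above (local forwarding on VTEP1, and inter-device forwarding where VTEP1 classifies the source and VTEP2 classifies the destination) share the same two lookups: a longest-match search from IP address to EPG ID, and a GBP lookup keyed by the source and destination EPG IDs with the default policies from the Basic Concepts section as fallbacks. The following added example, which is not Huawei code, models both procedures in software. The prefix-to-EPG rules, the GBP table, the function names and the IP addresses beyond those on the page are constructed; how an unknown member talking to an EPG member is handled is not stated on the page and is modelled here as falling under the EPG-member default (an assumption).

```python
import ipaddress

# Constructed EPG membership rules (prefix -> EPG ID), standing in for the
# TCAM entries. The /32 shows that the longest match wins over the /24.
EPG_RULES = {
    "192.168.10.0/24": 1,    # Host1 (192.168.10.1) -> EPG1
    "192.168.20.0/24": 2,    # Host2 (192.168.20.2) -> EPG2
    "192.168.30.0/24": 3,    # Host3 (192.168.30.3) -> EPG3
    "192.168.10.200/32": 4,  # hypothetical host carved out of EPG1 into EPG4
}

# Constructed GBPs, keyed (source EPG, destination EPG). Only these two
# directions are configured, so the reverse directions fall to the defaults.
GBP = {
    (1, 2): "permit",
    (1, 3): "permit",
}

# Default policies as stated on the page: unknown members may talk to each
# other, EPG members are denied, and intra-EPG control is "none" (fall through).
DEFAULTS = {"unknown": "permit", "epg": "deny", "intra_epg": "none"}


def classify(ip, rules=EPG_RULES):
    """Longest-prefix match of ip against the EPG rules.

    Returns the EPG ID, or None for an unknown EPG member.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, epg in rules.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, epg)
    return None if best is None else best[1]


def policy(src_epg, dst_epg, gbp=GBP, defaults=DEFAULTS):
    """Resolve the GBP for a (source, destination) EPG pair."""
    if src_epg is None and dst_epg is None:
        return defaults["unknown"]          # both unknown: page says permit
    if (src_epg, dst_epg) in gbp:
        return gbp[(src_epg, dst_epg)]      # explicitly configured GBP
    if src_epg == dst_epg and defaults["intra_epg"] != "none":
        return defaults["intra_epg"]        # configured intra-EPG default
    # Different EPGs, intra-EPG "none", or (assumption) unknown-to-member
    return defaults["epg"]


def local_forward(src_ip, dst_ip):
    """Local forwarding: one VTEP classifies both addresses itself."""
    return policy(classify(src_ip), classify(dst_ip))


def ingress_vtep(src_ip):
    """Source VTEP: the value it would write into the Group Policy ID field
    (None means G stays 0)."""
    return classify(src_ip)


def egress_vtep(group_policy_id, dst_ip):
    """Destination VTEP: source EPG comes from the header, destination EPG
    from its own longest-match lookup."""
    return policy(group_policy_id, classify(dst_ip))


def inter_device_forward(src_ip, dst_ip):
    """Inter-device forwarding: the source EPG crosses the tunnel in the header."""
    return egress_vtep(ingress_vtep(src_ip), dst_ip)


if __name__ == "__main__":
    print("Host1 -> Host2 (local):", local_forward("192.168.10.1", "192.168.20.2"))
    print("Host2 -> Host1 (local):", local_forward("192.168.20.2", "192.168.10.1"))
    print("Host1 -> Host3 (tunnel):", inter_device_forward("192.168.10.1", "192.168.30.3"))
```

Running it shows why the page says to deploy microsegmentation on both VTEPs: Host1 to Host2 is permitted by the configured GBP, but the return direction has no (2, 1) entry and falls to the deny default, so each direction needs its own policy on the VTEP that evaluates it.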
Updated: 2019-04-20

Document ID: EDOC1100074765