Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configuration of security features, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, and security risks.
Configuring Default Microsegmentation Policies

Context

On a network, servers can be deployed in EPGs as needed. The servers that do not belong to any EPG are unknown EPG members and the servers that belong to EPGs are EPG members. Multiple servers can belong to the same EPG.

After EPGs are deployed, if no GBP is specified for the EPGs, the device uses the default policy to perform access control for servers. Depending on the EPG member role of a server, there are three default microsegmentation policies: the access control policy for unknown EPG members, the default access control policy for EPG members, and the default access control policy for members in an EPG.

Procedure

  • Configure an access control policy for unknown EPG members.
    1. Run system-view

      The system view is displayed.

    2. Run traffic-segment unknown-segment { permit | deny }

      An access control policy is configured for unknown EPG members.

      By default, the access control policy for unknown EPG members is permit; that is, unknown EPG members can communicate with each other.

    3. Run commit

      The configuration is committed.

  • Configure the default access control policy for EPG members.
    1. Run system-view

      The system view is displayed.

    2. Run traffic-segment default-policy { permit | deny }

      The default access control policy is configured for EPG members.

      By default, the access control policy for EPG members is deny.
      • On the CE5880EI and CE6880EI, EPG members cannot communicate with each other, regardless of whether they are in the same or different EPGs.
      • On the CE6857EI, CE6865EI, CE8861EI, and CE8868EI, members in an EPG cannot communicate with members in other EPGs.

    3. Run commit

      The configuration is committed.

  • Configure the default access control policy for members in an EPG.

    NOTE:

    For the CE6857EI, CE6865EI, CE8861EI, and CE8868EI, the default access control policy is always permit for members in an EPG.

    1. Run system-view

      The system view is displayed.

    2. Run traffic-segment same-segment { none | permit | deny }

      The default access control policy is configured for members in an EPG.

      By default, the access control policy for members in an EPG is none; that is, access control is not performed for members in an EPG. Instead, the device uses the default access control policy to perform access control for them.

      When the default access control policy for members in an EPG is not none, the configured default access control policy is used for the members.

    3. Run commit

      The configuration is committed.
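
The following added example (not part of the original guide and not Huawei code) models how the three settings above combine into the verdict applied when no GBP matches, so a configuration can be reviewed before it is committed. The function names, the EPG names "web" and "db", and the sample configuration lines are constructed; traffic between an unknown EPG member and an EPG member is reported as "unspecified" because this procedure does not describe it.

```python
import re

# Models for which the guide says traffic inside one EPG is always permitted.
SAME_SEGMENT_ALWAYS_PERMIT = {"CE6857EI", "CE6865EI", "CE8861EI", "CE8868EI"}
# Default values stated in the procedure.
DEFAULTS = {"unknown-segment": "permit", "default-policy": "deny", "same-segment": "none"}

_CMD = re.compile(
    r"^\s*traffic-segment\s+(unknown-segment|default-policy|same-segment)"
    r"\s+(none|permit|deny)\s*$"
)

# Constructed sample: the commands as typed in the system view.
SAMPLE = (
    "traffic-segment unknown-segment deny\n"
    "traffic-segment same-segment permit\n"
)


def parse_defaults(config_text):
    """Collect the three settings, keeping the documented default if absent."""
    settings = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = _CMD.match(line)
        if not m:
            continue
        if m.group(2) == "none" and m.group(1) != "same-segment":
            continue  # only same-segment accepts "none"
        settings[m.group(1)] = m.group(2)
    return settings


def default_verdict(src_epg, dst_epg, settings, model):
    """Verdict when no GBP matches. An EPG of None means an unknown EPG member."""
    if src_epg is None and dst_epg is None:
        return settings["unknown-segment"]
    if src_epg is None or dst_epg is None:
        return "unspecified"  # not covered by this procedure
    if src_epg == dst_epg:
        if model in SAME_SEGMENT_ALWAYS_PERMIT:
            return "permit"
        if settings["same-segment"] != "none":
            return settings["same-segment"]
    # Different EPGs, or same EPG with same-segment set to none.
    return settings["default-policy"]


if __name__ == "__main__":
    cfg = parse_defaults(SAMPLE)
    for pair in [(None, None), ("web", "web"), ("web", "db")]:
        print(pair, default_verdict(pair[0], pair[1], cfg, "CE6880EI"))
```

With the factory defaults, the model shows that unknown EPG members can reach each other while EPG members cannot, which is why changing unknown-segment to deny is the setting to review first on a segmented network.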

Updated: 2019-04-20

Document ID: EDOC1100074765
