Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Configuring EPGs and Specifying GBPs

Context

On a network, servers are added to end point groups (EPGs) as needed, and group-based policies (GBPs) are specified for the packets that match those EPGs. The policies control which traffic is allowed between the servers in the groups. Membership in an EPG is defined by IP address, so a GBP is only as reliable as the binding between a server and its address.

Currently, a GBP can be specified in non-MQC mode or in MQC mode. Non-MQC mode is recommended; MQC mode is retained for models that do not support the non-MQC commands.

Procedure

  1. Configure an EPG.
    1. Run system-view

      The system view is displayed.

    2. Run traffic-segment segment-id segment-id [ segment-name segment-name ]

      An EPG is created and the EPG view is displayed.

      By default, no EPG exists.

    3. (Optional) Run description

      The description of an EPG is configured.

      By default, the description of an EPG is not configured.

    4. Run segment-member ip ip-address { mask | mask-length } [ vpn-instance vpn-instance-name ]

      A specified IP address is added to an EPG.

      By default, no IP address is contained in an EPG.

    5. (Optional) Run segment-statistics enable

      The statistics collection function is enabled for the EPG.

      By default, the statistics collection function is disabled for an EPG.

      NOTE:

      Only the CE6857EI, CE6865EI, CE8861EI, and CE8868EI support this command.

    6. Run quit

      Return to the system view.

    7. Run commit

      The configuration is committed.

  2. Specify a GBP using non-MQC mode (recommended).
    1. Run segment classifier classifier-name

      A segment classifier is created and the segment classifier view is displayed, or the existing segment classifier view is displayed.

      By default, no segment classifier is created in the system.

    2. Run rule permit { source-segment segment-id | destination-segment segment-id } * [ protocol { protocol-value1 | { protocol-value2 | tcp | udp } [ source-port { eq port | gt port | lt port | range port-start port-end } | destination-port { eq port | gt port | lt port | range port-start port-end } ] * } ]

      A match rule is configured in the segment classifier view. Port matching is available only when the protocol is TCP or UDP (the tcp and udp keywords, or the corresponding IP protocol number given as protocol-value2).

      By default, no rule is configured in the segment classifier view.

    3. Run quit

      The system view is displayed.

    4. Run segment behavior behavior-name

      A segment behavior is created and the segment behavior view is displayed, or the existing segment behavior view is displayed.

      By default, no segment behavior is created in the system.

    5. (Optional) Run statistics enable

      The traffic statistics function is enabled in the segment behavior view.

      By default, the traffic statistics collection function is disabled in the segment behavior view.

    6. Run quit

      The system view is displayed.

    7. Run segment policy policy-name

      A segment policy is created and the segment policy view is displayed, or the existing segment policy view is displayed. Unlike a traffic policy in MQC mode, a segment policy is applied automatically when it is created; no separate apply command is needed.

      By default, no segment policy is created or applied in the system.

    8. Run classifier classifier-name behavior behavior-name [ precedence precedence-value ]

      A segment behavior is bound to a segment classifier in a segment policy. When a packet matches more than one classifier in the policy, the binding with the smaller precedence value takes effect.

    9. Run quit

      The system view is displayed.

    10. Run commit

      The configuration is committed.

  3. Specify a GBP using MQC mode (not recommended).
    NOTE:

    The CE6857EI, CE6865EI, CE8861EI, and CE8868EI do not support this mode.

    1. Run traffic classifier classifier-name [ type or ]

      A traffic classifier is created and the traffic classifier view is displayed.

      By default, no traffic classifier is created in the system.

    2. Run if-match { source-segment { segment-id | segment-name } | destination-segment { segment-id | segment-name } } * [ protocol { protocol-value1 | protocol-value2 [ source-port { port | range port-start port-end } | destination-port { port | range port-start port-end } ] * } ]

      A matching rule based on an EPG is created in the traffic classifier.

      By default, no matching rules based on EPGs are configured in a traffic classifier.

    3. Run quit

      Return to the system view.

    4. Run traffic behavior behavior-name

      A traffic behavior is created and the traffic behavior view is displayed, or the existing traffic behavior view is displayed.

    5. Run the following commands as required.
      • Run the permit command to forward packets matching the traffic classifier based on the original policy.
      • Run the deny command to deny packets matching the traffic classifier.
      • Run the statistics enable command to enable the traffic statistics function.
    6. Run quit

      Return to the system view.

    7. Run traffic policy policy-name

      A traffic policy is created and the traffic policy view is displayed, or the view of an existing traffic policy is displayed.

    8. Run classifier classifier-name behavior behavior-name [ precedence precedence-value ]

      A traffic behavior is bound to a traffic classifier in the traffic policy.

    9. Run quit

      Return to the system view.

    10. Run traffic-policy policy-name global [ slot slot-id ] inbound

      The traffic policy is applied to the system in the inbound direction.

    11. Run commit

      The configuration is committed.
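The following command sequence is an added illustration, not configuration taken from the Huawei document, and walks the recommended non-MQC procedure end to end: two EPGs (a web tier and a database tier), one segment classifier that matches web-to-database traffic on TCP port 3306, a segment behavior that counts the matches, and a segment policy that binds them. The segment IDs and names, the addresses, the classifier, behavior and policy names and the port number are assumptions chosen for the example. CLI prompts are omitted so that only the commands documented above appear; lines starting with # are annotations, not commands.

```text
# Added example; all identifiers and addresses are assumptions.
system-view

# Step 1: create the EPGs and populate them by IP address.
traffic-segment segment-id 100 segment-name web
 description Web front-end servers
 segment-member ip 10.1.1.0 24
 quit
traffic-segment segment-id 200 segment-name db
 description Database servers
 segment-member ip 10.1.2.10 32
 segment-member ip 10.1.2.11 32
 # segment-statistics enable   (optional; CE6857EI/CE6865EI/CE8861EI/CE8868EI only)
 quit
commit

# Step 2 (non-MQC mode): classify web -> db traffic on TCP/3306.
segment classifier web-to-db
 rule permit source-segment 100 destination-segment 200 protocol tcp destination-port eq 3306
 quit

# Behavior that counts the packets matched by the classifier.
segment behavior count-web-db
 statistics enable
 quit

# Policy binding classifier and behavior; it is applied on creation.
segment policy tier-isolation
 classifier web-to-db behavior count-web-db precedence 10
 quit
commit
```

Commit after step 1 so that the EPGs exist before the classifier references their segment IDs. Because membership is defined only by address and mask (segment-member ip), a host that spoofs an address inside 10.1.1.0/24 is classified as a web server; the ARP security, DHCP snooping and IPSG chapters of this guide are the controls that keep the address-to-port binding trustworthy. This page documents only the permit match form and the statistics action for non-MQC mode and does not state how traffic that matches no rule is treated, so confirm the behaviour of unmatched traffic between a test host pair before relying on the policy for isolation.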

Updated: 2019-04-20

Document ID: EDOC1100074765