Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Licensing Requirements and Limitations for Microsegmentation

Involved Network Elements

You can configure microsegmentation on the Agile Controller-DCN or in single-node mode. Different network elements (NEs) are required for the two configuration modes. During the configuration, select a proper controller version.

Configuration Mode        | Product          | Description
--------------------------|------------------|---------------------------------------------------------------------------------------------------------------------
Agile Controller-DCN mode | Agile Controller | The controller configures EPGs and GBPs and delivers the configurations to the forwarder through the NETCONF interface.
Single-node mode          | -                | Other network elements are not required.

Licensing Requirements

Microsegmentation is a basic feature of a switch and is not under license control.

Version Requirements

Table 5-1 Products and minimum version supporting microsegmentation

Product  | Minimum Version Required
---------|-------------------------
CE5880EI | V200R005C10
CE6857EI | V200R005C10
CE6865EI | V200R005C10
CE6880EI | V200R003C00
CE8861EI | V200R005C10
CE8868EI | V200R005C10

Feature Limitations

Limitations of microsegmentation
  • Microsegmentation is available only on the distributed Layer 3 VXLAN gateway networking.
  • Microsegmentation is valid only for Layer 3 known IPv4 unicast traffic on a VXLAN overlay network.
  • Microsegmentation does not support EPG 0, which is invalid.
  • One member can join only one EPG.
  • When the GBPs between EPGs match on Layer 4 port numbers, the default action for non-first fragments of TCP or UDP packets is permit, because non-first fragments carry no Layer 4 header to match. Adjust the MTU of each server and of the forwarder so that packets are not fragmented.
  • Microsegmentation cannot be configured with the MQC-based traffic policy that defines VXLAN reserved field re-marking.

Limitations on configuring GBPs using a non-MQC mode

  • GBPs include permit and traffic statistics collection, and can only be applied to the system in the inbound direction.
  • When you modify a segment policy, or the segment classifier and segment behavior bound to a segment policy, the device processes the rules in sequence: it delivers the new segment policy first and then deletes the segment policy being modified. To prevent rule modification failures, ensure that the remaining ACL resources exceed the largest number of chip resources occupied by any single rule in the segment policy.
  • If you enable traffic statistics collection for a segment behavior that is already bound to a segment policy, the function takes effect only after a delay. The delay is proportional to the number of rules in the segment classifier that corresponds to the segment behavior and, in extreme cases, can reach minutes. Enable traffic statistics collection for a segment behavior before binding the segment classifier and segment behavior to a segment policy.

Limitations on configuring GBPs using MQC mode

  • GBPs include permit, deny, and traffic statistics collection, and can only be applied to the system in the inbound direction.
  • By default, the system deletes the old GBPs before adding the new ones when GBPs are updated, so microsegmentation services are interrupted during the update.

    To avoid this interruption, run the traffic-policy atomic-update-mode command in the system view so that traffic continues to be forwarded while GBPs are modified. With this function enabled, the system first delivers the new GBPs and then deletes the old ones, so the remaining ACL resources must be at least twice the number of chip resources occupied by the GBPs.

  • When an action defined in a GBP conflicts with an action in the MQC-based traffic policy, the action in the MQC-based traffic policy takes effect.
  • Microsegmentation, MQC-based traffic policy, and service ACL share resources. When all these functions are used simultaneously and resources are insufficient, you need to adjust services to ensure that services can be delivered.

Limitations on the CE6857EI, CE6865EI, CE8861EI, and CE8868EI

  • A stack does not support the microsegmentation feature.
  • Configuring GBPs using MQC mode is not supported.
  • The access control policies for unknown EPG members apply only to unknown source EPGs, not to unknown destination EPGs. The action for unknown destination EPGs is always permit.
  • The default access control policy between members of the same EPG is always permit.
  • If members of EPG A communicate with members of EPG B on both the local and the remote device, the local device's traffic statistics for EPG A to EPG B also include the traffic exchanged with EPG B members on the remote device.
  • For members with different VPN instances (including the public network), IP addresses cannot overlap. For example, members with the IP addresses 1.1.1.1/32 on the public network and 1.1.1.1/24 in a VPN cannot co-exist on a device.

    For members with the same VPN instance (including the public network), IP addresses with a 32-bit mask cannot overlap with those that have a non-32-bit mask. For example, members with the IP addresses 1.1.1.1/32 and 1.1.1.1/24 on the public network cannot co-exist on a device.

  • The entire device supports only three non-32-bit subnet masks.
  • Microsegmentation cannot be configured with differentiated scheduling for elephant and mice flows in lossless queues on low-latency networks.
  • Microsegmentation can be configured only when the UFT flexible resource mode of ACL entries is epg.
  • Microsegmentation cannot be configured with a QoS group containing members of the IP address type.
  • Microsegmentation cannot be configured with an MQC policy for re-marking the local ID.
  • Microsegmentation, MAC, ARP, and FIB share resources. When all these functions are used simultaneously and resources are insufficient, you need to adjust services to ensure that services can be delivered.
  • For inter-VPN access, an IP address must be added as an EPG member under both VPN instances.

    For example, assume that Server 1 at 1.1.1.1/32 belongs to EPG 1 and VPN1 and Server 2 at 2.2.2.2/32 belongs to EPG 2 and VPN2. Members of EPG 1 include segment-member ip 1.1.1.1 32 vpn-instance VPN1 and segment-member ip 1.1.1.1 32 vpn-instance VPN2; members of EPG 2 include segment-member ip 2.2.2.2 32 vpn-instance VPN2 and segment-member ip 2.2.2.2 32 vpn-instance VPN1.

  • In an inter-VPN access scenario, microsegmentation does not support traffic diversion implemented only by specifying the VPN instance (no outbound interface or next hop address) or specifying the static route with the destination address being a public address (without specifying the next-hop address).
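The member-overlap, EPG 0, single-EPG and three-mask limits above can be checked before a configuration is pushed. The following validator is an added example, not Huawei code; it assumes the overlap rules as worded in the bullets (identical prefixes in two VPN instances are allowed, since the inter-VPN access example requires them) and uses a constructed "public" label for members without a vpn-instance.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List

PUBLIC = "public"       # constructed label for members configured without a vpn-instance
MAX_NON_32_MASKS = 3    # the device supports only three non-32-bit subnet masks


@dataclass(frozen=True)
class Member:
    epg: int
    net: IPv4Network
    vpn: str = PUBLIC


def parse_member(epg: int, text: str) -> Member:
    """Parse the argument form used on the page: 'ip 1.1.1.1 32 [vpn-instance VPN1]'."""
    p = text.split()
    if len(p) < 3 or p[0] != "ip":
        raise ValueError(f"unsupported member syntax: {text!r}")
    net = IPv4Network(f"{p[1]}/{p[2]}", strict=False)  # 1.1.1.1/24 becomes 1.1.1.0/24
    vpn = p[4] if len(p) >= 5 and p[3] == "vpn-instance" else PUBLIC
    return Member(epg, net, vpn)


def check_members(members: List[Member]) -> List[str]:
    """Return the limit violations found; an empty list means the member set is deployable."""
    problems: List[str] = []
    for m in members:
        if m.epg == 0:
            problems.append(f"{m.net} ({m.vpn}): EPG 0 is invalid")
    for i, a in enumerate(members):
        for b in members[i + 1:]:
            if a.net == b.net:
                # Same prefix in two VPN instances is the inter-VPN access case (allowed);
                # the same prefix in the same VPN instance may join only one EPG.
                if a.vpn == b.vpn and a.epg != b.epg:
                    problems.append(f"{a.net} ({a.vpn}) joins EPG {a.epg} and EPG {b.epg}")
                continue
            if not (a.net.subnet_of(b.net) or b.net.subnet_of(a.net)):
                continue
            if a.vpn != b.vpn:
                problems.append(f"cross-VPN overlap: {a.net} ({a.vpn}) vs {b.net} ({b.vpn})")
            elif (a.net.prefixlen == 32) != (b.net.prefixlen == 32):
                problems.append(f"/32 vs non-/32 overlap in {a.vpn}: {a.net} vs {b.net}")
    masks = sorted({m.net.prefixlen for m in members if m.net.prefixlen != 32})
    if len(masks) > MAX_NON_32_MASKS:
        problems.append(f"{len(masks)} distinct non-32-bit masks {masks}; limit is {MAX_NON_32_MASKS}")
    return problems
```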
Updated: 2019-04-20

Document ID: EDOC1100074765