Login
- Table of Contents
-
- 12-Security Command Reference
- 00-Preface
- 01-Security zone commands
- 02-AAA commands
- 03-802.1X commands
- 04-MAC authentication commands
- 05-Portal commands
- 06-Port security commands
- 07-User profile commands
- 08-Password control commands
- 09-Keychain commands
- 10-Public key management commands
- 11-PKI commands
- 12-IPsec commands
- 13-Group domain VPN commands
- 14-SSH commands
- 15-SSL commands
- 16-SSL VPN commands
- 17-ASPF commands
- 18-APR commands
- 19-Session management commands
- 20-Connection limit commands
- 21-Object group commands
- 22-Object policy commands
- 23-Attack detection and prevention commands
- 24-IP source guard commands
- 25-ARP attack protection commands
- 26-ND attack defense commands
- 27-uRPF commands
- 28-Crypto engine commands
- 29-FIPS commands
- 30-mGRE commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 01-Security zone commands | 52.49 KB |
Security zone commands
The following compatibility matrix shows the support of hardware platforms for security zone feature:
|
Hardware |
Security zone compatibility |
|
MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LMS-EA |
Yes |
|
MSR810-LMS, MSR810-LUS |
No |
|
MSR2600-6-X1, MSR2600-10-X1 |
Yes |
|
MSR 2630 |
Yes |
|
MSR3600-28, MSR3600-51 |
Yes |
|
MSR3600-28-SI, MSR3600-51-SI |
Yes |
|
MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP |
Yes |
|
MSR3610-I-DP, MSR3610-IE-DP |
Yes |
|
MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC |
Yes |
|
MSR 3610, MSR 3620, MSR 3620-DP, MSR 3640, MSR 3660 |
Yes |
|
MSR3610-G, MSR3620-G |
Yes |
display security-zone
Use display security-zone to display security zone information.
Syntax
display security-zone [ name zone-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name zone-name: Specifies the security zone name, a case-insensitive string of 1 to 31 characters. If you do not specify this option, the command displays all security zones, including system-defined and user-defined security zones.
Usage guidelines
When displaying all security zones, the command uses the following order:
1. System-defined security zones.
2. User-defined security zones in alphabetical order of security zone names.
Examples
# Display information about security zone myZone.
<Sysname> display security-zone name myZone
Name: myZone
Members:
Service path 2 reversed
GigabitEthernet1/0/1
GigabitEthernet1/0/2 in VLAN 3
VLAN 150-200
192.168.1.0 255.255.255.0
192.168.0.0 255.255.0.0 vpn-instance abc
1001:1002::0 32
Table 1 Command output
|
Field |
Description |
|
Name |
Security zone name. |
|
Members |
Members in the security zone: · Type and number of a Layer 3 interface. · Type and number of a Layer 2 Ethernet interface, and IDs of the VLANs to which the interface belongs. · None. If a security zone does not have members, this field displays None. |
display zone-pair security
Use display zone-pair security to display all zone pairs.
Syntax
display zone-pair security
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display all zone pairs.
<Sysname> display zone-pair security
Source zone Destination zone
DMZ Local
Trust Local
import interface
Use import interface to add Layer 3 interfaces to a security zone, including Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, and other types of Layer 3 logical interfaces.
Use undo import interface to remove Layer 3 interfaces from a security zone.
Syntax
import interface layer3-interface-type layer3-interface-number
undo import interface layer3-interface-type layer3-interface-number
Default
A security zone does not have Layer 3 interface members.
Views
Security zone view
Predefined user roles
network-admin
Parameters
interface layer3-interface-type layer3-interface-number: Specifies a Layer 3 interface by its type and number.
Usage guidelines
You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.
To add multiple Layer 3 interfaces to a security zone, execute this command multiple times.
A Layer 3 interface can belong to only one security zone. To move a Layer 3 interface from one security zone to another security zone, perform the following tasks:
· Use the undo import interface command to remove the interface from the current security zone.
· Use the import interface command to add the interface to the new security zone.
Examples
# Add Layer 3 Ethernet interface GigabitEthernet 1/0/1 to security zone Trust.
<Sysname> system-view
[Sysname] security-zone name trust
[Sysname-security-zone-Trust] import interface gigabitethernet 1/0/1
security-zone
Use security-zone to create a security zone and enter its view, or enter the view of an existing security zone.
Use undo security-zone to delete a security zone.
Syntax
security-zone name zone-name
undo security-zone name zone-name
Default
No security zones exist.
Views
System view
Predefined user roles
network-admin
Parameters
name zone-name: Specifies the security zone name, a case-insensitive string of 1 to 31 characters. It cannot be any. To include a backward slash (\) or quotation mark (") in the security zone name, you must use the escape character (\).
Usage guidelines
The device provides the following system-defined security zones: Local, Trust, DMZ, Management, and Untrust. The system creates these security zones automatically when one of following events occurs:
· The first command for creating a security zone is executed.
· The first command related to creating an interzone policy is executed.
System-defined security zones cannot be deleted.
You can use this command multiple times to create multiple security zones.
Deleting a security zone also deletes the following items:
· All zone pairs that use the security zone as the source or destination security zone.
· All interzone policy applications on the zone pairs.
Examples
# Create a security zone named zonetest and enter security zone view.
<Sysname> system-view
[Sysname] security-zone name zonetest
[Sysname-security-zone-zonetest]
Related commands
display security-zone
security-zone intra-zone default permit
Use security-zone intra-zone default permit to set the default action to permit for packets exchanged between interfaces in the same security zone.
Use undo security-zone intra-zone default permit to restore the default.
Syntax
security-zone intra-zone default permit
undo security-zone intra-zone default permit
Default
The default action is deny for packets exchanged between interfaces in the same security zone.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The system uses the default action for packets that are exchanged between interfaces in the same security zone in the following situations:
· A zone pair from the security zone to the security zone itself is not configured.
· A zone pair from the security zone to the security zone itself is configured, but no interzone policy is applied to the zone pair.
Examples
# Set the default action to permit for packets exchanged between interfaces in the same security zone.
<Sysname> system-view
[Sysname] security-zone intra-zone default permit
zone-pair security
Use zone-pair security to create a zone pair and enter its view, or enter the view of an existing zone pair.
Use undo zone-pair security to delete a zone pair.
Syntax
zone-pair security source { source-zone-name | any } destination { destination-zone-name | any }
undo zone-pair security source { source-zone-name | any } destination { destination-zone-name | any }
Default
No zone pair exists.
Views
System view
Predefined user roles
network-admin
Parameters
source source-zone-name: Specifies the name of the source security zone, a case-insensitive string of 1 to 31 characters. This security zone must already exist.
destination destination-zone-name: Specifies the name of the destination security zone, a case-insensitive string of 1 to 31 characters. This security zone must already exist.
any: Specifies any security zone.
Usage guidelines
A zone pair has a source security zone and a destination security zone. The device examines received first data packets and uses zone pairs to identify data flows. You can apply interzone policies to zone pairs so the device processes data flows based on interzone policies.
You can use the zone-pair security source any destination any command to define the any-to-any zone pair. This zone pair matches all packets from one security zone to another security zone.
A zone pair between specific security zones has a higher priority than the any-to-any zone pair.
A packet between the Management and Local zones matches only zone pairs of the two zones. It does not match the any-to-any zone pair.
Deleting a zone pair deletes all interzone policy applications on the zone pair.
Examples
# Create a zone pair with the source security zone Trust and destination zone Untrust.
<Sysname> system-view
[Sysname] zone-pair security source trust destination untrust
[Sysname-zone-pair-security-Trust-Untrust]
Related commands
display zone-pair security
zone-pair vsip-filter enable
Use zone-pair vsip-filter enable to enable filtering based on virtual service IP address for zone pairs.
Use undo zone-pair vsip-filter enable to restore the default.
Syntax
zone-pair vsip-filter enable
undo zone-pair vsip-filter enable
Default
Filtering based on virtual service IP address is disabled for zone pairs.
Views
System view
Predefined user roles
network-admin
Usage guidelines
In scenarios where server load balancing is deployed, configure this command to enable the device to filter packets from external networks to internal servers by virtual service IP address. By default, filtering based on virtual service IP address is disabled. Before matching each of the packets against ACLs, the device translates the destination IP address (the virtual service IP address) to the real server IP address. For more information about packet filtering, see ACL configuration in ACL and QoS Configuration Guide.
Examples
# Configure an IPv4 advanced ACL to permit packets destined for virtual server IP address 10.10.10.10. Configure a zone pair from Untrust to DMZ, apply the ACL to the zone pair, and enable filtering based on virtual service IP address.
<Sysname> system-view
[Sysname] acl advanced 3000
[Sysname-acl-ipv4-adv-3000] rule permit ip source any destination 10.10.10.10 0
[Sysname-acl-ipv4-adv-3000] quit
[Sysname] zone-pair security source untrust destination dmz
[Sysname-zone-pair-security-Untrust-DMZ] packet-filter 3000
[Sysname-zone-pair-security-Untrust-DMZ] quit
[Sysname] zone-pair vsip-filter enable
