19-Security Command Reference

08-Security zone commands

Security zone commands

display security-zone

Use display security-zone to display security zone information.

Syntax

display security-zone [ name zone-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name zone-name: Specifies the security zone name, a case-insensitive string of 1 to 31 characters. If you do not specify this option, the command displays all security zones, including system-defined and user-defined security zones.

Usage guidelines

When displaying all security zones, the command uses the following order:

1.     System-defined security zones.

2.     User-defined security zones in alphabetical order of security zone names.

Examples

# Display information about security zone myZone.

<Sysname> display security-zone name myZone

Name: myZone

Members:

  Service path 2 reversed

  GigabitEthernet0/0/1

  GigabitEthernet0/0/2 in VLAN 3

  VLAN 150-200

  192.168.1.0 255.255.255.0

  192.168.0.0 255.255.0.0 vpn-instance abc

  1001:1002::0 32

Table 1 Command output

Field | Description
Name | Security zone name.
Members | Members in the security zone:
·     Type and number of a Layer 3 interface.
·     Type and number of a Layer 2 Ethernet interface, and IDs of the VLANs to which the interface belongs.
·     VLAN IDs.
·     Address and mask (or mask length) of an IPv4 subnet on the public network.
·     Address and prefix length of an IPv6 subnet on the public network.
·     Address, mask (or mask length), and VPN instance name of an IPv4 subnet on a VPN.
·     Address, prefix length, and VPN instance name of an IPv6 subnet on a VPN.
·     Service chain ID.
·     Service chain ID with the reversed flag.
If a security zone does not have members, this field displays None.


import interface

Use import interface to add Layer 3 interfaces to a security zone.

Use undo import interface to remove Layer 3 interfaces from a security zone.

Syntax

import interface layer3-interface-type layer3-interface-number

undo import interface layer3-interface-type layer3-interface-number

Default

A security zone does not have Layer 3 interface members.

Views

Security zone view

Predefined user roles

network-admin

Parameters

interface layer3-interface-type layer3-interface-number: Specifies a Layer 3 interface by its type and number. Layer 3 interfaces include Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, and other types of Layer 3 logical interfaces.

Usage guidelines

You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.

To add multiple Layer 3 interfaces to a security zone, execute this command multiple times.

A Layer 3 interface can belong to only one security zone. To move a Layer 3 interface from one security zone to another security zone, perform the following tasks:

1.     Use the undo import interface command to remove the interface from the current security zone.

2.     Use the import interface command to add the interface to the new security zone.

Examples

# Add Layer 3 Ethernet interface GigabitEthernet 0/0/1 to security zone Trust.

<Sysname> system-view

[Sysname] security-zone name trust

[Sysname-security-zone-Trust] import interface gigabitethernet 0/0/1

import interface vlan

Use import interface vlan to add Layer 2 interface-VLAN combinations to a security zone.

Use undo import interface vlan to remove Layer 2 interface-VLAN combinations from a security zone.

Syntax

import interface layer2-interface-type layer2-interface-number vlan vlan-list

undo import interface layer2-interface-type layer2-interface-number vlan vlan-list

Default

A security zone does not have Layer 2 interface-VLAN combination members.

Views

Security zone view

Predefined user roles

network-admin

Parameters

interface layer2-interface-type layer2-interface-number: Specifies a Layer 2 interface by its type and number.

vlan vlan-list: Specifies a list of VLANs. The vlan-list argument must be a space-separated list of up to 10 VLAN items that meet the following requirements:

·     Each item specifies a VLAN by its ID or a range of VLANs in the form of start-VLAN-ID to end-VLAN-ID. The end-VLAN-ID is greater than the start-VLAN-ID.

·     The VLAN IDs are in the range of 1 to 4094.

·     The VLANs already exist.

Usage guidelines

You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.

To add multiple Layer 2 Ethernet interface-VLAN combinations to a security zone, execute this command multiple times.

A Layer 2 interface-VLAN combination can belong to only one security zone. To move a Layer 2 interface-VLAN combination from one security zone to another security zone, perform the following tasks:

1.     Use the undo import interface vlan command to remove the combination from the current security zone.

2.     Use the import interface vlan command to add the combination to the new security zone.

Examples

# Add the combination of Layer 2 Ethernet interface GigabitEthernet 0/0/1 and VLAN 10 to security zone Untrust.

<Sysname> system-view

[Sysname] security-zone name untrust

[Sysname-security-zone-Untrust] import interface gigabitethernet 0/0/1 vlan 10

import ip

Use import ip to add an IPv4 subnet to a security zone.

Use undo import ip to remove an IPv4 subnet from a security zone.

Syntax

import ip ip-address { mask-length | mask } [ vpn-instance vpn-instance-name ]

undo import ip ip-address { mask-length | mask } [ vpn-instance vpn-instance-name ]

Default

A security zone does not have IPv4 subnet members.

Views

Security zone view

Predefined user roles

network-admin

Parameters

ip-address: Specifies an IPv4 subnet by its subnet address or a host address on the subnet.

mask-length: Specifies the mask length in the range of 0 to 32.

mask: Specifies the subnet mask in dotted decimal notation.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the subnet belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the subnet resides on the public network, do not specify this option.

Usage guidelines

You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.

To add multiple IPv4 subnets to a security zone, execute this command multiple times.

A subnet can be added to only one security zone.

If one subnet includes another subnet, the system identifies them as different subnets. You can add them to the same security zone or different security zones. If you add them to different security zones, packets that match both subnets are identified as packets of the security zone to which the smaller subnet belongs. For example, you can assign 1.1.1.1/24 and 1.1.2.2/16 to different security zones. A packet with the IP address 1.1.1.3 is identified as a packet of the security zone to which 1.1.1.1/24 belongs.

For a dynamic routing protocol to operate correctly, add the multicast and broadcast addresses used by the protocol to security zones as needed.

Examples

# Add the 192.168.1.0/24 subnet to security zone a.

<Sysname> system-view

[Sysname] security-zone name a

[Sysname-security-zone-a] import ip 192.168.1.0 24

# Add the subnet that is identified by the address 192.168.2.1 and mask 255.255.255.0 to security zone a.

<Sysname> system-view

[Sysname] security-zone name a

[Sysname-security-zone-a] import ip 192.168.2.1 255.255.255.0

# Add the subnet that is identified by the address 192.168.2.1 and mask 255.255.255.0 on VPN abc to the security zone a.

<Sysname> system-view

[Sysname] security-zone name a

[Sysname-security-zone-a] import ip 192.168.2.1 255.255.255.0 vpn-instance abc

import ipv6

Use import ipv6 to add an IPv6 subnet to a security zone.

Use undo import ipv6 to remove an IPv6 subnet from a security zone.

Syntax

import ipv6 ipv6-address prefix-length [ vpn-instance vpn-instance-name ]

undo import ipv6 ipv6-address prefix-length [ vpn-instance vpn-instance-name ]

Default

A security zone does not have IPv6 subnet members.

Views

Security zone view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies an IPv6 subnet by its subnet address or a host address on the subnet.

prefix-length: Specifies the prefix length in the range of 1 to 128.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN to which the subnet belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the subnet resides on the public network, do not specify this option.

Usage guidelines

You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.

To add multiple IPv6 subnets to a security zone, execute this command multiple times.

A subnet can be added to only one security zone.

If one subnet includes another subnet, the system identifies them as different subnets. You can add them to the same security zone or different security zones. If you add them to different security zones, packets that match both subnets are identified as packets of the security zone to which the smaller subnet belongs. For example, you can assign 1:1:1::0/48 and 1:1:1::0/32 to different security zones. A packet with the address 1:1:1::2 is identified as a packet of the security zone to which 1:1:1::0/48 belongs.
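The longest-prefix rule described above for both import ip and import ipv6 (a packet matching two nested subnets in different zones is classified into the zone of the smaller subnet) is easy to get wrong when auditing a configuration by hand. The following Python model is an added example for this reference; it is not H3C code and does not run on the device. The class ZoneTable, its method names, and the lookup logic are assumptions of this example; the addresses are the ones used in the text above. It also enforces the "a subnet can be added to only one security zone" rule and keeps VPN-instance members separate from public-network members, generalising the two worked cases to any mix of IPv4 and IPv6 members.

```python
import ipaddress


class ZoneTable:
    """In-memory model of the IPv4/IPv6 subnet members of security zones.

    Assumed helper for this example, not from the command reference.
    Keys are (vpn-instance name, network); vpn is None for the public network.
    Zone names are compared case-insensitively, as the reference says they are.
    """

    def __init__(self):
        self.members = {}

    def import_subnet(self, zone, address, mask_or_length, vpn=None):
        # strict=False accepts a host address on the subnet (e.g. 192.168.2.1 255.255.255.0)
        # and normalises it to the subnet address, mirroring the command's behaviour.
        net = ipaddress.ip_network(f"{address}/{mask_or_length}", strict=False)
        key = (vpn, net)
        owner = self.members.get(key)
        if owner is not None and owner != zone.lower():
            raise ValueError(
                f"{net} already belongs to security zone {owner}; "
                "a subnet can be added to only one security zone"
            )
        self.members[key] = zone.lower()
        return str(net)

    def remove_subnet(self, zone, address, mask_or_length, vpn=None):
        """Model of undo import ip / undo import ipv6."""
        net = ipaddress.ip_network(f"{address}/{mask_or_length}", strict=False)
        if self.members.get((vpn, net)) == zone.lower():
            del self.members[(vpn, net)]

    def zone_of(self, address, vpn=None):
        """Classify a packet address: the most specific (longest-prefix) member wins."""
        addr = ipaddress.ip_address(address)
        best_net, best_zone = None, None
        for (member_vpn, net), zone in self.members.items():
            if member_vpn != vpn or net.version != addr.version:
                continue
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_zone = net, zone
        return best_zone  # None means no member subnet matches


def import_or_error(table, zone, address, mask_or_length, vpn=None):
    """Report a membership conflict as a string instead of raising (handy in audit scripts)."""
    try:
        return table.import_subnet(zone, address, mask_or_length, vpn)
    except ValueError as exc:
        return f"error: {exc}"


def demo():
    """Replays the two nested-subnet cases from the reference text (constructed input)."""
    t = ZoneTable()
    t.import_subnet("zoneA", "1.1.1.1", 24)      # stored as 1.1.1.0/24
    t.import_subnet("zoneB", "1.1.2.2", 16)      # stored as 1.1.0.0/16
    t.import_subnet("zoneC", "1:1:1::0", 48)
    t.import_subnet("zoneD", "1:1:1::0", 32)
    t.import_subnet("zoneE", "192.168.2.1", "255.255.255.0", vpn="abc")
    return {
        "1.1.1.3": t.zone_of("1.1.1.3"),            # both match; /24 is smaller -> zonea
        "1.1.5.9": t.zone_of("1.1.5.9"),            # only the /16 matches -> zoneb
        "1:1:1::2": t.zone_of("1:1:1::2"),          # both match; /48 wins -> zonec
        "1:1:2::2": t.zone_of("1:1:2::2"),          # only the /32 matches -> zoned
        "vpn abc 192.168.2.5": t.zone_of("192.168.2.5", vpn="abc"),
        "public 192.168.2.5": t.zone_of("192.168.2.5"),  # no public member -> None
    }


if __name__ == "__main__":
    for packet, zone in demo().items():
        print(f"{packet:>22} -> {zone}")
```

When reviewing a firewall policy, run the addresses of each critical host through zone_of before trusting a zone-pair rule: a broad subnet placed in Trust can silently lose hosts to a narrower subnet that someone later imported into another zone.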

Examples

# Add IPv6 subnet 1001:1002::0/32 (on the public network) to security zone a.

<Sysname> system-view

[Sysname] security-zone name a

[Sysname-security-zone-a] import ipv6 1001:1002::1 32

# Add IPv6 subnet 1001:1002::0/32 (on VPN abc) to security zone a.

<Sysname> system-view

[Sysname] security-zone name a

[Sysname-security-zone-a] import ipv6 1001:1002::1 32 vpn-instance abc

import service-chain path

Use import service-chain path to add a service chain to a security zone.

Use undo import service-chain path to remove a service chain from a security zone.

Syntax

import service-chain path path-id [ reversed ]

undo import service-chain path path-id [ reversed ]

Default

A security zone does not have service chain members.

Views

Security zone view

Predefined user roles

network-admin

Parameters

path-id: Specifies a service chain by its ID. The value range is 1 to 8388606.

reversed: Matches the backward traffic. If you do not specify this keyword, the service chain matches the forward traffic.

Usage guidelines

You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.

To add multiple service chains to a security zone, execute this command multiple times.

A service chain can be added to only one security zone.

For more information about service chains, see Service Chain Configuration Guide.

Examples

# Add service chain 100 to security zone zonetest.

<Sysname> system-view

[Sysname] security-zone name zonetest

[Sysname-security-zone-zonetest] import service-chain path 100

Related commands

display service-chain path (Service Chain Command Reference)

service-chain path (Service Chain Command Reference)

import vlan

Use import vlan to add VLANs to a security zone.

Use undo import vlan to remove VLANs from a security zone.

Syntax

import vlan vlan-list

undo import vlan vlan-list

Default

A security zone does not have VLAN members.

Views

Security zone view

Predefined user roles

network-admin

Parameters

vlan vlan-list: Specifies a list of VLANs. The vlan-list argument must be a space-separated list of up to 10 VLAN items that meet the following requirements:

·     Each item specifies a VLAN by its ID or a range of VLANs in the form of start-VLAN-ID to end-VLAN-ID. The end-VLAN-ID is greater than the start-VLAN-ID.

·     The VLAN IDs are in the range of 1 to 4094.

·     The VLANs already exist.

Usage guidelines

You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.

To add multiple VLANs to a security zone, specify multiple VLANs for this command or execute this command multiple times.

A VLAN can belong to only one security zone. To move a VLAN from one security zone to another security zone, perform the following tasks:

1.     Use the undo import vlan command to remove the VLAN from the current security zone.

2.     Use the import vlan command to add the VLAN to the new security zone.

This command requires the cooperation of inter-VLAN bridge forwarding. After adding VLANs to a security zone, you must create an inter-VLAN bridge instance and add the VLANs to the bridge instance. For more information, see Layer 2 forwarding configuration in Layer 2 - LAN Switching Configuration Guide.
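The vlan-list argument has the same three requirements under import interface vlan and import vlan (up to 10 items, IDs 1 to 4094, end-VLAN-ID greater than start-VLAN-ID, VLANs already created), and both commands also require that a VLAN or interface-VLAN combination belong to only one zone. The following Python parser and membership check is an added example for this reference, not H3C code; the function names, the in-memory zones dictionary and the set of "existing" VLANs are assumptions constructed for the example. It is useful for validating a planned change before it is typed into the device.

```python
VLAN_MIN, VLAN_MAX, MAX_ITEMS = 1, 4094, 10


def _vlan_id(token):
    """Parse one VLAN ID token and enforce the 1 to 4094 range."""
    if not token.isdigit():
        raise ValueError(f"invalid VLAN ID {token!r}")
    vid = int(token)
    if not VLAN_MIN <= vid <= VLAN_MAX:
        raise ValueError(f"VLAN ID {vid} out of range {VLAN_MIN}-{VLAN_MAX}")
    return vid


def parse_vlan_list(text):
    """Parse a vlan-list such as "3 5 to 7" into [(start, end), ...]; a single ID is (id, id)."""
    tokens = text.split()
    items = []
    i = 0
    while i < len(tokens):
        start = _vlan_id(tokens[i])
        if i + 1 < len(tokens) and tokens[i + 1] == "to":
            if i + 2 >= len(tokens):
                raise ValueError("range is missing end-VLAN-ID")
            end = _vlan_id(tokens[i + 2])
            if end <= start:
                raise ValueError(
                    f"end-VLAN-ID {end} must be greater than start-VLAN-ID {start}"
                )
            i += 3
        else:
            end = start
            i += 1
        items.append((start, end))
    if not items:
        raise ValueError("vlan-list is empty")
    if len(items) > MAX_ITEMS:
        raise ValueError(f"vlan-list has {len(items)} items; at most {MAX_ITEMS} are allowed")
    return items


def expand_vlan_list(items):
    """Flatten parsed items into a sorted list of individual VLAN IDs."""
    return sorted({vid for start, end in items for vid in range(start, end + 1)})


def vlan_list_error(text):
    """Return None when the vlan-list is valid, otherwise the reason it is rejected."""
    try:
        parse_vlan_list(text)
        return None
    except ValueError as exc:
        return str(exc)


def import_vlans(zones, zone, text, existing_vlans):
    """Model of `import vlan vlan-list` in security zone view.

    zones: dict of zone name (lower-case) -> set of member VLAN IDs (assumed structure).
    Enforces the rules in the reference: no members in Local, VLANs must exist,
    and a VLAN can belong to only one security zone (undo import vlan it first).
    """
    zone = zone.lower()  # zone names are case-insensitive
    if zone == "local":
        raise ValueError("cannot add members to the system-defined security zone Local")
    vids = expand_vlan_list(parse_vlan_list(text))
    missing = [v for v in vids if v not in existing_vlans]
    if missing:
        raise ValueError(f"VLANs do not exist yet: {missing}")
    for other, members in zones.items():
        clash = sorted(set(vids) & members)
        if other != zone and clash:
            raise ValueError(
                f"VLANs {clash} already belong to security zone {other}; "
                "remove them with undo import vlan before adding them here"
            )
    zones.setdefault(zone, set()).update(vids)
    return sorted(zones[zone])


if __name__ == "__main__":
    zones = {}
    print(import_vlans(zones, "trust", "3 5 to 7", existing_vlans={3, 5, 6, 7, 10}))
    print(vlan_list_error("7 to 5"))
```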

Examples

# Add VLAN 3 and VLANs 5 through 7 to security zone trust.

<Sysname> system-view

[Sysname] security-zone name trust

[Sysname-security-zone-Trust] import vlan 3 5 to 7

security-zone

Use security-zone to create a security zone and enter its view, or enter the view of an existing security zone.

Use undo security-zone to delete a security zone.

Syntax

security-zone name zone-name

undo security-zone name zone-name

Default

Security zones Local, Trust, DMZ, Management, and Untrust exist.

Views

System view

Predefined user roles

network-admin

Parameters

name zone-name: Specifies the security zone name, a case-insensitive string of 1 to 31 characters. The name cannot be the word any. To include a backward slash (\) or quotation mark (") in the security zone name, you must use the escape character (\).

Usage guidelines

The device provides the following system-defined security zones: Local, Trust, DMZ, Management, and Untrust. The system creates these security zones automatically when one of the following events occurs:

·     The first command for creating a security zone is executed.

·     The first command related to creating an interzone policy is executed.

System-defined security zones cannot be deleted.

You can use this command multiple times to create multiple security zones.

Examples

# Create a security zone named zonetest and enter security zone view.

<Sysname> system-view

[Sysname] security-zone name zonetest

[Sysname-security-zone-zonetest]

Related commands

display security-zone

security-zone intra-zone default permit

Use security-zone intra-zone default permit to set the default action to permit for packets exchanged between interfaces in the same security zone.

Use undo security-zone intra-zone default permit to set the default action to deny for packets exchanged between interfaces in the same security zone.

Syntax

security-zone intra-zone default permit

undo security-zone intra-zone default permit

Default

The default action is deny for packets exchanged between interfaces in the same security zone.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The system uses the default action for packets that are exchanged between interfaces in the same security zone in the following situations:

·     A zone pair from the security zone to the security zone itself is not configured.

·     A zone pair from the security zone to the security zone itself is configured, but no interzone policy is applied to the zone pair.
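The two situations above matter during reviews because a zone pair that exists but has no interzone policy applied behaves exactly like a missing zone pair: intra-zone traffic falls back to the default action, which is deny unless security-zone intra-zone default permit has been configured. The following Python check is an added example for this reference, not H3C code; the zone_pairs dictionary (mapping a (source zone, destination zone) pair to the applied policy name, or to None when the pair exists without a policy) and the function names are assumptions constructed for the example.

```python
def intra_zone_action(zone, zone_pairs, default_permit=False):
    """Decide how packets between interfaces of the same zone are handled.

    zone_pairs: dict (source zone, destination zone) -> applied interzone policy name,
    or None when the zone pair is configured but no policy is applied (assumed structure).
    default_permit: True when `security-zone intra-zone default permit` is configured.
    Returns ("policy", name) or ("default", "permit" | "deny").
    """
    z = zone.lower()  # zone names are case-insensitive
    pairs = {(src.lower(), dst.lower()): policy for (src, dst), policy in zone_pairs.items()}
    policy = pairs.get((z, z))
    if policy is not None:
        return ("policy", policy)
    # No self zone pair, or a self zone pair without a policy: the default action applies.
    return ("default", "permit" if default_permit else "deny")


def audit_intra_zone(zones, zone_pairs, default_permit=False):
    """List zones whose intra-zone traffic is governed by the default action, not a policy."""
    report = {}
    for zone in zones:
        kind, action = intra_zone_action(zone, zone_pairs, default_permit)
        if kind == "default":
            report[zone.lower()] = action
    return report


if __name__ == "__main__":
    # Constructed sample configuration: Trust has a self zone pair with a policy,
    # DMZ has a self zone pair without one, Untrust has no self zone pair at all.
    sample_pairs = {("Trust", "Trust"): "intra-trust", ("DMZ", "DMZ"): None}
    print(audit_intra_zone(["Trust", "DMZ", "Untrust"], sample_pairs))
    print(audit_intra_zone(["Trust", "DMZ", "Untrust"], sample_pairs, default_permit=True))
```

Zones listed with "deny" are where users typically report "same-zone hosts cannot talk"; zones listed with "permit" are where a global permit default has removed any inspection between same-zone interfaces and deserve a look from a policy reviewer.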

Examples

# Set the default action to permit for packets exchanged between interfaces in the same security zone.

<Sysname> system-view

[Sysname] security-zone intra-zone default permit
