19-Security Command Reference
Security zone commands
display security-zone
Use display security-zone to display security zone information.
Syntax
display security-zone [ name zone-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
name zone-name: Specifies the security zone name, a case-insensitive string of 1 to 31 characters. If you do not specify this option, the command displays all security zones, including system-defined and user-defined security zones.
Usage guidelines
When displaying all security zones, the command uses the following order:
1. System-defined security zones.
2. User-defined security zones in alphabetical order of security zone names.
Examples
# Display information about security zone myZone.
<Sysname> display security-zone name myZone
Name: myZone
Members:
Service path 2 reversed
GigabitEthernet1/0/1
192.168.1.0 255.255.255.0
1001:1002::0 32
Table 1 Command output
Field | Description |
---|---|
Name | Security zone name. |
Members | Members in the security zone: · Type and number of a Layer 3 interface. · Address and mask (or mask length) of an IPv4 subnet on the public network. · Address and prefix length of an IPv6 subnet on the public network. If a security zone does not have members, this field displays None. |
import interface
Use import interface to add a Layer 3 interface to a security zone.
Use undo import interface to remove Layer 3 interfaces from a security zone.
Syntax
import interface layer3-interface-type layer3-interface-number
undo import interface layer3-interface-type layer3-interface-number
Default
A security zone does not have Layer 3 interface members.
Views
Security zone view
Predefined user roles
network-admin
Parameters
layer3-interface-type layer3-interface-number: Specifies a Layer 3 interface by its type and number. Layer 3 interfaces include Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, and other types of Layer 3 logical interfaces.
Usage guidelines
You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.
To add multiple Layer 3 interfaces to a security zone, execute this command multiple times.
A Layer 3 interface can belong to only one security zone. To move a Layer 3 interface from one security zone to another security zone, perform the following tasks:
1. Use the undo import interface command to remove the interface from the current security zone.
2. Use the import interface command to add the interface to the new security zone.
Examples
# Add Layer 3 Ethernet interface GigabitEthernet 1/0/1 to security zone Trust.
<Sysname> system-view
[Sysname] security-zone name trust
[Sysname-security-zone-Trust] import interface gigabitethernet 1/0/1
import ip
Use import ip to add an IPv4 subnet to a security zone.
Use undo import ip to remove an IPv4 subnet from a security zone.
Syntax
import ip ip-address { mask-length | mask }
undo import ip ip-address { mask-length | mask }
Default
A security zone does not have IPv4 subnet members.
Views
Security zone view
Predefined user roles
network-admin
Parameters
ip-address: Specifies an IPv4 subnet by its subnet address or a host address on the subnet.
mask-length: Specifies the mask length in the range of 0 to 32.
mask: Specifies the subnet mask in dotted decimal notation.
Usage guidelines
You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.
To add multiple IPv4 subnets to a security zone, execute this command multiple times.
A subnet can be added to only one security zone.
If one subnet includes another subnet, the system identifies them as different subnets. You can add them to the same security zone or to different security zones. If you add them to different security zones, packets that match both subnets are identified as packets of the security zone to which the smaller (more specific) subnet belongs. For example, you can assign 1.1.1.1/24 and 1.1.2.2/16 to different security zones. A packet with the IP address 1.1.1.3 is identified as a packet of the security zone to which 1.1.1.1/24 belongs.
For a dynamic routing protocol to operate correctly, add the multicast and broadcast addresses used by the protocol to security zones as needed.
Examples
# Add the 192.168.1.0/24 subnet to security zone a.
<Sysname> system-view
[Sysname] security-zone name a
[Sysname-security-zone-a] import ip 192.168.1.0 24
# Add the subnet that is identified by the address 192.168.2.1 and mask 255.255.255.0 to security zone a.
<Sysname> system-view
[Sysname] security-zone name a
[Sysname-security-zone-a] import ip 192.168.2.1 255.255.255.0
import ipv6
Use import ipv6 to add an IPv6 subnet to a security zone.
Use undo import ipv6 to remove an IPv6 subnet from a security zone.
Syntax
import ipv6 ipv6-address prefix-length
undo import ipv6 ipv6-address prefix-length
Default
A security zone does not have IPv6 subnet members.
Views
Security zone view
Predefined user roles
network-admin
Parameters
ipv6-address: Specifies an IPv6 subnet by its subnet address or a host address on the subnet.
prefix-length: Specifies the prefix length in the range of 1 to 128.
Usage guidelines
You cannot add a member to the system-defined security zone Local. You can add members to the other system-defined security zones.
To add multiple IPv6 subnets to a security zone, execute this command multiple times.
A subnet can be added to only one security zone.
If one subnet includes another subnet, the system identifies them as different subnets. You can add them to the same security zone or to different security zones. If you add them to different security zones, packets that match both subnets are identified as packets of the security zone to which the smaller (more specific) subnet belongs. For example, you can assign 1:1:1::0/48 and 1:1:1::0/32 to different security zones. A packet with the address 1:1:1::2 is identified as a packet of the security zone to which 1:1:1::0/48 belongs.
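The subnet-membership rule in the usage guidelines for both import ip and import ipv6 is a longest-prefix match, combined with the constraint that a subnet belongs to at most one zone. The following Python is an added illustration of that rule, not the device's implementation; the SecurityZoneTable class, its method names, and the zone names a and b are assumptions, and the addresses are the page's own examples.

```python
import ipaddress
from typing import Optional


class SecurityZoneTable:
    """Simplified model of zone membership for subnet members (assumption:
    a model of the rule described in the usage guidelines, not device code)."""

    def __init__(self):
        self._subnets = {}  # ip_network -> zone name

    def import_subnet(self, zone: str, address: str, mask: str):
        # `mask` is a mask length ("24", "48") or, for IPv4, a dotted-decimal
        # mask ("255.255.255.0"). A host address is normalised to its subnet
        # address, as 'import ip 192.168.2.1 255.255.255.0' does on the page.
        net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
        # A subnet can be added to only one security zone.
        if net in self._subnets and self._subnets[net] != zone:
            raise ValueError(f"{net} already belongs to zone {self._subnets[net]}")
        self._subnets[net] = zone
        return net

    def zone_of(self, address: str) -> Optional[str]:
        # Nested subnets are distinct members; when they sit in different
        # zones, the smaller (more specific, longer-prefix) subnet decides.
        ip = ipaddress.ip_address(address)
        best = None
        for net, zone in self._subnets.items():
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, zone)
        return best[1] if best else None


def demo() -> dict:
    # Constructed scenario using the page's example prefixes in two zones.
    zones = SecurityZoneTable()
    zones.import_subnet("a", "1.1.1.1", "24")      # stored as 1.1.1.0/24
    zones.import_subnet("b", "1.1.2.2", "16")      # stored as 1.1.0.0/16
    zones.import_subnet("a", "1:1:1::0", "48")
    zones.import_subnet("b", "1:1:1::0", "32")
    try:
        zones.import_subnet("b", "1.1.1.0", "255.255.255.0")  # same subnet, other zone
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    return {
        "v4_specific": zones.zone_of("1.1.1.3"),   # both match; /24 wins -> "a"
        "v4_outer": zones.zone_of("1.1.2.9"),      # only /16 matches -> "b"
        "v6_specific": zones.zone_of("1:1:1::2"),  # /48 wins -> "a"
        "unmatched": zones.zone_of("10.0.0.1"),    # no member subnet -> None
        "duplicate_rejected": duplicate_rejected,
    }
```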
Examples
# Add IPv6 subnet 1001:1002::0/32 (on the public network) to security zone a.
<Sysname> system-view
[Sysname] security-zone name a
[Sysname-security-zone-a] import ipv6 1001:1002::1 32
security-zone
Use security-zone to create a security zone and enter its view, or enter the view of an existing security zone.
Use undo security-zone to delete a security zone.
Syntax
security-zone name zone-name
undo security-zone name zone-name
Default
Security zones Local, Trust, DMZ, Management, and Untrust exist.
Views
System view
Predefined user roles
network-admin
Parameters
name zone-name: Specifies the security zone name, a case-insensitive string of 1 to 31 characters. It cannot be the word any. To include a backslash (\) or quotation mark (") in the security zone name, you must use the escape character (\).
Usage guidelines
The device provides the following system-defined security zones: Local, Trust, DMZ, Management, and Untrust. The system creates these security zones automatically when one of the following events occurs:
· The first command for creating a security zone is executed.
· The first command related to creating an interzone policy is executed.
System-defined security zones cannot be deleted.
You can use this command multiple times to create multiple security zones.
Examples
# Create a security zone named zonetest and enter security zone view.
<Sysname> system-view
[Sysname] security-zone name zonetest
[Sysname-security-zone-zonetest]
Related commands
display security-zone
security-zone intra-zone default permit
Use security-zone intra-zone default permit to set the default action to permit for packets exchanged between interfaces in the same security zone.
Use undo security-zone intra-zone default permit to set the default action to deny for packets exchanged between interfaces in the same security zone.
Syntax
security-zone intra-zone default permit
undo security-zone intra-zone default permit
Default
The default action is deny for packets exchanged between interfaces in the same security zone.
Views
System view
Predefined user roles
network-admin
Usage guidelines
The system uses the default action for packets that are exchanged between interfaces in the same security zone in the following situations:
· A zone pair from the security zone to the security zone itself is not configured.
· A zone pair from the security zone to the security zone itself is configured, but no interzone policy is applied to the zone pair.
Examples
# Set the default action to permit for packets exchanged between interfaces in the same security zone.
<Sysname> system-view
[Sysname] security-zone intra-zone default permit