06-Security zones
Introduction
Security zone members
A security zone can include the following types of members:
- Layer 2 interface-VLAN combination
- Layer 3 interface:
  - Layer 3 Ethernet interface
  - Layer 3 logical interface, such as a Layer 3 subinterface
Security zone-based packet processing rules
The following table describes how the device handles packets when security zone-based security management is configured:

Packets | Action |
---|---|
Packets between an interface that is in a security zone and an interface that is not in any security zone | Discard. |
Packets between two interfaces that are in the same security zone | Discard by default. |
Packets between two interfaces that belong to different security zones | Forward or discard, depending on the matching security control policy. If no policy is applied, or the policy does not exist or does not take effect, the packets are discarded. |
Packets between two interfaces that are not in any security zone | Discard. |
Packets originated from or destined for the device itself | Forward or discard, depending on the matching object policy. By default, these packets are discarded. |
Restrictions and guidelines
- A Layer 3 interface can be added to only one security zone.
- A Layer 2 interface-VLAN combination can be added to only one security zone.
- If a packet does not match a zone pair defined for its specific source and destination security zones, the device searches for the any-to-any zone pair.
  - If the any-to-any zone pair exists, the device processes the packet by using the security control policies applied to that zone pair.
  - If the any-to-any zone pair does not exist, the device discards the packet.
- By default, the device forwards packets between the Management and Local security zones.
- For packets between the Management and Local security zones, the device uses only the security control policies applied to the zone pairs of those two security zones; the any-to-any zone pair is not consulted.
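The packet-handling table and the guidelines above can be checked against a small decision model. The following Python is an added example, not H3C code or device behaviour beyond what this page states: zone names, interface names, the rule-list format and the "device" pseudo-interface standing in for the Local zone are all constructed assumptions.

```python
import ipaddress

class ZoneEngine:
    def __init__(self):
        self.members = {}   # interface name -> zone name
        self.pairs = {}     # (src_zone, dst_zone) -> rule list, or None if no policy is applied

    def add_member(self, zone, iface):
        # An L3 interface or L2 interface-VLAN combination can belong to only one zone
        if self.members.get(iface, zone) != zone:
            raise ValueError(f"{iface} is already in zone {self.members[iface]}")
        self.members[iface] = zone

    def add_zone_pair(self, src_zone, dst_zone, rules=None):
        # rules: list of (src_prefix, dst_prefix, "permit"|"deny"); None = pair with no policy
        self.pairs[(src_zone, dst_zone)] = rules

    @staticmethod
    def _evaluate(rules, src_ip, dst_ip):
        # First matching rule decides; no policy (None) or no matching rule means discard
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for src_prefix, dst_prefix, action in rules or []:
            if src in ipaddress.ip_network(src_prefix) and dst in ipaddress.ip_network(dst_prefix):
                return "forward" if action == "permit" else "discard"
        return "discard"

    def decide(self, in_iface, out_iface, src_ip, dst_ip):
        src_zone, dst_zone = self.members.get(in_iface), self.members.get(out_iface)
        if src_zone is None or dst_zone is None or src_zone == dst_zone:
            return "discard"    # an interface in no zone, or intra-zone traffic (default)
        if {src_zone, dst_zone} == {"Management", "Local"}:
            # Only these zones' own pairs count (no any-to-any fallback); forwarded by default
            if (src_zone, dst_zone) not in self.pairs:
                return "forward"
            return self._evaluate(self.pairs[(src_zone, dst_zone)], src_ip, dst_ip)
        # Specific zone pair first, then the any-to-any pair; neither present means discard
        key = (src_zone, dst_zone) if (src_zone, dst_zone) in self.pairs else ("any", "any")
        return self._evaluate(self.pairs[key], src_ip, dst_ip) if key in self.pairs else "discard"

def build_demo():
    # Constructed topology: GE1/0/1 in Trust, GE1/0/2 in Untrust, GE1/0/3 in no zone
    eng = ZoneEngine()
    eng.add_member("Trust", "GE1/0/1")
    eng.add_member("Untrust", "GE1/0/2")
    eng.add_member("Management", "M-GE0/0/0")
    eng.add_member("Local", "device")   # pseudo-interface standing for the device itself
    eng.add_zone_pair("Trust", "Untrust", [("10.1.1.0/24", "0.0.0.0/0", "permit")])
    eng.add_zone_pair("Untrust", "Trust")   # zone pair exists but has no policy applied
    return eng
```

Object policies for traffic to or from the device itself are not modelled; the page only states that such traffic is discarded by default.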