Chapter 3: Zones
© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services
Chapter Objectives
Agenda: Zones
What Is a Zone?
Review: Packet Flow
Figure: SRX Series packet flow. An ingress packet enters the forwarding path; if no existing session matches it, the flow module takes the first path: SCREEN options, destination NAT, route lookup, zone lookup, security policy, source NAT, services and ALGs, and finally session creation, before the packet leaves on the egress interface. The zone lookup step is the focus of this chapter.
Hierarchical Dependencies
Figure: a routing instance owns its forwarding table and one or more zones. Zone A and Zone B belong to Routing Instance 1; Zone C and Zone D belong to Routing Instance 2. A zone belongs to exactly one routing instance and cannot span two.
Zone Types
Figure: zones are either user-defined (can be configured: security zones and functional zones) or system-defined (cannot be configured: the Null zone).
Security Zones
Security zones (user-defined; can be configured):
•A collection of one or more network segments requiring the regulation of inbound and outbound traffic through the use of policies
•Used by traffic destined for the device itself
•Used by transit traffic
•Intrazone and interzone transit traffic flows both require security policies
•No security zones are defined by default
•Cannot be shared between routing instances
Functional Zones
Functional zones (user-defined; can be configured):
•Used for a special purpose, such as the management functional zone for out-of-band management interfaces
•Carry only traffic destined for the device itself; no transit traffic passes through a functional zone, so no security policy applies to it
System-Defined Zones
Null zone (system-defined; cannot be configured):
•Unconfigurable
•Every interface belongs to the Null zone by default
•When you delete an interface from a zone, it returns to the Null zone
•The Junos OS rejects all traffic to and from an interface belonging to the Null zone, so an interface that has not been placed in a zone fails closed
Factory-Default Zones
The factory-default configuration on branch SRX Series devices defines the security zones trust and untrust. Because they are user-defined security zones, they are fully configurable and can be renamed or removed like any other zone.
Agenda: Zones
Zone Configuration Procedure
Steps:
•Define a security or a functional zone
•Add logical interfaces to the zone
•Optionally, add the services and protocols that must be permitted into the device itself through the interfaces belonging to the zone
• If you omit this step, the SRX Series device permits no traffic destined for itself on those interfaces (transit traffic is unaffected; it is governed by security policies)
Defining a Zone
[edit]
user@host# set security zones security-zone HR
or
user@host# set security zones functional-zone management
Adding Logical Interfaces to the Zone
•Security zone (the logical unit must be given; a physical interface name alone is not accepted):
[edit security zones]
user@host# set security-zone HR interfaces interface-name.unit
•Functional zone:
[edit]
user@host# edit security zones
[edit security zones]
user@host# set functional-zone management interfaces interface-name.unit
Local Host Traffic (1 of 3)
Figure: examples of system services directed at the device itself that must be explicitly permitted with host-inbound-traffic: SSH, Telnet, Ping
Local Host Traffic (2 of 3)
Local Host Traffic (3 of 3)
Configuration hierarchy
•The host-inbound-traffic statement can be configured for the entire zone (applies to every interface in it) or for an individual interface in the zone; an interface-level statement overrides the zone-level statement for that interface
•Under the entire zone stanza:
[edit security zones]
user@host# set security-zone HR host-inbound-traffic system-services all
•Keep system-services all for trusted, internal zones only; on an untrusted zone list just the services required
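The three configuration steps carried through as one complete worked example, added here and not taken from the original course slides. The zone name HR, the interfaces ge-0/0/1.0, ge-0/0/2.0 and ge-0/0/0.0, and the choice of permitted services and protocols are assumptions made for a lab topology.

```junos
## Added example (not from the course material): security zone HR plus a
## management functional zone. Interface and zone names are assumptions.

[edit]
user@host# edit security zones

## Step 1 and 2: define the security zone and add its logical interface.
## The unit (.0) is mandatory; a bare physical interface name is rejected.
[edit security zones]
user@host# set security-zone HR interfaces ge-0/0/1.0

## Step 3, zone level: everything the device itself must answer on any HR
## interface. Without this stanza SSH and ping to the SRX's own HR addresses
## are dropped, although transit traffic through HR is unaffected.
user@host# set security-zone HR host-inbound-traffic system-services ssh
user@host# set security-zone HR host-inbound-traffic system-services ping
user@host# set security-zone HR host-inbound-traffic protocols ospf

## Step 3, interface level: a second HR interface that should answer ping only.
## Host-inbound settings on an interface replace the zone-level list for that
## interface rather than merging with it, so SSH is not reachable on ge-0/0/2.0.
user@host# set security-zone HR interfaces ge-0/0/2.0 host-inbound-traffic system-services ping

## Functional zone for out-of-band management (assumed dedicated port ge-0/0/0):
## host-bound traffic only, no transit, so no security policy is needed for it.
user@host# set functional-zone management interfaces ge-0/0/0.0
user@host# set functional-zone management host-inbound-traffic system-services ssh
user@host# set functional-zone management host-inbound-traffic host-inbound-traffic

## Validate, commit, then verify which services each interface actually permits.
user@host# top
[edit]
user@host# commit check
user@host# commit
user@host# run show security zones HR detail
user@host# run show interfaces ge-0/0/2.0 extensive
```

The `show interfaces ... extensive` output reports the zone the interface belongs to and its allowed host-inbound traffic, which is the place to confirm that the interface-level override took effect. For a fully trusted zone, `host-inbound-traffic system-services all` combined with `system-services telnet except` permits every service but Telnet; the explicit allow-list above is the safer pattern for any zone that faces less trusted networks.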
Check Your Knowledge (1 of 3)
Check Your Knowledge (2 of 3)
Check Your Knowledge (3 of 3)
Agenda: Zones
Monitoring Zones
Monitoring Traffic Permitted into Interfaces (1 of 2)
Monitoring Traffic Permitted into Interfaces (2 of 2)
Flow output statistics (from the show interfaces interface-name extensive output):
Flow Output statistics:
Multicast packets : 0
Bytes permitted by policy : 0
Summary
Review Questions
Lab 1: Configuring and Monitoring Zones