Setting Multiple Interfaces to a Single Zone¶
| Operation Confirmed Version |
|---|
| Brocade 5600vRouter Version 4.2R1S1 |
See also: What is Zone-Based Firewall?
Note
Once a zone is created, traffic arriving from any other zone is dropped unless an inter-zone policy explicitly accepts it. Traffic between interfaces that belong to the same zone is not filtered by the zone policy, which is what makes grouping several interfaces into one zone useful. In the confirmed configuration examples below, the accept/reject policy between zones is set explicitly.
Creating a zone and linking multiple interfaces¶
Setting flow
1. Create zone z1
2. Link interface dp0s4 to z1
3. Link interface dp0s5 to z1
4. Create zone z2
5. Link interface dp0s6 to z2
6. Link interface dp0s7 to z2
Note
An interface can belong to only one zone.
Note
Once an interface is linked to a zone and filtered by the Zone-Based Firewall, a firewall policy can no longer be applied directly to that interface; all filtering for it is done through the inter-zone policies.
Commands entered in the CLI

```
set security firewall name all_accept default-action 'accept'
set security zone-policy zone z1 interface 'dp0s4'
set security zone-policy zone z1 interface 'dp0s5'
set security zone-policy zone z1 to z2 firewall 'all_accept'
set security zone-policy zone z2 interface 'dp0s6'
set security zone-policy zone z2 interface 'dp0s7'
set security zone-policy zone z2 to z1 firewall 'all_accept'
```
Note
Committing this configuration requires an inter-zone policy to be defined for the zone pairs; the commit is rejected until one is applied. For the sake of this example, the all_accept rule set forwards all traffic in both directions. In production, replace it with rule sets whose default-action is drop and which accept only the traffic that is actually required; with all_accept applied in both directions the zones provide no filtering at all.
Resulting configuration

```
security {
    firewall {
        name all_accept {
            default-action accept
        }
    }
    zone-policy {
        zone z1 {
            interface dp0s4
            interface dp0s5
            to z2 {
                firewall all_accept
            }
        }
        zone z2 {
            interface dp0s6
            interface dp0s7
            to z1 {
                firewall all_accept
            }
        }
    }
}
```
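The following is an added example, not taken from this page or from Brocade's documentation, showing the same two zones with all_accept replaced by per-direction rule sets: hosts in z1 may open HTTPS connections to z2, and z2 may not open anything towards z1. The rule-set names z1_to_z2 and z2_to_z1 are chosen here. Two points are assumptions to check against the 4.2R1S1 CLI reference before use: that `state 'enable'` is the per-rule session-tracking keyword on this release, and that packets matching an existing tracked session are passed without re-evaluating the z2 to z1 rule set.

```vyatta
# Enter configuration mode on the vRouter
configure

# Zone membership, same as on this page: two interfaces per zone
set security zone-policy zone z1 interface 'dp0s4'
set security zone-policy zone z1 interface 'dp0s5'
set security zone-policy zone z2 interface 'dp0s6'
set security zone-policy zone z2 interface 'dp0s7'

# z1 -> z2: drop everything except new TCP/443 connections.
# 'state enable' is assumed to turn on session tracking for the rule,
# so that replies from z2 are matched by the session table.
set security firewall name z1_to_z2 default-action 'drop'
set security firewall name z1_to_z2 rule 10 action 'accept'
set security firewall name z1_to_z2 rule 10 protocol 'tcp'
set security firewall name z1_to_z2 rule 10 destination port '443'
set security firewall name z1_to_z2 rule 10 state 'enable'

# z2 -> z1: no new connections at all. Replies to sessions opened from z1
# are assumed to be passed by the session table before this rule set is
# consulted, so only the drop default is needed here.
set security firewall name z2_to_z1 default-action 'drop'

# Bind one rule set per direction; both directions must exist to commit
set security zone-policy zone z1 to z2 firewall 'z1_to_z2'
set security zone-policy zone z2 to z1 firewall 'z2_to_z1'

# Review the candidate configuration, then commit and save it
show security zone-policy
compare
commit
save
```

After committing, confirm from a host on dp0s4 that an HTTPS connection to a host on dp0s6 succeeds and that a connection attempted in the opposite direction (or on any other port) is dropped rather than merely rejected; if the return traffic for the permitted connection is also dropped, the session-tracking assumption above does not hold on this release and an explicit accept for established sessions must be added to z2_to_z1.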