JNCIS-SEC [Zones]

Here are the notes I have taken while preparing for the JNCIS-SEC exam. They may not be useful for everyone, as they are for me to remember some of the stuff.

Zones are logical groupings of logical interfaces with a common security requirement.

  • Special interfaces like fxp0, chassis cluster interfaces and em0 interfaces cannot be assigned to a zone.
  • You cannot assign a logical interface to multiple zones or multiple routing instances. In addition, all of a zone’s logical interfaces must be in a single routing instance.
  • A routing instance is a logical routing construct and can contain one or more zones which cannot be shared with other routing instances.

Zone Types:

Zones are subdivided into two categories: user-defined and system-defined. System-defined zones aren’t configurable.

1) User-defined zones
   a) Security (for transit traffic and packets to the device itself)
   b) Functional (only for management traffic)
2) System-defined zones
   a) Null (not configurable)

To define a security zone named engineering:

            [edit]
            root@host# set security zones security-zone engineering

To define a functional zone (the only possible functional zone is management):

            [edit]
            root@host# set security zones functional-zone management
            root@host# set security zones functional-zone management interfaces ge-0/0/4.0

Adding a logical interface to a zone:

            root@host# set security zones security-zone engineering interfaces ge-0/0/3.0

Without explicit configuration, traffic destined for this interface isn’t allowed. To permit traffic destined to this zone:

            root@host# set security zones security-zone engineering host-inbound-traffic system-services all

To enable a protocol destined to a zone, it must be explicitly configured under host-inbound-traffic:

            root@host# set security zones security-zone engineering host-inbound-traffic protocols ospf

[edit security zones security-zone engineering]
root@host# show 
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        ospf;
    }
}
interfaces {
    ge-0/0/3.0;
}

[edit security zones]
root@host# show
functional-zone management {
    interfaces {
        ge-0/0/4.0;
    }
}

host-inbound-traffic can also be configured under an individual interface, in which case only the traffic destined to that interface, not to the whole zone, is allowed.
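
As an added example (not part of the original notes), the Python script below audits zone configuration for the host-inbound-traffic settings described above: it parses the brace-style output, uses the interface-level stanza in place of the zone-level one where an interface has its own, and reports interfaces whose effective system-services include all or a cleartext service. The sample configuration, the interface ge-0/0/5.0 and the RISKY list are assumptions made for illustration.

```python
# Constructed sample, in the brace format "show" prints under [edit security zones].
SAMPLE = """
security-zone engineering {
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/3.0 {
            host-inbound-traffic {
                system-services {
                    ssh;
                }
            }
        }
        ge-0/0/5.0;
    }
}
"""
# Assumed review policy (not from the page): flag "all" and cleartext services.
RISKY = {"all", "telnet", "http", "ftp", "tftp", "rlogin", "rsh", "finger", "xnm-clear-text"}

def parse(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to {}."""
    stack = [{}]
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = {}
    return stack[0]

def services(node):
    """system-services under a host-inbound-traffic stanza, or None when there is no stanza."""
    hit = node.get("host-inbound-traffic")
    return None if hit is None else set(hit.get("system-services", {}))

def audit(text):
    """Return (zone, interface, risky services); an interface stanza overrides the zone's."""
    findings = []
    for zone, body in parse(text).items():
        for ifname, ifbody in body.get("interfaces", {}).items():
            own = services(ifbody)
            effective = own if own is not None else services(body) or set()
            if risky := sorted(effective & RISKY):
                findings.append((zone, ifname, risky))
    return findings
```

On the sample, ge-0/0/3.0 is clean because its own stanza narrows it to ssh, while ge-0/0/5.0 inherits all from the zone and is reported.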

Monitoring Commands

root@host> show security zones engineering 

Security zone: engineering
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes  
  Interfaces bound: 1
  Interfaces:
    ge-0/0/3.0

To display interface zone info:

root@host> show interfaces ge-0/0/3.0 extensive
  Logical interface ge-0/0/3.0 (Index 70) (SNMP ifIndex 532) (Generation 150)
    Flags: Device-Down SNMP-Traps Encapsulation: ENET2
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                    0
     Input  packets:                    0
     Output packets:                    0
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Security: Zone: engineering
    Allowed host-inbound traffic : bootp dns ospf dhcp finger ftp tftp
    ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
    rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
    ntp sip
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :                      0
      Multicast packets :                0
      Bytes permitted by policy :        0
      Connections established :          0
