Here are the notes I took while preparing for the JNCIS-SEC exam. They may not be useful to everyone, since they are mostly for me to remember some of the material.
Zones are logical groupings of logical interfaces with a common security requirement.
- Special interfaces such as fxp0 (out-of-band management), the chassis cluster control and fabric interfaces, and em0 cannot be assigned to a zone.
- You cannot assign a logical interface to multiple zones or multiple routing instances. In addition, all of a zone’s logical interfaces must be in a single routing instance.
- A routing instance is a logical routing construct and can contain one or more zones which cannot be shared with other routing instances.
Zone Types:
Zones are subdivided into two categories: user-defined and system-defined. System-defined zones aren't configurable.
1) User-defined zones
a) Security (for transit traffic and packets to the device itself)
b) Functional (only for management traffic)
2) System-Defined
a) Null (not configurable; any interface not assigned to a configured zone belongs to the null zone, and traffic to or from it is dropped)
To define a security zone named engineering
[edit]
root@host# set security zones security-zone engineering
To define a functional zone (management is the only functional zone that can be defined):
[edit]
root@host# set security zones functional-zone management
root@host# set security zones functional-zone management interfaces ge-0/0/4.0
Adding logical Interface to a zone:
# set security zones security-zone engineering interfaces ge-0/0/3.0
By default, no host-inbound traffic (traffic destined to the device itself, as opposed to transit traffic) is accepted on the interfaces of a security zone. To permit every system service on this zone:
#set security zones security-zone engineering host-inbound-traffic system-services all
Keep in mind that "all" exposes every management service (ssh, telnet, http, snmp, ...) on that zone. On anything other than a trusted management zone, list only the services that are actually needed.
Routing and other protocols destined to the zone must also be enabled explicitly, and they live under host-inbound-traffic as well:
#set security zones security-zone engineering host-inbound-traffic protocols ospf
[edit security zones security-zone engineering]
root@host# show
host-inbound-traffic {
system-services {
all;
}
protocols {
ospf;
}
}
interfaces {
ge-0/0/3.0;
}
[edit security zones]
root@host# show
functional-zone management {
interfaces {
ge-0/0/4.0;
}
}
host-inbound-traffic can also be configured under a specific interface inside the zone's interfaces stanza. Settings at that level apply only to traffic destined to that interface, not to the whole zone, and for that interface they take precedence over the zone-level host-inbound-traffic settings.
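The following is an added example (not part of the original notes) that ties the two points together: it replaces the permissive system-services all on the engineering zone with an explicit allow-list, then restricts ge-0/0/3.0 further with an interface-level host-inbound-traffic stanza. The zone name, interface name and the chosen services are assumptions for illustration.

```junos
## Added example, not from the original notes. Zone name, interface and
## service list are illustrative assumptions.
[edit security zones security-zone engineering]
root@host# delete host-inbound-traffic system-services all
root@host# set host-inbound-traffic system-services ssh
root@host# set host-inbound-traffic system-services ping
root@host# set host-inbound-traffic protocols ospf

## Interface-level host-inbound-traffic applies only to traffic destined to
## ge-0/0/3.0 itself and takes precedence over the zone-level list for that
## interface, so it must list everything the interface has to accept:
## here ping and ospf, but no ssh.
root@host# set interfaces ge-0/0/3.0 host-inbound-traffic system-services ping
root@host# set interfaces ge-0/0/3.0 host-inbound-traffic protocols ospf

root@host# show
host-inbound-traffic {
    system-services {
        ssh;
        ping;
    }
    protocols {
        ospf;
    }
}
interfaces {
    ge-0/0/3.0 {
        host-inbound-traffic {
            system-services {
                ping;
            }
            protocols {
                ospf;
            }
        }
    }
}

root@host# commit check
configuration check succeeds

## After commit, confirm the effective list on the interface: it should now
## contain only the explicitly allowed services and protocols.
root@host> show interfaces ge-0/0/3.0 extensive | match "host-inbound"
```

Any other interface later added to the engineering zone without its own stanza inherits the zone-level list (ssh, ping, ospf); only ge-0/0/3.0 is narrowed to ping and ospf.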
Monitoring Commands
root@host> show security zones engineering
Security zone: engineering
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/3.0
To display the zone an interface is bound to, together with the host-inbound traffic it allows:
root@host> show interfaces ge-0/0/3.0 extensive
Logical interface ge-0/0/3.0 (Index 70) (SNMP ifIndex 532) (Generation 150)
Flags: Device-Down SNMP-Traps Encapsulation: ENET2
Traffic statistics:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Local statistics:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Transit statistics:
Input bytes : 0 0 bps
Output bytes : 0 0 bps
Input packets: 0 0 pps
Output packets: 0 0 pps
Security: Zone: engineering
Allowed host-inbound traffic : bootp dns ospf dhcp finger ftp tftp
ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin
rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping
ntp sip
Flow Statistics :
Flow Input statistics :
Self packets : 0
ICMP packets : 0
VPN packets : 0
Multicast packets : 0
Bytes permitted by policy : 0
Connections established : 0