Example: Creating Security Zones

This example shows you how to configure zones and assign interfaces to them. When you configure a security zone, you can specify many of its parameters at the same time.

Requirements

Before you begin:

Configure network interfaces. See the JUNOS Software Interfaces Configuration Guide for Security Devices.

Overview

An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.

Note: By default, interfaces are in the null zone. The interfaces will not pass traffic until they have been assigned to a zone.

Configuration

CLI Quick Configuration

To quickly create zones and assign interfaces to them, copy the following commands and paste them into the CLI:


[edit]


set interfaces ge-0/0/1 unit 1 family inet address 10.12.12.1/24


set interfaces ge-0/0/1 unit 1 family inet6 address fa:43::21/96


set security-zone ABC interfaces ge-0/0/1.1

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To create zones and assign interfaces to them:

  1. Configure an Ethernet interface and assign an IPv4 address to it.

    [edit]
    user@host# set interfaces ge-0/0/1 unit 1 family inet address 10.12.12.1/24

  2. Assign an IPv6 address to the same logical interface.

    user@host# set interfaces ge-0/0/1 unit 1 family inet6 address fa:43::21/96

  3. Configure a security zone and assign the logical interface to it.

    user@host# set security zones security-zone ABC interfaces ge-0/0/1.1
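
The note above says an interface stays in the null zone, passing no traffic, until it is assigned to a zone. The following script is an added audit example (not part of this documentation and not a Juniper tool) that parses set-format configuration like the commands in this procedure and reports logical interfaces that carry an address but belong to no zone. The sample configuration is constructed for the example and deliberately includes a second unit, ge-0/0/2.0, that is never assigned to a zone.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the set format used by this example. ge-0/0/2.0 is
# intentionally configured with an address but left out of every zone.
SAMPLE_CONFIG = """
set interfaces ge-0/0/1 unit 1 family inet address 10.12.12.1/24
set interfaces ge-0/0/1 unit 1 family inet6 address fa:43::21/96
set interfaces ge-0/0/2 unit 0 family inet address 192.0.2.1/24
set security zones security-zone ABC interfaces ge-0/0/1.1
"""

# 'set interfaces <ifd> unit <n> family ...' describes logical interface <ifd>.<n>
UNIT_RE = re.compile(r"^set interfaces (\S+) unit (\d+)\b")
# 'set security zones security-zone <zone> interfaces <ifl>' assigns <ifl> to <zone>
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")


def parse_set_config(text: str) -> Tuple[Set[str], Dict[str, str]]:
    """Return (logical interfaces with an address family, {ifl: zone})."""
    configured: Set[str] = set()
    zone_of: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = UNIT_RE.match(line)
        if m and " family " in line:
            configured.add(f"{m.group(1)}.{m.group(2)}")
            continue
        m = ZONE_RE.match(line)
        if m:
            zone, ifl = m.group(1), m.group(2)
            prev = zone_of.get(ifl)
            # A logical interface belongs to exactly one zone; flag contradictions.
            if prev is not None and prev != zone:
                raise ValueError(f"{ifl} assigned to both {prev} and {zone}")
            zone_of[ifl] = zone
    return configured, zone_of


def null_zone_interfaces(text: str) -> List[str]:
    """Logical interfaces that carry an address but are in no zone (the null zone)."""
    configured, zone_of = parse_set_config(text)
    return sorted(ifl for ifl in configured if ifl not in zone_of)


def zone_assignments(text: str) -> Dict[str, str]:
    """Map each addressed logical interface to the zone it was assigned to."""
    configured, zone_of = parse_set_config(text)
    return {ifl: zone_of[ifl] for ifl in sorted(configured) if ifl in zone_of}


if __name__ == "__main__":
    for ifl, zone in zone_assignments(SAMPLE_CONFIG).items():
        print(f"{ifl}: zone {zone}")
    for ifl in null_zone_interfaces(SAMPLE_CONFIG):
        print(f"{ifl}: no zone (null zone, will not pass traffic)")
```

Run it against the output of `show configuration | display set` saved to a file to get a list of addressed interfaces that were configured but never placed in a zone; on the sample it reports ge-0/0/1.1 in zone ABC and ge-0/0/2.0 as unassigned.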

Results

Confirm your configuration by entering the show security zones security-zone ABC and show interfaces ge-0/0/1 commands from configuration mode. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

user@host# show security zones security-zone ABC
...
interfaces {
    ge-0/0/1.1 {
        ...
    }
}

user@host# show interfaces ge-0/0/1
...
unit 1 {
    family inet {
        address 10.12.12.1/24;
    }
    family inet6 {
        address fa:43::21/96;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Troubleshooting with Logs

Purpose

Use these logs to identify any security zone or interface issues.

Action

Enter these show log commands from operational mode.

user@host> show log messages
user@host> show log dcd
