Zones

INTERNAL USE ONLY. Zones. ©2008 Juniper Networks, Inc. All rights reserved.

Zone Definition

A zone is a collection of one or more network segments sharing identical security requirements. To group network segments within a zone you must group the services gateway's logical interfaces.

Traffic Regulation Through a Services Gateway

Zones enable network security segregation. Security policies are applied between zones to regulate traffic through the services gateway. By default, all network interfaces belong to the system-defined Null zone. All traffic to or from the Null zone is dropped. Once interfaces are assigned to a non-Null zone, they can pass or accept traffic. Special interfaces, including the fxp0 management Ethernet interface, chassis cluster fabric interfaces, and internal system em0 interfaces, cannot be assigned to a zone.

Review: Packet Flow

Recall the packet flow through a services gateway using JUNOS software. Specifically, once the packet enters a flow module, the services gateway examines it to determine whether it belongs to an already established session. Recall that JUNOS software matches on six elements of traffic information to identify a session: source IP address, destination IP address, source port number, destination port number, protocol number, and a session token.

Zones and Interface Assignments

You can assign one or more logical interfaces to a zone. You can also assign one or more logical interfaces to a routing instance. You cannot assign a logical interface to multiple zones or multiple routing instances. You must also ensure that all of a zone's logical interfaces are in a single routing instance. Violating any of these restrictions results in a configuration error, as shown in the following examples:

    [edit]
    user@host# commit check
    [edit security zones security-zone trust]
      'interfaces ge-0/0/2.0'
        Interface ge-0/0/2.0 already assigned to another zone
    error: configuration check-out failed

    [edit]
    lab@host# commit check
    [edit routing-instances A interface]
      'ge-0/0/0.0'
        RTInstance: Interface ge-0/0/0.0 already configured under instance B
    [edit routing-instances foo]
      'interface'
        Interface ge-0/0/0.0 is in more than one routing instance (latest A)
    error: dcd_config_read fails to set parsing options
    error: configuration check-out failed

    [edit]
    user@host# commit check
    [edit security zones security-zone untrust]
      'interfaces ge-0/0/2.0'
        Interface ge-0/0/2.0 must be in the same routing instance as other interfaces in the zone
    error: configuration check-out failed

Instance Types

JUNOS software for SRX-series services gateways has five types of routing instances:

1. Forwarding: This routing instance is used for filter-based forwarding applications.
2. Layer 2 VPN: This routing instance is used for Layer 2 VPN implementations over MPLS over IP.
3. Nonforwarding: This routing instance is used to separate routing table information. A single forwarding table is still used.
4. Virtual Router: This routing instance is used for Layer 3 implementations, enabling the user to have several routing and forwarding tables within a single physical router or services gateway.
5. VRF: This routing instance is used for Layer 3 VPN implementations over MPLS over IP.

Reference to Virtual Router

Throughout this material, reference to a routing instance implies reference to a VR.

Hierarchical Dependencies

The slide summarizes logical relationships between interfaces, zones, and routing instances. Logical interfaces are connections to specific subnets. Zones are logical groupings of logical interfaces with a common security requirement, and a logical interface can belong to only one zone. Zone configuration can be as simple as a two-zone setup, where all interfaces connected to internal networks are in one zone, and all interfaces connected to the external world are in a different zone. A more complicated configuration might divide interfaces based on internal department or function in addition to external and DMZ connections.

A physical device can be broken up into multiple routing instances. A routing instance is a logical routing construct within an SRX-series services gateway. Each routing instance maintains its own routing table and forwarding table. A routing instance can contain one or more zones, which cannot be shared with other routing instances.

Zone Types

The zones within JUNOS software can be subdivided into two categories: user-defined and system-defined. You can configure user-defined zones, but you cannot configure system-defined zones. You can subdivide the user-defined category into security and functional zones. The system-defined category can be subdivided into junos-global and Null zones. We cover user-defined and system-defined zones in detail on the next few pages.

Common Characteristics

Two very important characteristics of user-defined zones are that you can configure them and you can assign interfaces to them. In contrast, system-defined zones are not configurable, and interfaces cannot be added through user configuration.

Types of User-Defined Zones

The two types of user-defined zones are security zones and functional zones.

Security Zones

Security zone
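As an added illustration of the three interface-assignment rules from "Zones and Interface Assignments" (example code written for this page, not Juniper's commit checker or any course material): a small Python check over constructed Junos-style set statements that reports the same three classes of error, plus the rule that fxp0 and em0 cannot join a zone. It assumes an interface with no routing-instances statement sits in the default instance (called "master" here) and that the chassis cluster fabric interfaces are named fab0 and fab1.

```python
import re
from collections import defaultdict

# Constructed Junos-style statements (not taken from the slides); comments mark
# which of the course's assignment rules each offending line breaks.
SAMPLE_CONFIG = [
    "set security zones security-zone trust interfaces ge-0/0/1.0",
    "set security zones security-zone trust interfaces ge-0/0/2.0",
    "set security zones security-zone untrust interfaces ge-0/0/2.0",  # one zone per interface
    "set security zones security-zone untrust interfaces ge-0/0/3.0",
    "set routing-instances B interface ge-0/0/0.0",
    "set routing-instances A interface ge-0/0/0.0",  # one routing instance per interface
    "set routing-instances A interface ge-0/0/3.0",  # untrust now spans master and A
    "set security zones security-zone mgmt interfaces fxp0.0",  # not assignable to a zone
]

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
# fxp0 and em0 come from the slides; fab0/fab1 as the cluster fabric names is an assumption.
NOT_ASSIGNABLE = ("fxp0", "em0", "fab0", "fab1")

def commit_check(statements):
    """Return the list of error strings; an empty list means the configuration passes."""
    zones_of = defaultdict(list)    # interface -> zones that claim it
    insts_of = defaultdict(list)    # interface -> routing instances that claim it
    ifaces_in = defaultdict(list)   # zone -> interfaces assigned to it
    errors = []
    for stmt in statements:
        if m := ZONE_RE.match(stmt.strip()):
            zone, ifl = m.groups()
            zones_of[ifl].append(zone)
            ifaces_in[zone].append(ifl)
        elif m := RI_RE.match(stmt.strip()):
            inst, ifl = m.groups()
            insts_of[ifl].append(inst)
    for ifl, zones in zones_of.items():
        if ifl.startswith(NOT_ASSIGNABLE):
            errors.append(f"Interface {ifl} cannot be assigned to a zone")
        if len(zones) > 1:
            errors.append(f"Interface {ifl} already assigned to another zone")
    for ifl, insts in insts_of.items():
        if len(insts) > 1:
            errors.append(f"Interface {ifl} is in more than one routing instance (latest {insts[-1]})")
    for zone, ifls in ifaces_in.items():
        # An interface with no routing-instances statement is in the default instance ("master").
        homes = {(insts_of.get(i) or ["master"])[0] for i in ifls}
        if len(homes) > 1:
            errors.append(f"Zone {zone}: interfaces must be in the same routing instance")
    return errors
```

Running commit_check(SAMPLE_CONFIG) yields four errors, one for each broken rule; removing the four commented lines makes it return an empty list.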