Security zone configuration example, Network requirements, Configuration procedure – H3C Technologies H3C SecBlade IPS Cards User Manual
Table 7-3 Configuration items of creating a security zone for OAA enabled interfaces with VLAN configuration

Item | Description
Name | Specify the name of the security zone. The Any zone is a reserved security zone for some devices. Support for the configuration of this zone depends on your device model.
Interface | Assign interfaces to or remove interfaces from the security zone. If your device serves as an ACFP client, the Available Interfaces field lists the interfaces of the ACFP server. Otherwise, the Available Interfaces field lists the interfaces of your device.
VLAN ID | When you try to assign a Layer 2 Ethernet interface to the security zone, you must associate one or more VLANs with the interface. If you do not specify any VLAN, you will associate all VLANs with the interface. You can assign the association between a Layer 2 Ethernet interface and a VLAN to one security zone only. The SR6600 IPS card does not support VLAN ID configuration.
Application Mode | Select the application mode (normal or cascaded) of the security zone. In cascaded mode, policy applications are used based on VLAN IDs. The cascaded mode is applied to ACFP internal interfaces, whereas the normal mode applies to other cases.
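
A planning-time check for the VLAN ID rule in Table 7-3, given here as an added example that is not H3C code: it flags any interface/VLAN association claimed by more than one security zone before the zones are entered on the device. The data model, the zone name Guest, the VLAN IDs and the 1-4094 VLAN range are assumptions made for illustration.

```python
# Added example, not H3C code. Planning-time check for the Table 7-3 rule:
# an (interface, VLAN) association may belong to one security zone only,
# and an empty VLAN list associates all VLANs with the interface.
ALL_VLANS = frozenset(range(1, 4095))  # assumption: 802.1Q VLAN IDs 1-4094


def expand(vlans):
    """Return the VLAN set an entry covers; empty input means all VLANs."""
    return frozenset(vlans) if vlans else ALL_VLANS


def find_conflicts(zones):
    """zones maps zone name -> list of (interface, [vlan_ids]).

    Returns a list of (interface, first_zone, second_zone, overlap), where
    overlap is a sorted list of VLAN IDs, or "all" when the overlap is
    every VLAN.
    """
    seen = {}       # interface -> [(zone, vlan_set), ...]
    conflicts = []
    for zone, members in zones.items():
        for iface, vlans in members:
            vset = expand(vlans)
            for other_zone, other_set in seen.get(iface, []):
                overlap = vset & other_set
                if other_zone != zone and overlap:
                    shown = "all" if overlap == ALL_VLANS else sorted(overlap)
                    conflicts.append((iface, other_zone, zone, shown))
            seen.setdefault(iface, []).append((zone, vset))
    return conflicts


# Constructed plan: zone "Guest" and all VLAN IDs are hypothetical.
PLAN = {
    "Internal": [("GigabitEthernet 0/0/0", [10, 20])],
    "External": [("GigabitEthernet 0/0/1", [])],       # no VLAN given: all VLANs
    "Guest": [("GigabitEthernet 0/0/0", [20, 30]),      # VLAN 20 is in Internal
              ("GigabitEthernet 0/0/1", [100])],        # inside External's "all"
}

if __name__ == "__main__":
    for iface, a, b, vl in find_conflicts(PLAN):
        print(f"{iface}: zones {a} and {b} both claim VLANs {vl}")
```
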
Security Zone Configuration Example
Network requirements
As shown in Figure 7-6, the IPS device serves as the network edge device that connects the Intranet to the Internet. Interface GigabitEthernet 0/0/0 on the IPS device is connected to the Intranet, which is configured as security zone Internal, and interface GigabitEthernet 0/0/1 is connected to the Extranet, which is configured as security zone External.
Configure security zones on the IPS device to facilitate network management.
Figure 7-6 Network diagram for the security zone configuration
Configuration procedure
# Configure security zone Internal.