Network zone support helps users create a network zone and add multiple IP address and/or MAC addresses, which can then be used in the policy files.
With this new support, you can add a single attribute “source-zone” or “destination-zone” to an entry of a policy file. This entry is then expanded into multiple entries depending upon the number of IP and/or MAC addresses configured in that particular zone. If the zone is added to the policy with the keyword “source-zone,” the attributes that are configured in those particular zones, will be added as either source-address or ethernet-source-address in the policy, whereas, if the network-zone is added as destination-zone, the attributes will be added to the policies as destination-address or ethernet-destination-address.
Once you complete the changes in the zones, and issue a refresh of a specific zone, or all the zones, the policies that have corresponding zones configured as source-zone or destination-zone in their entries will be exapnded, and then refreshed in the hardware.
If you configure a policy such as the following to a port or VLAN through applications such as IdMgr, XNV or CLI:
Policy: test entry e1 { if match all { source-zone zone1 ; } Then { permit ; } }
Upon refreshing the network-zone zone1, the policy will be expanded as below:
entry Cl0:0_10.1.1.1_E1 { if match all { source-address 10.1.1.1 / 32 ; } then { permit ; } } entry Cl0:0_10.1.1.1_E2 { if match all { source-address 10.1.1.1 / 28 ; } then { permit ; } } entry Cl0:0_12.1.1.0_E3 { if match all { source-address 12.1.1.0 / 24 ; } then { permit ; } }
This converted policy will be the one to be applied in the hardware.
Note
When the policy is configured in the network-zone, the zone may or may not have attributes configured with it. In cases where the network-zone does not have any attributes, the policy will be created with entries that do not have the network-zone attribute alone. For example, if you have a policy similar to the following:
Policy: test2 entry e1 { if match all { source-zone zone2 ; protocol udp ; } then { permit ; } } entry e2 { if match all { protocol tcp ; } then { permit ; } }
and the network-zone “zone02” is created but not configured with any attributes, the policy would be as follows:
entry e2 { protocol tcp; } then { permit; } }
Once the network-zone “zone2” is configured with one or more attributes and refreshed, the policy will be updated accordingly. Here the name of the entries that have source-zone or destination-zone will be changed. This is because each entry in the original policy that has a source-zone/destination-zone will be converted to a maximum of eight entries in the new policy.
A single policy can have one or more network-zones configured in it, and can also have the same network-zone in multiple entries with different combinations as other attributes are supported in the policy file. Similarly, the same network-zone can be configured to multiple policies. In cases where the policy has multiple network-zones, and only some of those network-zones are refreshed, the entries that correspond to those network-zones will be refreshed alone, and not the entries that correspond to the other network-zones.
Once a refresh of a network zone is issued, all the policies that have the specified network-zone will be modified, and a refresh for each of those policies will be sent to the hardware. The command will succeed only after getting a success return for all the policies that have this particular network-zone. If one of the policy‘s refresh fails in the hardware, all of the policies that are supposed to refresh will revert to their previous successful state and the command will be rejected.
The configuration or refresh may fail if the attributes in the network zone are not compatible with the attributes in the corresponding entries of the policy. For example, in platforms that do not support wide-key or UDF, a policy entry cannot have Layer 2 attributes and Layer 4 attributes. In this case, if the entry has “protocol tcp,” and a network_zone that has an ethernet source address, the configuration will fail in the hardware.
Note
In the refresh failed case, the content of the policy and the content of the network-zone may go out of sync, as the policy will be reverted back to the last successful state, whereas the network zone will contain the last configured values.
For example, if we have the the network-zone configuration as follows:
create access-list network-zone zone1 configure access-list network-zone zone1 add ipaddress 10.1.1.1/32 configure access-list network-zone zone1 add ipaddress 10.1.1.1/28
and this is refreshed, and has been successfully installed in the hardware, the policy will look like this:
entry Cl0:0_10.1.1.1_E1 { if match all { source-address 10.1.1.1 / 32 ; } then { permit ; } } entry Cl0:0_10.1.1.1_E2 { if match all { source-address 10.1.1.1 / 28 ; } then { permit ; } }
Now, if the user removes 10.1.1.1/28, and adds 10.1.1.1/24 to the network zone as below:
configure access-list network-zone zone1 delete ipaddress 10.1.1.1/28 configure access-list network-zone zone1 add ipaddress 12.1.1.0/24
and then does a refresh network-zone, and for some reason, the policy refresh fails, the policy and the network-zone will look as below:
entry Cl0:0_10.1.1.1_E1 { if match all { source-address 10.1.1.1 / 32 ; } then { permit ; } } entry Cl0:0_10.1.1.1_E2 { if match all { source-address 10.1.1.1 / 28 ; } then { permit ; } } create access-list network-zone zone1 configure access-list network-zone zone1 add ipaddress 10.1.1.1 255.255.255.255 configure access-list network-zone zone1 add ipaddress 12.1.1.0 255.255.255.0