Creating a zone policy

To create a zone policy that performs zone-specific actions on selected packets, follow these steps:

Procedure
  1. Enter the policy zone policy-name command from the global configuration context.

    Context: Global configuration

    Syntax:

    [no] policy zone policy-name

    Defines the name of a zone policy and enters the policy configuration context, where policy-name is a text string of up to 64 characters. The name must not be the same as a zone name. The no form of the command deletes the policy.

    A zone policy consists of one or more actions that are configured for specific zones.

    No action is performed on packets sent to or from ports in the BYPASS zone. By default, every port belongs to the BYPASS zone until you explicitly assign it to a different zone, so traffic on a port you forget to add to a zone is never intercepted and never reaches the application. Verify zone membership before relying on a zone policy for inspection.

  2. To configure the actions to execute on traffic that passes from one zone to another, enter one or more class commands from the policy configuration context.

    Context: Policy configuration

    Syntax:

    [no] [seq-number] class zone source-zone-name destination-zone-name action intercept unidirectional
    
    Defines the source and destination zones for packets that must be intercepted and forwarded to the ONE application.

    seq-number

    (Optional) Sequentially orders the class-action statements in a policy configuration. Actions are executed on matching packets in numerical order.

    source-zone-name

    Defines the source zone for packets that must be intercepted and forwarded to the ONE application.

    destination-zone-name

    Defines the destination zone for packets that must be intercepted and forwarded to the ONE application.

    action intercept unidirectional

    Defines the action as intercept and the flow of traffic as unidirectional (one-way): only packets travelling from the source zone to the destination zone match. Traffic in the reverse direction is not affected by this statement.

    Default: Class-action statements are numbered in increments of 10, starting at 10.

    The configured actions are executed on packets that arrive on the ports associated with the source zone and are destined for ports associated with the destination zone.

    You cannot configure intercept rules for the BYPASS zone class, so traffic to or from the BYPASS zone cannot be intercepted.

  3. Enter the exit command to exit the policy configuration context.
  4. To display a policy configuration, enter the show policy policy-name command.

    To edit a policy configuration, re-enter the policy context (policy command) and modify class-action statements.

Figure 72: Forwarding zone traffic. In the following policy configuration, traffic being sent from the internal zone to the external zone is intercepted, so that it can be forwarded to an application that is running on an HPE AllianceONE Extended Services zl Module.
switch(config)# class zone internal
switch(config-class)# port-list a10-a24
switch(config-class)# exit
switch(config)# class zone external
switch(config-class)# port-list a1-a4
switch(config-class)# exit
switch(config)# policy zone Firewall
switch(policy-config)# class zone internal external action intercept unidirectional
switch(policy-config)# exit
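The following transcript is an added example, not part of the original figure, showing the same procedure with explicit sequence numbers and a second class statement that covers the reverse direction, since each intercept statement is unidirectional. It assumes the internal zone from Figure 72 already exists; the dmz zone, the port range a5-a8 and the policy name Inspect are hypothetical. The no form used to remove statement 20 is taken directly from the [no] [seq-number] class zone ... syntax above.

```text
switch(config)# class zone dmz
switch(config-class)# port-list a5-a8
switch(config-class)# exit
switch(config)# policy zone Inspect
switch(policy-config)# 10 class zone internal dmz action intercept unidirectional
switch(policy-config)# 20 class zone dmz internal action intercept unidirectional
switch(policy-config)# exit
switch(config)# show policy Inspect
switch(config)# policy zone Inspect
switch(policy-config)# no 20 class zone dmz internal action intercept unidirectional
switch(policy-config)# exit
```

Statements 10 and 20 together intercept both directions of an internal-to-dmz conversation; removing statement 20 leaves only internal-to-dmz traffic intercepted, so replies from the dmz reach internal ports without passing through the application. Ports a5-a8 are chosen so they do not overlap the a1-a4 and a10-a24 ranges already assigned in Figure 72; any port that appears in no class zone remains in BYPASS and is not covered by this policy.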