Adding a zone to a VDOM
Grouping interfaces and VLAN subinterfaces into zones simplifies policy creation. You can configure policies for connections to and from a zone, but not between interfaces in a zone.
Zones are VDOM-specific. A zone cannot be moved to a different VDOM, and an interface that belongs to one zone cannot be added to another zone. Moving a zone to a different VDOM requires deleting the current zone and re-creating it in the new VDOM.
The following procedure creates a zone called accounting in the client2 VDOM. The zone blocks intra-zone traffic, and both the port3 and port2 interfaces are its members. Grouping interfaces this way isolates the traffic on those interfaces from each other and from the rest of the network unless a policy explicitly permits it, which adds security and control within a larger network.
To add a zone to a VDOM - web-based manager
1. In Virtual Domains, select the client2 VDOM.
2. Go to System > Network > Interfaces.
3. Select Create New > Zone.
4. Enter the following information and select OK:
Zone Name: accounting
Block intra-zone traffic: Select
Interface Members: port3, port2
To add a zone to a VDOM - CLI
config vdom
    edit client2
        config system zone
            edit accounting
                set interface port3 port2
                set intrazone deny
            end
    end
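As an added check that is not part of the original FortiGate documentation, the following Python script parses the "config system zone" block from a constructed FortiOS configuration dump and flags zones that leave intra-zone traffic allowed, and interfaces that appear in more than one zone, both of which the text above rules out. It assumes the dump is indented plain text in the form shown and that an absent intrazone setting means the FortiOS default of allow (an assumption, not taken from this page).

```python
from typing import Dict, List

# Constructed sample dump (hypothetical; not captured from a real device).
# The "guest" zone deliberately violates both rules for demonstration.
SAMPLE_CONFIG = """\
config vdom
    edit client2
        config system zone
            edit "accounting"
                set interface "port3" "port2"
                set intrazone deny
            next
            edit "guest"
                set interface "port4" "port2"
            next
        end
    next
end
"""

def parse_zones(config_text: str) -> Dict[str, dict]:
    """Map zone name -> {"interface": [...], "intrazone": "deny"|"allow"}."""
    zones: Dict[str, dict] = {}
    in_zone_block = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system zone":
            in_zone_block = True
        elif not in_zone_block:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            # Assumed default when the dump omits the setting.
            zones[current] = {"interface": [], "intrazone": "allow"}
        elif line.startswith("set interface ") and current:
            zones[current]["interface"] = [t.strip('"') for t in line.split()[2:]]
        elif line.startswith("set intrazone ") and current:
            zones[current]["intrazone"] = line.split()[2]
        elif line == "next":
            current = None
        elif line == "end":
            in_zone_block = False
    return zones

def audit_zones(zones: Dict[str, dict]) -> List[str]:
    """Return findings: intra-zone traffic allowed, or an interface in two zones."""
    findings: List[str] = []
    owner: Dict[str, str] = {}  # interface -> first zone that claimed it
    for name, z in zones.items():
        if z["intrazone"] != "deny":
            findings.append(f"zone {name}: intra-zone traffic allowed")
        for iface in z["interface"]:
            if iface in owner:
                findings.append(f"interface {iface}: in zones {owner[iface]} and {name}")
            else:
                owner[iface] = name
    return findings

if __name__ == "__main__":
    for finding in audit_zones(parse_zones(SAMPLE_CONFIG)):
        print(finding)
```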