TMS zl Management and Configuration Guide ST.1.1.100226
Overview
Zones
Access Control Zones
The TMS zl Module supports nine access control zones, which have the
following names and intended purposes:
■ Internal—your private network
■ External—the Internet or other untrusted networks
■ DMZ—demilitarized zone; publicly-accessible servers that are logically
located between the private network and the external network
■ Zone1 through Zone6—any user-defined purpose, as needed
With the exception of the External zone, you can rename the access control
zones according to your needs.
Before the TMS zl Module can filter traffic on a VLAN, you must associate that
VLAN with a zone. When you associate a VLAN with a zone, you specify an IP
address for the TMS zl Module on that VLAN. At this point, the VLAN is
considered a TMS VLAN.
A TMS VLAN can be associated with only one zone at a time. You do not need
to use all of the zones, but you do need to use at least one. You can create up
to 256 VLAN associations.
Each zone should include VLANs that have similar security needs or trust
levels. For example, if your network includes user VLANs 20, 30, and 40 and
server VLAN 10, you could associate VLANs 10, 20, 30, and 40 with the Internal
zone.
The External zone generally includes all of the traffic that originates or
terminates outside of your private network. ProCurve Networking recommends
that the TMS VLAN in this zone be the VLAN on which the TMS zl Module
connects to an external router (often its default gateway), because some
firewall protections, such as sequence prediction attack protection, apply
only to the External zone when enabled.
You can configure policies that apply to all members of a zone generally, or
you can configure more granular policies that apply only to some of the
members of a zone. For example, if TMS VLANs 20 and 30 are associated with
the same zone, you can create separate access policies for controlling the
traffic to and from each VLAN. Or you could even create policies that apply
to a single IP address in VLAN 20.
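The following Python model, added here as an illustration and not part of the guide or the TMS zl Module's own software, encodes the zone rules above (nine fixed zones, External cannot be renamed, a VLAN belongs to one zone at a time, at least one association and at most 256, an IP address for the module on each TMS VLAN) and the three policy scopes (whole zone, one TMS VLAN, one host). The VLAN numbers 10, 20, 30 and 40 in the Internal zone come from the guide's example; VLAN 100 as the External uplink, all module IP addresses, and the policy names are constructed for the example.

```python
"""Added example: a small model of TMS zl zone, TMS VLAN and policy-scope rules."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import ipaddress

# The nine access control zones. Every zone except External may be renamed.
DEFAULT_ZONES = ["Internal", "External", "DMZ"] + [f"Zone{i}" for i in range(1, 7)]
MAX_ASSOCIATIONS = 256  # limit on VLAN-to-zone associations stated in the guide


class ZoneConfigError(ValueError):
    """Raised when a change would violate a rule stated in the guide."""


class ZonePlan:
    def __init__(self) -> None:
        # Fixed zone slot -> current display name (renaming only changes the name).
        self.zone_names: Dict[str, str] = {z: z for z in DEFAULT_ZONES}
        # TMS VLAN id -> (zone slot, module IP address on that VLAN).
        self.associations: Dict[int, Tuple[str, str]] = {}

    def rename_zone(self, slot: str, new_name: str) -> None:
        if slot == "External":
            raise ZoneConfigError("the External zone cannot be renamed")
        if slot not in self.zone_names:
            raise ZoneConfigError(f"unknown zone slot {slot!r}")
        if new_name in self.zone_names.values():
            raise ZoneConfigError(f"zone name {new_name!r} is already in use")
        self.zone_names[slot] = new_name

    def _slot_for(self, display_name: str) -> str:
        for slot, name in self.zone_names.items():
            if name == display_name:
                return slot
        raise ZoneConfigError(f"unknown zone {display_name!r}")

    def associate(self, vlan_id: int, zone: str, module_ip: str) -> None:
        """Make vlan_id a TMS VLAN in `zone`, with the module addressed at module_ip."""
        slot = self._slot_for(zone)
        if vlan_id in self.associations:
            current = self.zone_names[self.associations[vlan_id][0]]
            raise ZoneConfigError(f"VLAN {vlan_id} is already in zone {current!r}; "
                                  "a VLAN belongs to one zone at a time")
        if len(self.associations) >= MAX_ASSOCIATIONS:
            raise ZoneConfigError(f"limit of {MAX_ASSOCIATIONS} VLAN associations reached")
        # Every association needs a syntactically valid module address on that VLAN.
        self.associations[vlan_id] = (slot, str(ipaddress.ip_interface(module_ip).ip))

    def zone_of(self, vlan_id: int) -> Optional[str]:
        entry = self.associations.get(vlan_id)
        return self.zone_names[entry[0]] if entry else None

    def validate(self) -> List[str]:
        """Rule violations and the guide's External-zone recommendation."""
        problems = []
        if not self.associations:
            problems.append("at least one zone must have a TMS VLAN")
        if not any(slot == "External" for slot, _ in self.associations.values()):
            problems.append("no TMS VLAN in External: External-only protections never apply")
        return problems


@dataclass(frozen=True)
class Policy:
    """A policy scoped to a whole zone, to one TMS VLAN in it, or to one host."""
    name: str
    zone: str
    vlan: Optional[int] = None
    host: Optional[str] = None


def applicable_policies(plan: ZonePlan, policies: List[Policy],
                        vlan_id: int, host_ip: str) -> List[str]:
    """Names of policies whose scope covers traffic for host_ip on vlan_id."""
    zone = plan.zone_of(vlan_id)
    if zone is None:
        raise ZoneConfigError(f"VLAN {vlan_id} is not a TMS VLAN and cannot be filtered")
    target = ipaddress.ip_address(host_ip)
    return [p.name for p in policies
            if p.zone == zone
            and (p.vlan is None or p.vlan == vlan_id)
            and (p.host is None or ipaddress.ip_address(p.host) == target)]


def build_example_plan() -> ZonePlan:
    """VLANs 10-40 in Internal as in the guide; VLAN 100 and all IPs are constructed."""
    plan = ZonePlan()
    for vlan in (10, 20, 30, 40):
        plan.associate(vlan, "Internal", f"10.1.{vlan}.1/24")
    plan.associate(100, "External", "203.0.113.2/30")
    return plan


# Constructed policies: zone-wide, one VLAN in the zone, and a single host.
EXAMPLE_POLICIES = [
    Policy("internal-zone-wide", zone="Internal"),
    Policy("vlan20-only", zone="Internal", vlan=20),
    Policy("single-host-20", zone="Internal", vlan=20, host="10.1.20.5"),
]

if __name__ == "__main__":
    plan = build_example_plan()
    print("validation:", plan.validate())
    print("host 10.1.20.5 on VLAN 20:", applicable_policies(plan, EXAMPLE_POLICIES, 20, "10.1.20.5"))
    print("host 10.1.30.7 on VLAN 30:", applicable_policies(plan, EXAMPLE_POLICIES, 30, "10.1.30.7"))
```

`applicable_policies` only reports which policies are in scope; the guide does not state how the module orders overlapping zone, VLAN and host policies, so the example deliberately does not assume a precedence.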