Adding a Zone

IP addresses protected by anti-DDoS devices are identified and grouped by adding a Zone. Then Zone-specific policies can be configured to achieve differentiated and hierarchical defense.

Prerequisites

Before you add a Zone and associate it with devices, ensure that the devices to be associated have been discovered by the ATIC Management center.

Context

Zones are classified into user-defined Zones and default Zones.
  • User-Defined Zones

    To protect specific IP addresses/address segments, the administrator can manually create user-defined Zones and add the IP addresses/address segments to the user-defined Zones. The anti-DDoS device uses defense policies to provide refined defense for traffic of these IP addresses/address segments.

    The type of such Zones is User-Defined.

  • Default Zones

    Each anti-DDoS device can be associated with only one default Zone, which has no IP addresses specified. The anti-DDoS device can implement refined defense for all destination IP addresses except those in user-defined Zones.

    The type of such Zones is Default.

If a network is large or covers multiple areas and each administrator needs to manage one part of the network, you can create multiple Zones and grant each administrator permission to manage the corresponding Zone.

Procedure

  1. Choose Defense > Policy Settings > Zone.
  2. On the Zone List page, click .
  3. Set the basic parameters of the Zone. For details, see Table 1.

    Table 1 Zone Basic Information

    Parameter: Account
    Description: Indicates the Zone account.
    Value: The Zone account consists of letters, digits, and underscores (_) and must start with a letter. It cannot be an illegitimate string such as null or default, and it cannot start with sig. It is case insensitive. Its length cannot exceed 32 characters. This parameter cannot be changed during Zone modification.

    Parameter: Type
    Description: Indicates the Zone type.
    Value: The value can be User-Defined or Default. This parameter cannot be changed during Zone modification.

    Parameter: Name
    Description: Indicates the Zone name, which supplements the Zone account to make queries easier.
    Value: The Zone name contains a maximum of 64 characters. It cannot contain spaces or any of the following characters: | \ , < > / : " % * ? & =
    The value cannot be null.

    Parameter: Contact, Phone, Mobile Phone, Post Code, Industry, Email, Address
    Description: Indicates the basic information of the contact person.
    Value: -

    Parameter: Description
    Description: Indicates the detailed description of the Zone.
    Value: Its length cannot exceed 255 characters.

  4. Set the IP address of the user-defined Zone.

    NOTE:
    This operation can be performed only when a user-defined Zone is added.

    1. On the Create Zone page, click the IP Address tab.
    2. Click .

    3. Create IP addresses. For details on the parameters, see Table 2.

      NOTE:

      Both IPv4 and IPv6 addresses are applicable.

      Table 2 Creating IP addresses

      Parameter: IP Type
      Description: Indicates the IP address type.
      Value:
      • regular: The IP address belongs to this Zone.
      • exclude: The IP address does not belong to this Zone.

      For example, if a Zone is a subnet except one IP address, you can configure a subnet whose IP Type is set to regular and an IP address whose IP Type is set to exclude.

      Parameter: Create Mode
      Description: Indicates the mode of creating IP addresses.
      Value:
      • IP address+Mask: The IP address and mask are entered to create IP addresses.
      • IP address segment: The start and end IP addresses are entered to create IP addresses.

    4. Click OK.

      The new IP address is displayed in the IP Address list.

      NOTE:
      • The IP addresses of different Zones must be mutually exclusive.

      • In the IP Address list, you can select an IP address and click to delete the IP address; you can select the check box on the title bar and click to delete all IP addresses.

  5. Click the Devices tab to associate devices with the Zone. Select the check box of a device and click OK.

    NOTE:

    To divert the traffic destined for a Zone to a specific VPN instance of the device, select the VPN instance in the VPN column.

  6. Click the Policy tab to configure a defense policy and traffic diversion.
    1. Configure the protected bandwidth of the Zone.

      The Zone bandwidth refers to the total bandwidth of all IP addresses in the created Zone. It is usually used in operation scenarios, where it refers to the total bandwidth a carrier offers to its tenants.

      The protected bandwidth also serves as a reference for defining alarm severity. Different Zones correspond to different bandwidths and alarm severities.

    2. Select a defense policy template.

      You can use the default defense policy template or create a defense policy template. For details, see Configuring Policy Templates.

    3. Select Packet Capture Task. Then the cleaning device captures the packets discarded due to attacks upon the Zone. This assists in analyzing attack events.
    4. Optional: Create a static traffic diversion task.

      In the Traffic Diversion Task List group box, click to create IP addresses whose traffic is to be diverted.

      After a static traffic diversion task is delivered, all traffic destined for the IP address is diverted to the cleaning device.

      When you specify certain IP addresses or IP address segments for traffic diversion in a protected IP address segment, split the IP address segment and select the subnet after splitting.

      1. Click of the IP address to be split.
      2. On the Splitting Setting page, enter the mask splitting length and click Split.

        The mask splitting length ranges from 1+number of mask bits to 8+number of mask bits. For example, the mask of a protected IP address segment is 255.255.0.0. That is, the number of mask bits is 16. In this case, the mask splitting length ranges from 17 to 24.

      3. Select the subnet IP addresses after splitting.

      4. Click OK.

      5. Select a subnet IP address after splitting on the Create Traffic Diversion Task page.

  7. Click OK to finish adding the Zone on the ATIC Management center. Click Deploy to deploy the Zone configuration to devices.
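
The regular/exclude semantics from Table 2 and the rule that the IP addresses of different Zones must be mutually exclusive can be checked on a planned address list before it is entered in step 4. The following Python sketch is an added example, not part of the product or its documentation. The Zone names, the dictionary layout, and the function names are hypothetical, and it assumes that an address marked exclude does not count as belonging to the Zone when overlaps are evaluated.

```python
import ipaddress

# Constructed sample Zones (documentation address ranges, not from the page).
ZONES = {
    "tenant_a": {"regular": [("mask", "192.0.2.0/24")],
                 "exclude": [("mask", "192.0.2.10/32")]},
    "tenant_b": {"regular": [("mask", "192.0.2.10/32")]},
    "tenant_c": {"regular": [("segment", "192.0.2.200", "192.0.2.203"),
                             ("mask", "2001:db8::/64")]},
}

def to_networks(entry):
    """Convert one entry to CIDR networks for either Create Mode."""
    if entry[0] == "mask":  # IP address+Mask
        return [ipaddress.ip_network(entry[1], strict=False)]
    start, end = (ipaddress.ip_address(a) for a in entry[1:3])  # IP address segment
    return list(ipaddress.summarize_address_range(start, end))

def effective_networks(zone):
    """Regular entries minus exclude entries, as a sorted CIDR list."""
    result = [n for e in zone["regular"] for n in to_networks(e)]
    for cut in (n for e in zone.get("exclude", []) for n in to_networks(e)):
        kept = []
        for net in result:
            if net.version != cut.version or not net.overlaps(cut):
                kept.append(net)              # untouched by this exclude
            elif cut != net and cut.subnet_of(net):
                kept.extend(net.address_exclude(cut))  # carve the hole out
            # otherwise net lies wholly inside the exclude and is dropped
        result = kept
    return sorted(result, key=lambda n: (n.version, n))

def find_overlaps(zones):
    """List (zone_a, zone_b, net_a, net_b) for ranges claimed by two Zones."""
    eff = {name: effective_networks(z) for name, z in zones.items()}
    names = sorted(eff)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            hits += [(a, b, str(na), str(nb))
                     for na in eff[a] for nb in eff[b]
                     if na.version == nb.version and na.overlaps(nb)]
    return hits

if __name__ == "__main__":
    for hit in find_overlaps(ZONES):
        print("overlap:", *hit)
```

In the sample data, tenant_b can hold 192.0.2.10 because tenant_a excludes it, while the tenant_c segment collides with tenant_a and is reported.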

Follow-up Procedure

You can view, modify, or delete a Zone by referring to Configuring the Zone.


Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.