Home » ZyXEL Manuals » Networking » ZyXEL UAG4100 » Manual Viewer

ZyXEL UAG4100 User Guide - Page 290

What You Need to Know

Add to My Manuals
Save this manual to your list of manuals

Page 290 highlights

Chapter 25 Security Policy 25.1.2 What You Need to Know Stateful Inspection The UAG uses stateful inspection in its security policies. The UAG restricts access by screening data packets against defined access rules. It also inspects sessions. For example, traffic from one zone is not allowed unless it is initiated by a computer in another zone first. Zones A zone is a group of interfaces. Group the UAG's interfaces into different zones based on your needs. You can configure security policies for data passing between zones or even between interfaces. Default Security Policy Behavior Security policies are grouped based on the direction of travel of packets to which they apply. Here is the default security policy behavior for traffic going through the UAG in various directions. Note: Intra-zone traffic (such as LAN to LAN traffic or WAN to WAN traffic) can also be blocked by the zone configuration. See Section 34.2.1 on page 397 for details. Table 129 Default Security Policy Behavior FROM ZONE TO ZONE From any to Device From LAN1 to any (other than the UAG) From LAN2 to any (other than the UAG) From LAN1 to Device From LAN2 to Device From WAN to Device From any to any BEHAVIOR DHCP traffic from any interface to the UAG is allowed. Traffic from the LAN1 to any of the networks connected to the UAG is allowed. Traffic from the LAN2 to any of the networks connected to the UAG is allowed. Traffic from the LAN1 to the UAG itself is allowed. Traffic from the LAN2 to the UAG itself is allowed. The default services listed in To-Device Rules on page 290 are allowed from the WAN to the UAG itself. All other WAN to UAG traffic is dropped. Traffic that does not match any security policy is dropped. This includes traffic from the WAN to any of the networks behind the UAG. This also includes traffic to or from interfaces that are not assigned to a zone (extra-zone traffic). To-Device Rules Rules with Device as the To Zone apply to traffic going to the UAG itself. By default: • The security policy allows only LAN, or WAN computers to access or manage the UAG. • The UAG allows DHCP traffic from any interface to the UAG. • The UAG drops most packets from the WAN zone to the UAG itself and generates a log except for AH, ESP, GRE, HTTPS, IKE, NATT. When you configure a security policy for packets destined for the UAG itself, make sure it does not conflict with your service control rule. See Chapter 46 on page 486 for more information about UAG Series User's Guide 290

Section	Page
UAG Series	1
Contents Overview	3
Table of Contents	5
Introduction	20
1.1 Overview	20
1.2 Default Zones, Interfaces, and Ports	21
1.3 Management Overview	21
1.4 Web Configurator	22
1.4.1 Web Configurator Access	23
1.4.2 Web Configurator Screens Overview	23
1.4.3 Navigation Panel	26
1.4.4 Tables and Lists	32
1.5 Stopping the UAG	35
Hardware Installation and Connection	36
2.1 Rack-mounting (UAG5100)	36
2.2 Wall Mounting (UAG2100 and UAG4100)	37
2.3 Front Panel	38
2.3.1 Front Panel LEDs	39
2.4 Rear Panel	40
2.4.1 UAG2100 or UAG4100	40
2.4.2 UAG5100	41
Printer Deployment	42
3.1 Overview	42
3.2 Attach the Printer to the UAG	42
3.3 Set up an Internet Connection on the UAG	42
3.4 Allow the UAG to Monitor and Manage the Printer	43
3.5 Turn on Web Authentication on the UAG	46
3.6 Generate a Free Guest Account	47
Installation Setup Wizard	50
4.1 Welcome Screen	50
4.2 Internet Settings	50
4.2.1 Internet Settings: Ethernet	52
4.2.2 Internet Settings: PPPoE	53
4.2.3 Internet Settings: PPTP	54
4.2.4 Internet Settings - Second WAN Interface	55
4.3 Wireless Settings	56
4.3.1 Wireless and Radio Settings	56
4.4 Web Authentication Settings	57
4.5 Printer Settings	58
4.5.1 Printer List and Printout Settings	59
4.6 Billing Settings	59
4.6.1 Billing Profile	60
4.6.2 Account Generator Settings	61
4.7 Free Time Settings	62
4.8 Device Registration	63
Quick Setup Wizards	64
5.1 Quick Setup Overview	64
5.2 WAN Interface Quick Setup	65
5.2.1 Choose an Ethernet Interface	65
5.2.2 Select WAN Type	65
5.2.3 Configure WAN IP Settings	66
5.2.4 ISP and WAN Connection Settings	66
5.2.5 Quick Setup Interface Wizard: Summary	68
5.3 VPN Setup Wizard	70
5.3.1 Welcome	70
5.3.2 VPN Setup Wizard: Wizard Type	71
5.3.3 VPN Express Wizard - Scenario	71
5.3.4 VPN Express Wizard - Configuration	72
5.3.5 VPN Express Wizard - Summary	72
5.3.6 VPN Express Wizard - Finish	73
5.3.7 VPN Advanced Wizard - Scenario	74
5.3.8 VPN Advanced Wizard - Phase 1 Settings	75
5.3.9 VPN Advanced Wizard - Phase 2	76
5.3.10 VPN Advanced Wizard - Summary	77
5.3.11 VPN Advanced Wizard - Finish	78
Dashboard	80
6.1 Overview	80
6.1.1 What You Can Do in this Chapter	80
6.2 The Dashboard Screen	80
6.2.1 The CPU Usage Screen	86
6.2.2 The Memory Usage Screen	86
6.2.3 The Active Sessions Screen	87
6.2.4 The VPN Status Screen	88
6.2.5 The DHCP Table Screen	88
6.2.6 The Number of Login Users Screen	89
Monitor	91
7.1 Overview	91
7.1.1 What You Can Do in this Chapter	91
7.2 The Port Statistics Screen	92
7.2.1 The Port Statistics Graph Screen	93
7.3 The Interface Status Screen	94
7.4 The Traffic Statistics Screen	97
7.5 The Session Monitor Screen	99
7.6 The DDNS Status Screen	101
7.7 The IP/MAC Binding Monitor Screen	101
7.8 The Login Users Screen	102
7.9 The Dynamic Guest Screen	103
7.10 The UPnP Port Status Screen	105
7.11 The USB Storage Screen	106
7.12 The Ethernet Neighbor Screen	107
7.13 The AP List Screen	109
7.13.1 Station Count of AP	110
7.14 The Radio List Screen	112
7.14.1 AP Mode Radio Information	114
7.15 The Station List Screen	115
7.16 Detected Device	116
7.17 The Printer Status Screen	118
7.18 The VPN 1-1 Mapping Status Screen	118
7.18.1 VPN 1-1 Mapping Statistics	119
7.19 The IPSec Monitor Screen	120
7.19.1 Regular Expressions in Searching IPSec SAs	121
7.20 The App Patrol Screen	121
7.21 The Content Filter Screen	123
7.22 The Log Screen	125
7.22.1 View AP Log	127
7.22.2 Dynamic Users Log	129
Licensing	131
8.1 Overview	131
8.1.1 What You Can Do in this Chapter	131
8.1.2 What you Need to Know	131
8.2 Registration Screen	132
8.3 Service Screen	132
8.4 App Patrol Signature Update Screen	133
Wireless	136
9.1 Overview	136
9.1.1 What You Can Do in this Chapter	136
9.1.2 What You Need to Know	136
9.2 Controller Screen	137
9.3 AP Management Screen	137
9.3.1 Edit AP List	139
9.3.2 Port Setting Edit	140
9.3.3 VLAN Add/Edit	141
9.3.4 AP Policy	143
9.4 MON Mode	144
9.4.1 Add/Edit Rogue/Friendly List	145
9.5 Load Balancing	146
9.5.1 Disassociating and Delaying Connections	147
9.6 DCS	148
9.7 Auto Healing	151
9.8 Technical Reference	152
9.8.1 Dynamic Channel Selection	152
9.8.2 Load Balancing	153
Interfaces	154
10.1 Interface Overview	154
10.1.1 What You Can Do in this Chapter	154
10.1.2 What You Need to Know	154
10.2 Port Role Screen	156
10.3 Ethernet Summary Screen	157
10.3.1 Ethernet Edit	159
10.3.2 Object References	165
10.3.3 Add/Edit DHCP Extended Options	166
10.4 PPP Interfaces	168
10.4.1 PPP Interface Summary	169
10.4.2 PPP Interface Add or Edit	170
10.5 VLAN Interfaces	174
10.5.1 VLAN Interface Summary Screen	175
10.5.2 VLAN Interface Add/Edit	176
10.6 Bridge Interfaces	181
10.6.1 Bridge Interface Summary	183
10.6.2 Bridge Interface Add/Edit	184
10.7 Virtual Interfaces	189
10.7.1 Virtual Interfaces Add/Edit	190
10.8 Interface Technical Reference	191
Trunks	195
11.1 Overview	195
11.1.1 What You Can Do in this Chapter	195
11.1.2 What You Need to Know	195
11.2 The Trunk Summary Screen	198
11.2.1 Configuring a User-Defined Trunk	199
11.2.2 Configuring the System Default Trunk	201
Policy and Static Routes	203
12.1 Policy and Static Routes Overview	203
12.1.1 What You Can Do in this Chapter	203
12.1.2 What You Need to Know	203
12.2 Policy Route Screen	205
12.2.1 Policy Route Add/Edit Screen	207
12.3 IP Static Route Screen	211
12.3.1 Static Route Add/Edit Screen	211
12.4 Policy Routing Technical Reference	212
DDNS	214
13.1 DDNS Overview	214
13.1.1 What You Can Do in this Chapter	214
13.1.2 What You Need to Know	214
13.2 The DDNS Screen	215
13.2.1 The Dynamic DNS Add/Edit Screen	216
NAT	219
14.1 NAT Overview	219
14.1.1 What You Can Do in this Chapter	219
14.1.2 What You Need to Know	219
14.2 The NAT Screen	220
14.2.1 The NAT Add/Edit Screen	221
14.3 NAT Technical Reference	224
VPN 1-1 Mapping	226
15.1 VPN 1-1 Mapping Overview	226
15.1.1 What You Can Do in this Chapter	226
15.1.2 What You Need to Know	226
15.2 The VPN 1-1 Mapping General Screen	227
15.2.1 The VPN 1-1 Mapping Edit Screen	228
15.3 The VPN 1-1 Mapping Profile Screen	229
HTTP Redirect	231
16.1 Overview	231
16.1.1 What You Can Do in this Chapter	231
16.1.2 What You Need to Know	231
16.2 The HTTP Redirect Screen	232
16.2.1 The HTTP Redirect Edit Screen	233
SMTP Redirect	235
17.1 Overview	235
17.1.1 What You Can Do in this Chapter	235
17.1.2 What You Need to Know	235
17.2 The SMTP Redirect Screen	236
17.2.1 The SMTP Redirect Edit Screen	237
ALG	239
18.1 ALG Overview	239
18.1.1 What You Can Do in this Chapter	239
18.1.2 What You Need to Know	239
18.1.3 Before You Begin	240
18.2 The ALG Screen	240
UPnP	241
19.1 Overview	241
19.2 What You Need to Know	241
19.2.1 NAT Traversal	241
19.2.2 Cautions with UPnP	242
19.3 UPnP Screen	242
19.4 Technical Reference	243
19.4.1 Using UPnP in Windows XP Example	243
19.4.2 Web Configurator Easy Access	245
IP/MAC Binding	248
20.1 IP/MAC Binding Overview	248
20.1.1 What You Can Do in this Chapter	248
20.1.2 What You Need to Know	248
20.2 IP/MAC Binding Summary	249
20.2.1 IP/MAC Binding Edit	250
20.2.2 Static DHCP Edit	251
20.3 IP/MAC Binding Exempt List	251
Layer 2 Isolation	253
21.1 Overview	253
21.1.1 What You Can Do in this Chapter	253
21.2 Layer-2 Isolation General Screen	254
21.3 White List Screen	254
21.3.1 Add/Edit White List Rule	255
IPnP	257
22.1 Overview	257
22.1.1 What You Can Do in this Chapter	257
22.2 IPnP Screen	258
Web Authentication	259
23.1 Overview	259
23.1.1 What You Can Do in this Chapter	259
23.1.2 What You Need to Know	260
23.2 Web Authentication	260
23.2.1 General Screen	260
23.2.2 User-aware Access Control Example	264
23.2.3 Authentication Type Screen	271
23.2.4 Custom Web Portal / User Agreement File Screen	276
23.3 Walled Garden	277
23.3.1 General Screen	278
23.3.2 URL Base Screen	278
23.3.3 Domain/IP Base Screen	280
23.3.4 Walled Garden Login Example	282
23.4 Advertisement Screen	283
23.4.1 Adding/Editing an Advertisement URL	284
RTLS	286
24.1 Overview	286
24.1.1 What You Can Do in this Chapter	286
24.2 Before You Begin	287
24.3 Configuring RTLS	287
Security Policy	289
25.1 Overview	289
25.1.1 What You Can Do in this Chapter	289
25.1.2 What You Need to Know	290
25.2 Security Policy Control Screen	291
25.2.1 Configuring the Security Policy Control Screen	292
25.2.2 Add/Edit Policy Control Rule	294
25.3 Session Control Screen	296
25.3.1 Add/Edit a Session Limit Rule	298
25.4 Security Policy Configuration Example	299
25.5 Security Policy Example Applications	301
Billing	304
26.1 Overview	304
26.1.1 What You Can Do in this Chapter	304
26.1.2 What You Need to Know	304
26.2 The General Screen	305
26.3 The Billing Profile Screen	307
26.3.1 The Account Generator Screen	308
26.3.2 The Account Redeem Screen	311
26.3.3 The Billing Profile Add/Edit Screen	313
26.4 The Discount Screen	314
26.4.1 The Discount Add/Edit Screen	316
26.5 The Payment Service General Screen	316
26.5.1 The Payment Service Desktop View / Mobile View Screen	318
Printer	322
27.1 Overview	322
27.1.1 What You Can Do in this Chapter	322
27.2 The General Setting Screen	322
27.2.1 Add/Edit Printer Rule	324
27.3 The Printout Configuration Screen	325
27.4 The Printer Manager Screen	326
27.4.1 Edit Printer Manager	327
27.4.2 Reports Overview	328
27.4.3 Key Combinations	328
27.4.4 Daily Account Summary	328
27.4.5 Monthly Account Summary	329
27.4.6 Account Report Notes	330
27.4.7 System Status	330
Free Time	332
28.1 Overview	332
28.1.1 What You Can Do in this Chapter	332
28.2 The Free Time Screen	332
SMS	336
29.1 Overview	336
29.1.1 What You Can Do in this Chapter	336
29.2 The SMS Screen	336
IPSec VPN	338
30.1 Virtual Private Networks (VPN) Overview	338
30.1.1 What You Can Do in this Chapter	338
30.1.2 What You Need to Know	339
30.1.3 Before You Begin	339
30.2 The VPN Connection Screen	340
30.2.1 The VPN Connection Add/Edit Screen	341
30.3 The VPN Gateway Screen	347
30.3.1 The VPN Gateway Add/Edit Screen	348
30.4 IPSec VPN Background Information	354
Bandwidth Management	366
31.1 Overview	366
31.1.1 What You Can Do in this Chapter	366
31.1.2 What You Need to Know	366
31.2 The Bandwidth Management Screen	370
31.2.1 The Bandwidth Management Add/Edit Screen	372
Application Patrol	376
32.1 Overview	376
32.1.1 What You Can Do in this Chapter	376
32.1.2 What You Need to Know	376
32.2 Application Patrol Profile	377
32.2.1 Add/Edit Application Patrol Profile	378
32.2.2 Add/Edit Application Patrol Profile Rule Application	380
Content Filtering	381
33.1 Overview	381
33.1.1 What You Can Do in this Chapter	381
33.1.2 What You Need to Know	381
33.1.3 Before You Begin	382
33.2 Content Filter Profile Screen	383
33.2.1 Add/Edit Content Filter Profile	385
33.3 Content Filter Trusted Web Sites Screen	391
33.4 Content Filter Forbidden Web Sites Screen	392
33.5 Content Filter Technical Reference	393
Zones	395
34.1 Zones Overview	395
34.1.1 What You Can Do in this Chapter	395
34.1.2 What You Need to Know	395
34.2 The Zone Screen	396
34.2.1 Add/Edit Zone	397
User/Group	399
35.1 Overview	399
35.1.1 What You Can Do in this Chapter	399
35.1.2 What You Need To Know	399
35.2 User Summary Screen	401
35.2.1 User Add/Edit Screen	402
35.3 User Group Summary Screen	405
35.3.1 Group Add/Edit Screen	405
35.4 User/Group Setting Screen	406
35.4.1 Default User Settings Edit Screens	409
35.4.2 User Aware Login Example	410
35.5 MAC Address Screen	411
35.5.1 Add/Edit MAC Address	412
35.6 User /Group Technical Reference	413
AP Profile	414
36.1 Overview	414
36.1.1 What You Can Do in this Chapter	414
36.1.2 What You Need To Know	414
36.2 Radio Screen	415
36.2.1 Add/Edit Radio Profile	417
36.3 SSID Screen	420
36.3.1 SSID List	420
36.3.2 Add/Edit SSID Profile	422
36.3.3 Security List	424
36.3.4 Add/Edit Security Profile	425
36.3.5 MAC Filter List	428
36.3.6 Add/Edit MAC Filter Profile	428
MON Profile	430
37.1 Overview	430
37.1.1 What You Can Do in this Chapter	430
37.1.2 What You Need To Know	430
37.2 MON Profile	430
37.2.1 Add/Edit MON Profile	431
37.3 Technical Reference	433
Application	435
38.1 Overview	435
38.1.1 What You Can Do in this Chapter	436
38.2 Application Screen	436
38.2.1 Add Application Rule	437
38.3 Application Group Screen	440
38.3.1 Add Application Group Rule	441
Addresses	442
39.1 Overview	442
39.1.1 What You Can Do in this Chapter	442
39.1.2 What You Need To Know	442
39.2 Address Summary Screen	442
39.2.1 Address Add/Edit Screen	443
39.3 Address Group Summary Screen	444
39.3.1 Address Group Add/Edit Screen	445
Services	447
40.1 Overview	447
40.1.1 What You Can Do in this Chapter	447
40.1.2 What You Need to Know	447
40.2 The Service Summary Screen	448
40.2.1 The Service Add/Edit Screen	449
40.3 The Service Group Summary Screen	450
40.3.1 The Service Group Add/Edit Screen	451
Schedules	453
41.1 Overview	453
41.1.1 What You Can Do in this Chapter	453
41.1.2 What You Need to Know	453
41.2 The Schedule Summary Screen	454
41.2.1 The One-Time Schedule Add/Edit Screen	455
41.2.2 The Recurring Schedule Add/Edit Screen	456
41.3 The Schedule Group Summary Screen	457
41.3.1 The Schedule Group Add/Edit Screen	457
AAA Server	459
42.1 Overview	459
42.1.1 RADIUS Server	459
42.1.2 What You Can Do in this Chapter	459
42.1.3 What You Need To Know	459
42.2 RADIUS Server Summary	460
42.2.1 Adding/Editing a RADIUS Server	460
Authentication Method	464
43.1 Overview	464
43.1.1 What You Can Do in this Chapter	464
43.1.2 Before You Begin	464
43.2 Authentication Method Objects	464
43.2.1 Creating an Authentication Method Object	465
Certificates	467
44.1 Overview	467
44.1.1 What You Can Do in this Chapter	467
44.1.2 What You Need to Know	467
44.1.3 Verifying a Certificate	469
44.2 The My Certificates Screen	470
44.2.1 The My Certificates Add Screen	471
44.2.2 The My Certificates Edit Screen	473
44.2.3 The My Certificates Import Screen	476
44.3 The Trusted Certificates Screen	477
44.3.1 The Trusted Certificates Edit Screen	479
44.3.2 The Trusted Certificates Import Screen	481
ISP Accounts	483
45.1 Overview	483
45.1.1 What You Can Do in this Chapter	483
45.2 ISP Account Summary	483
45.2.1 ISP Account Edit	484
System	486
46.1 Overview	486
46.1.1 What You Can Do in this Chapter	486
46.2 Host Name	487
46.3 USB Storage	487
46.4 Date and Time	488
46.4.1 Pre-defined NTP Time Servers List	491
46.4.2 Time Server Synchronization	491
46.5 Console Port Speed	492
46.6 DNS Overview	493
46.6.1 DNS Server Address Assignment	493
46.6.2 Configuring the DNS Screen	493
46.6.3 Address Record	496
46.6.4 PTR Record	496
46.6.5 Adding an Address/PTR Record	496
46.6.6 CNAME Record	497
46.6.7 Adding a CNAME Record	497
46.6.8 Domain Zone Forwarder	498
46.6.9 Adding a Domain Zone Forwarder	498
46.6.10 MX Record	499
46.6.11 Adding a MX Record	500
46.6.12 Adding a DNS Service Control Rule	500
46.7 WWW Overview	501
46.7.1 Service Access Limitations	501
46.7.2 System Timeout	501
46.7.3 HTTPS	502
46.7.4 Configuring WWW Service Control	502
46.7.5 Service Control Rules	505
46.7.6 Customizing the WWW Login Page	506
46.7.7 HTTPS Example	511
46.8 SSH	518
46.8.1 How SSH Works	519
46.8.2 SSH Implementation on the UAG	520
46.8.3 Requirements for Using SSH	520
46.8.4 Configuring SSH	520
46.8.5 Secure Telnet Using SSH Examples	521
46.9 Telnet	523
46.9.1 Configuring Telnet	523
46.10 FTP	524
46.10.1 Configuring FTP	524
46.11 SNMP	525
46.11.1 Supported MIBs	526
46.11.2 SNMP Traps	527
46.11.3 Configuring SNMP	527
46.12 Authentication Server	528
46.12.1 Add/Edit Trusted RADIUS Client	530
46.13 Language	531
46.14 ZyXEL One Network (ZON) Utility	531
46.14.1 ZyXEL One Network (ZON) System Screen	532
Log and Report	534
47.1 Overview	534
47.1.1 What You Can Do In this Chapter	534
47.2 Email Daily Report	534
47.3 Log Settings Screens	536
47.3.1 Log Settings Summary	537
47.3.2 Edit System Log Settings	538
47.3.3 Edit Log on USB Storage Setting	542
47.3.4 Edit Remote Server Log Settings	543
47.3.5 Log Category Settings Screen	545
File Manager	549
48.1 Overview	549
48.1.1 What You Can Do in this Chapter	549
48.1.2 What you Need to Know	549
48.2 The Configuration File Screen	551

Match case Limit results 1 per page

Chapter 25 Security Policy

UAG Series User’s Guide

290

25.1.2

What You Need to Know

Stateful Inspection

The UAG uses stateful inspection in its security policies. The UAG restricts access by screening data

packets against defined access rules. It also inspects sessions. For example, traffic from one zone is

not allowed unless it is initiated by a computer in another zone first.

Zones

A zone is a group of interfaces. Group the UAG’s interfaces into different zones based on your

needs. You can configure security policies for data passing between zones or even between

interfaces.

Default Security Policy Behavior

Security policies are grouped based on the direction of travel of packets to which they apply. Here is

the default security policy behavior for traffic going through the UAG in various directions.

Note: Intra-zone traffic (such as LAN to LAN traffic or WAN to WAN traffic) can also be

blocked by the zone configuration. See

Section 34.2.1 on page 397

for details.

To-Device Rules

Rules with

Device

as the

To Zone

apply to traffic going to the UAG itself. By default:

•

The security policy allows only LAN, or WAN computers to access or manage the UAG.

•

The UAG allows DHCP traffic from any interface to the UAG.

•

The UAG drops most packets from the WAN zone to the UAG itself and generates a log except for

AH, ESP, GRE, HTTPS, IKE, NATT.

When you configure a security policy for packets destined for the UAG itself, make sure it does not

conflict with your service control rule. See

Chapter 46 on page 486

for more information about

Table 129

Default Security Policy Behavior

FROM ZONE TO ZONE

BEHAVIOR

From any to Device

DHCP traffic from any interface to the UAG is allowed.

From LAN1 to any (other than

the UAG)

Traffic from the LAN1 to any of the networks connected to the UAG is allowed.

From LAN2 to any (other than

the UAG)

Traffic from the LAN2 to any of the networks connected to the UAG is allowed.

From LAN1 to Device

Traffic from the LAN1 to the UAG itself is allowed.

From LAN2 to Device

Traffic from the LAN2 to the UAG itself is allowed.

From WAN to Device

The default services listed in

To-Device Rules on page 290

are allowed from

the WAN to the UAG itself. All other WAN to UAG traffic is dropped.

From any to any

Traffic that does not match any security policy is dropped. This includes traffic

from the WAN to any of the networks behind the UAG.

This also includes traffic to or from interfaces that are not assigned to a zone

(extra-zone traffic).