| 摘要 |
In one embodiment, a network management module converts zone policies for a network into access sets and access set lists. The network management module can define access sets for a collection of peripheral processing devices that share the same communication restrictions imposed by the zone policies. The network management module can allocate address blocks for each access set such that at least some of the peripheral processing devices in the same access can share a common address prefix. The network management module can define access sets lists such that each access set references an access set list that includes all the peripheral processing devices in the network that can communicate with the peripheral processing devices in the referencing access set. The network management module can apply access sets and access set lists in generating or updating firewall filter rules, and in some embodiments, the access sets can be expressed in terms of the one or more common address prefixes. The conversion of zone policies into access sets and access set lists can, for example, improve the efficiency of zone policy conversion and the optimal state of the firewall filter rules, which can result in reduced disruptions from logins or logouts of peripheral processing devices, and/or faster responses to post-login queries by newly-connected peripheral processing devices concerning the restrictions on its communications.
|
