ccie.nyquist.eu
Zone Based Firewall

Last updated 3 years ago

Was this helpful?

Basics

A Zone Based Firewall uses the same stateful inspection engine as CBAC, but applies policy to security zones instead of to individual interfaces. A zone groups one or more interfaces. By default, traffic is allowed between interfaces in the same zone, but traffic between interfaces in different zones is dropped unless a zone pair with a policy permits it. A zone pair is unidirectional: it names a source zone and a destination zone, and the policy attached to it controls only the traffic flowing in that direction. An interface that belongs to no zone can only exchange traffic with other non-zoned interfaces (and with the router itself), not with interfaces in a zone. A special zone called "self" is created automatically for traffic generated by or destined to the router itself; traffic to and from "self" is allowed by default and is only restricted once a zone pair involving "self" has a policy attached to it. Zone Based Policy Firewall uses a syntax similar to the MQC (class-map / policy-map / service-policy) used in QoS.

Configuration

Define the Policy

! Create a class (match-any: any one criterion matches; match-all: every criterion must match)
R(config)# class-map type inspect [match-any | match-all] CLASS
R(config-cmap)# match {access-group ACL | protocol PROTOCOL | class-map CHILD-CLASS}
! Create the policy and reference the class
R(config)# policy-map type inspect POLICY
R(config-pmap)# class type inspect CLASS
! Define the action for the class. Traffic that matches no class falls into class-default, which drops it by default.
! inspect: stateful inspection (the CBAC engine); the parameter-map is optional, the default one is used if omitted
R(config-pmap-c)# inspect [PARAMETER-MAP]
! police: optional rate limiting, only valid together with inspect
R(config-pmap-c)# police rate CIR burst BC
! drop: drops the packets, optionally logging them
R(config-pmap-c)# drop [log]
! pass: forwards the packets statelessly (no session entry is created for the return traffic)
R(config-pmap-c)# pass
! urlfilter: HTTP URL filtering, used together with inspect
R(config-pmap-c)# urlfilter URL-PARAM-MAP

A parameter map defines the parameters of the inspection engine (timeouts, session limits, alerts, audit trail) or of the URL filtering engine, and is referenced from the inspect or urlfilter action of a policy.

! Define the parameter-map for inspection:
R(config)# parameter-map type inspect [PROTOCOL] {PARAMETER-MAP | global | default}
! PROTOCOL-specific options can be set inside a protocol parameter-map; "global" changes the defaults for all inspection
! > Start defining the inspection parameters (e.g. tcp idle-time, udp idle-time, sessions maximum, alert, audit-trail):
R(config-profile)# ?
! Define the parameter-map for URL filtering:
R(config)# parameter-map type urlfilter URL-PARAM-NAME
! > Start defining the URL filtering parameters (filtering server, cache, allow-mode):
R(config-profile)# ?

Create the zones

R(config)# zone security ZONE-NAME
R(config-sec-zone)# description DESCRIPTION

Add interface to a zone

R(config-if)# zone-member security ZONE-NAME

Create Zone Pairs and attach policy

R(config)# zone-pair security ZONE-PAIR-NAME source {ZONE|self} destination {ZONE|self}
! Attach the policy to the zone pair (one direction only; the reverse direction needs its own zone pair)
R(config-sec-zone-pair)# service-policy type inspect POLICY

Be aware that as soon as an interface is added to a zone, all traffic between it and interfaces in other zones is dropped unless a zone pair with a policy explicitly permits it; traffic that matches no class in that policy falls into class-default, which drops it. A common mistake is to apply a policy on only one zone pair (from zone A to zone B) and none on the return direction (from zone B to zone A). This is harmless when the action is inspect, because inspection is stateful and return traffic for inspected sessions is allowed automatically, but pass is stateless: if the policy only passes traffic, the return traffic is dropped unless a service-policy on the reverse zone pair explicitly permits it as well.
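A complete configuration that ties the steps above together and shows the return-direction problem just described, as an added example that is not from the original page. The zone, interface, ACL, class-map and policy-map names, the addresses and the choice of an IPsec concentrator in a DMZ are all assumptions chosen for illustration.

```cisco
! Added worked example, not from the original page. Zone, interface, ACL,
! class and policy names and all addresses are assumptions for illustration.
!
! --- Zones --------------------------------------------------------------
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Untrusted WAN
zone security DMZ
 description VPN concentrator segment
!
! --- Interface membership ----------------------------------------------
! An interface that is in no zone cannot exchange traffic with any zoned
! interface, so every routed interface is placed in a zone.
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 ip address 192.0.2.1 255.255.255.0
 zone-member security DMZ
!
! --- Classes ------------------------------------------------------------
class-map type inspect match-any CM-USER-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
! IPsec to the concentrator (192.0.2.10): ISAKMP UDP/500, NAT-T UDP/4500
! and ESP (IP protocol 50). ESP has no ports or state to inspect, so it
! has to be passed, not inspected.
ip access-list extended ACL-IPSEC-IN
 permit udp any host 192.0.2.10 eq isakmp
 permit udp any host 192.0.2.10 eq non500-isakmp
 permit esp any host 192.0.2.10
ip access-list extended ACL-IPSEC-OUT
 permit udp host 192.0.2.10 eq isakmp any
 permit udp host 192.0.2.10 eq non500-isakmp any
 permit esp host 192.0.2.10 any
class-map type inspect match-all CM-IPSEC-IN
 match access-group name ACL-IPSEC-IN
class-map type inspect match-all CM-IPSEC-OUT
 match access-group name ACL-IPSEC-OUT
! SSH to the router itself, from the LAN only
ip access-list extended ACL-SSH-TO-ROUTER
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
class-map type inspect match-all CM-SSH-TO-ROUTER
 match access-group name ACL-SSH-TO-ROUTER
!
! --- Inspection parameters (optional tuning of the stateful engine) -----
parameter-map type inspect PM-INSPECT
 tcp idle-time 1800
 udp idle-time 30
!
! --- Policies (class-default dropped explicitly, with logging) ----------
policy-map type inspect PO-INSIDE-TO-OUTSIDE
 class type inspect CM-USER-TRAFFIC
  inspect PM-INSPECT
 class class-default
  drop log
policy-map type inspect PO-IPSEC-IN
 class type inspect CM-IPSEC-IN
  pass
 class class-default
  drop log
policy-map type inspect PO-IPSEC-OUT
 class type inspect CM-IPSEC-OUT
  pass
 class class-default
  drop log
policy-map type inspect PO-INSIDE-TO-SELF
 class type inspect CM-SSH-TO-ROUTER
  pass
 class class-default
  drop log
!
! --- Zone pairs: each one covers a single direction --------------------
zone-pair security ZP-INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PO-INSIDE-TO-OUTSIDE
! No OUTSIDE->INSIDE pair is needed: inspect is stateful, replies to the
! sessions above are allowed back, and unsolicited inbound traffic is dropped.
zone-pair security ZP-OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PO-IPSEC-IN
! pass is stateless: the concentrator's ISAKMP replies and its outbound ESP
! need their own pass policy on the reverse pair, otherwise the tunnel
! never comes up.
zone-pair security ZP-DMZ-OUTSIDE source DMZ destination OUTSIDE
 service-policy type inspect PO-IPSEC-OUT
! self zone: only SSH from the LAN may reach the router from INSIDE. The
! router's replies (self -> INSIDE) and traffic between self and the other
! zones stay allowed by default until a pair involving self gets a policy.
zone-pair security ZP-INSIDE-SELF source INSIDE destination self
 service-policy type inspect PO-INSIDE-TO-SELF
```

After applying it, check the pairs and their policies with show zone-pair security, and watch the sessions the inspect engine is tracking with show policy-map type inspect zone-pair sessions; the IPsec pairs will show no sessions, because pass creates none, which is exactly why the DMZ to OUTSIDE pair has to exist.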