
Showing posts from September, 2015

Zone Base Firewall Policy - self zone

In my last post I tested some features of ZBFP, how traffic is processed by the firewall, and what happens when some interfaces are not part of the ZBFP configuration. Today I’d like to test the ‘self zone’ because it works a bit differently. I’m going to work on the configuration from my last post.


As you remember, I created a policy for traffic from R2 to R3. I also tested a connection from R2 to R4 and it didn’t work (R4 is not a member of any zone), but traffic from R5 to R4 is allowed (neither is a member of any zone).

With the ‘self zone’ it works a bit differently. Let’s do one test:

R2->R1:
R2#ping 2.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/95/128 ms
R2#

R5->R1:
R5#ping 5.5.5.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/122/132 ms
R5#
As you see both flows are permitted d…

Zone Base Firewall Policy

ZBFP is the successor of CBAC and is the most flexible firewall implementation available on IOS. The main idea is to think in terms of zones, not physical interfaces. With CBAC you couldn’t build a policy based on flow or direction: for example, a policy applied on the OUTSIDE interface works the same for traffic to the DMZ and to the LAN. ZBFP can easily separate these flows, so you can have two different rules depending on the outbound interface. Let’s test one scenario:


I’m going to add a policy for traffic from R2 to R3. Only telnet and icmp should be allowed.
First I create a class map and a policy map:
!
class-map type inspect match-any CM-ICMP-TCP
 match protocol icmp
 match protocol tcp
!
policy-map type inspect PM-ICMP-TCP
 class type inspect CM-ICMP-TCP
  inspect
 class class-default
!
and then zones and a service policy:
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security INS->OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-ICMP-TCP
!
Last step is to add interfaces to …