Enable ZBFW

From DocWiki

Latest revision as of 01:03, 24 June 2010



ZBFW (Zone-Based Firewall) is a feature set of the IOS firewall (IOSFW) in which the router interfaces are assigned to zones according to the security requirement, so inspection is applied to traffic moving between zones rather than between interfaces. This gives more flexibility than CBAC. In CBAC, inspection policies and ACL rules define the IOSFW feature set, but they apply to all traffic entering or leaving a given router interface. In ZBFW, object-groups or ACLs select the traffic of interest, and class-maps and policy-maps apply the inspection to it, which is more flexible than CBAC. Also, with CBAC, multiple inspection rules and ACLs spread over several router interfaces make it hard to work out which policies will apply to a traffic flow between a given pair of interfaces.

ZBFW offers the following features:

  • Application inspection
  • Stateful inspection
  • Local URL filtering
  • Transparent firewall

Things to remember about ZBFW

  • Policies configured from one zone to another are unidirectional.
  • By default the traffic flow between zones (inter-zone) is "DENY ALL".
  • By default the traffic flow to or from the "SELF" zone to another zone is "ALLOW ALL"; it can be restricted with class-maps and their respective actions.
  • By default the traffic flow within a zone (intra-zone) is "ALLOW ALL", and it cannot be restricted or inspected.
  • An interface can be assigned to only one security zone.
  • Traffic cannot flow between a zone-member interface and an interface that is not a zone-member, so every interface should be assigned to a zone.
  • Multiple classes, each with its own action, can be applied per zone-pair.

Steps to configure ZBFW

  • Identify and define the network zones.
  • Determine the traffic flows between the respective zones.
  • Define class-maps that describe the traffic between zones.
  • Associate the class-maps with policy-maps to define the action for each traffic flow.
  • Set up zone-pairs for any policy other than the default deny-all.
  • Assign the policy-maps to the zone-pairs.
  • Assign the interfaces to zones.
  • Finally, validate the configuration by passing some of the traffic of interest.


Topology: Server ----- R1 (ZBFW) ----- Client

  Client :-
  R1 LAN interface :-
  R1 WAN interface :-
  Server :-


Step 1: define the security zones.

ZBFW(config)#zone security out
ZBFW(config)#zone security in

Step 2: define the traffic of interest. The ACL here permits all IP traffic; a tighter ACL limits what the inspect class can match.

ZBFW(config)#ip access-list extended insp-traffic
ZBFW(config-ext-nacl)#permit ip any any

Step 3: build the class-maps. The first class matches the ACL, the second matches the protocols to inspect, and the match-all class requires both.

ZBFW(config)#class-map type inspect match-any insp-traffic
ZBFW(config-cmap)#match access-group name insp-traffic

ZBFW(config)#class-map type inspect match-any insp-traffic-protocol
ZBFW(config-cmap)#match protocol tcp
ZBFW(config-cmap)#match protocol udp
ZBFW(config-cmap)#match protocol icmp

ZBFW(config)#class-map type inspect match-all inspection-outbound
ZBFW(config-cmap)#match class-map insp-traffic
ZBFW(config-cmap)#match class-map insp-traffic-protocol

Step 4: build the policy-map and give the class the inspect action. Traffic that matches no class falls into class-default, which drops by default.

ZBFW(config)#policy-map type inspect outbound
ZBFW(config-pmap)#class type inspect inspection-outbound
ZBFW(config-pmap-c)#inspect

Step 5: create the zone-pair from in to out and attach the policy. Return traffic of inspected sessions is allowed automatically; sessions initiated from the out side would need their own out-to-in zone-pair and policy.

ZBFW(config)#zone-pair security in-out source in destination out
ZBFW(config-sec-zone-pair)#service-policy type inspect outbound

Step 6: assign the interfaces to their zones.

ZBFW(config)#int f0/0
ZBFW(config-if)#zone-member security out

ZBFW(config)#int f0/1
ZBFW(config-if)#zone-member security in
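The rules under "Things to remember about ZBFW" are easy to break when a configuration grows (an interface left out of any zone, a zone-pair created but never given a policy, a policy-map class with no action). The following Python script is an added example, not code from the DocWiki page or from Cisco: it parses the zone-related lines of a running-config and reports those conditions. The sample configuration is constructed here in running-config form from the steps above, with an extra zone-pair out-in and an interface FastEthernet0/2 added (neither is on the page) so the checks have something to report.

```python
"""Static checks for an IOS Zone-Based Firewall running-config.

Added example, not code from the DocWiki page or from Cisco. It parses the
zone-related lines of a running-config and checks rules the page lists: an
interface that is not a zone-member cannot exchange traffic with zoned
interfaces, an interface belongs to one zone only, a zone-pair with no
service-policy is left at the inter-zone default of deny-all, and a
policy-map class without an action falls through to class-default drop.
"""
import re

# Constructed sample in running-config form: the page's configuration plus a
# zone-pair without a policy and an interface without a zone (both added here,
# not on the page) so that the checks have something to report.
SAMPLE_CONFIG = """\
zone security out
zone security in
policy-map type inspect outbound
 class type inspect inspection-outbound
  inspect
 class class-default
  drop
zone-pair security in-out source in destination out
 service-policy type inspect outbound
zone-pair security out-in source out destination in
interface FastEthernet0/0
 zone-member security out
interface FastEthernet0/1
 zone-member security in
interface FastEthernet0/2
 description not assigned to any zone
"""

ZONE_RE = re.compile(r"zone security (\S+)$")
PAIR_RE = re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)$")
PMAP_RE = re.compile(r"policy-map type inspect (\S+)$")
IFACE_RE = re.compile(r"interface (\S+)$")
CLASS_RE = re.compile(r"class (?:type inspect )?(\S+)$")


def parse_config(text):
    """Collect zones, zone-pairs, policy-map class actions and interface zones."""
    cfg = {"zones": set(), "zone_pairs": {}, "policy_maps": {}, "interfaces": {}}
    section = None        # (kind, name) of the enclosing top-level command
    current_class = None  # class currently open inside a policy-map
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # a top-level command starts a new section
            current_class, section = None, None
            if m := ZONE_RE.match(line):
                cfg["zones"].add(m.group(1))
            elif m := PAIR_RE.match(line):
                cfg["zone_pairs"][m.group(1)] = {"source": m.group(2), "destination": m.group(3), "policy": None}
                section = ("zone-pair", m.group(1))
            elif m := PMAP_RE.match(line):
                cfg["policy_maps"][m.group(1)] = {}
                section = ("policy-map", m.group(1))
            elif m := IFACE_RE.match(line):
                cfg["interfaces"][m.group(1)] = []
                section = ("interface", m.group(1))
            continue
        if section is None:
            continue
        kind, name = section
        sub = line.strip()
        if kind == "zone-pair" and (m := re.match(r"service-policy type inspect (\S+)$", sub)):
            cfg["zone_pairs"][name]["policy"] = m.group(1)
        elif kind == "policy-map":
            if m := CLASS_RE.match(sub):
                current_class = m.group(1)
                cfg["policy_maps"][name][current_class] = None   # no action seen yet
            elif current_class and sub.split()[0] in {"inspect", "pass", "drop"}:
                cfg["policy_maps"][name][current_class] = sub.split()[0]
        elif kind == "interface" and (m := re.match(r"zone-member security (\S+)$", sub)):
            cfg["interfaces"][name].append(m.group(1))
    return cfg


def check_zbfw(cfg):
    """Return (severity, message) findings for the rules described on the page."""
    findings = []
    for ifname, zones in cfg["interfaces"].items():
        if not zones:
            findings.append(("warn", f"{ifname}: not a zone-member, cannot pass traffic to any zoned interface"))
        elif len(zones) > 1:
            findings.append(("error", f"{ifname}: member of more than one zone {zones}"))
        for z in zones:
            if z not in cfg["zones"]:
                findings.append(("error", f"{ifname}: zone {z} is not defined"))
    for name, zp in cfg["zone_pairs"].items():
        if zp["policy"] is None:
            findings.append(("warn", f"zone-pair {name}: no service-policy, inter-zone default deny-all applies"))
        elif zp["policy"] not in cfg["policy_maps"]:
            findings.append(("error", f"zone-pair {name}: policy-map {zp['policy']} is not defined"))
    for pname, classes in cfg["policy_maps"].items():
        for cname, action in classes.items():
            if action is None:
                findings.append(("warn", f"policy-map {pname} class {cname}: no action, falls through to class-default drop"))
    return findings


if __name__ == "__main__":
    for severity, message in check_zbfw(parse_config(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run against the sample it reports two findings: FastEthernet0/2 is in no zone, and zone-pair out-in has no service-policy, so the deny-all default still applies to connections started from the out side. The parser only understands the zone, zone-pair, policy-map and interface blocks; feed it `show running-config` output and ignore the rest of the file.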



Related show Commands

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

ZBFW#sh policy-map type inspect zone-pair in-out sessions

Zone-pair: in-out

 Service-policy inspect : outbound
   Class-map: inspection-outbound (match-all)
     Match: class-map match-any insp-traffic
       Match: access-group name insp-traffic
         4 packets, 135 bytes
         30 second rate 0 bps
     Match: class-map match-any insp-traffic-protocol
       Match: protocol tcp
         1 packets, 28 bytes
         30 second rate 0 bps
       Match: protocol udp
         2 packets, 67 bytes
         30 second rate 0 bps
       Match: protocol icmp
         1 packets, 40 bytes
         30 second rate 0 bps
       Established Sessions
        Session 669F65F4 (>( tcp SIS_OPEN
         Created 00:00:18, Last heard 00:00:13
         Bytes sent (initiator:responder) [45:84]
        Session 669F6064 (>( icmp SIS_OPEN
         Created 00:02:14, Last heard 00:00:00
          ECHO request
         Bytes sent (initiator:responder) [4320:4288]
   Class-map: class-default (match-any)
     Match: any
     Drop (default action)
       1 packets, 219 bytes
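The session output above is what an operator reads to confirm that the inspect class is seeing traffic and that nothing unexpected is landing in class-default. The following Python script is an added example, not code from the DocWiki page or from Cisco: it parses that output into per-class match counters, established sessions and the class-default drop counter, then summarises what is worth watching. The sample text is constructed from the output above; the initiator and responder addresses in the Session lines (which the page does not show) are placeholders from the documentation address ranges.

```python
"""Parse 'show policy-map type inspect zone-pair <name> sessions' output.

Added example, not code from the DocWiki page or from Cisco. The counters tell
whether the inspect class is matching, the sessions show what the firewall is
currently tracking, and a growing class-default drop counter means traffic
that no inspect class covers is arriving at the zone-pair.
"""
import re

# Constructed sample built from the page's output; the addresses in the
# Session lines are placeholders (RFC 5737 documentation ranges), not from the page.
SAMPLE_OUTPUT = """\
Zone-pair: in-out
 Service-policy inspect : outbound
   Class-map: inspection-outbound (match-all)
     Match: class-map match-any insp-traffic
       Match: access-group name insp-traffic
         4 packets, 135 bytes
         30 second rate 0 bps
     Match: class-map match-any insp-traffic-protocol
       Match: protocol tcp
         1 packets, 28 bytes
         30 second rate 0 bps
       Match: protocol udp
         2 packets, 67 bytes
         30 second rate 0 bps
       Match: protocol icmp
         1 packets, 40 bytes
         30 second rate 0 bps
       Established Sessions
        Session 669F65F4 (192.0.2.10:1034)=>(198.51.100.5:23) tcp SIS_OPEN
         Created 00:00:18, Last heard 00:00:13
         Bytes sent (initiator:responder) [45:84]
        Session 669F6064 (192.0.2.10:8)=>(198.51.100.5:0) icmp SIS_OPEN
         Created 00:02:14, Last heard 00:00:00
          ECHO request
         Bytes sent (initiator:responder) [4320:4288]
   Class-map: class-default (match-any)
     Match: any
     Drop (default action)
       1 packets, 219 bytes
"""

CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \((match-\w+)\)$")
MATCH_RE = re.compile(r"^\s*Match: (.+)$")
DROP_RE = re.compile(r"^\s*Drop \(default action\)$")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes$")
SESSION_RE = re.compile(r"^\s*Session (\w+) \(([^)]+)\)=>\(([^)]+)\) (\w+) (\w+)$")
BYTES_RE = re.compile(r"^\s*Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]$")


def parse_sessions(text):
    """Return {class name: {type, counters, sessions, drops}} from the show output."""
    classes = {}
    current = None      # dict of the class-map currently being read
    last_label = None   # the Match line (or "drop") that the next counter belongs to
    session = None      # the Session entry currently being read
    for line in text.splitlines():
        if m := CLASS_RE.match(line):
            current = {"type": m.group(2), "counters": {}, "sessions": [], "drops": None}
            classes[m.group(1)] = current
            last_label, session = None, None
        elif current is None:
            continue
        elif m := MATCH_RE.match(line):
            last_label = m.group(1)
        elif DROP_RE.match(line):
            last_label = "drop"
        elif m := COUNT_RE.match(line):
            pkts, nbytes = int(m.group(1)), int(m.group(2))
            if last_label == "drop":
                current["drops"] = (pkts, nbytes)
            elif last_label:
                current["counters"][last_label] = (pkts, nbytes)
        elif m := SESSION_RE.match(line):
            session = {"id": m.group(1), "initiator": m.group(2), "responder": m.group(3),
                       "protocol": m.group(4), "state": m.group(5), "bytes": None}
            current["sessions"].append(session)
        elif session and (m := BYTES_RE.match(line)):
            session["bytes"] = (int(m.group(1)), int(m.group(2)))
    return classes


def summarize(classes):
    """Open session count and the class-default drop counter, for a quick health check."""
    open_sessions = [s for c in classes.values() for s in c["sessions"] if s["state"] == "SIS_OPEN"]
    drops = classes.get("class-default", {}).get("drops") or (0, 0)
    return {"open_sessions": len(open_sessions), "dropped_packets": drops[0], "dropped_bytes": drops[1]}


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE_OUTPUT)
    for name, info in parsed.items():
        print(name, info["counters"], "sessions:", len(info["sessions"]), "drops:", info["drops"])
    print(summarize(parsed))
```

The summary for the sample is two open sessions (one tcp, one icmp) and one packet of 219 bytes dropped by class-default, which is the packet that matched neither the ACL class nor the protocol class. Polling this output over time and alerting on a rising class-default drop counter is a simple way to notice traffic that the inspection policy was not written for.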

Related Information

Technical Support & Documentation - Cisco Systems
