Zone Based Firewall Lab Tips

  • Define Zones – zone security WORD. This is where you define the zone; think of it as a container.
zone security IN (unique name)
zone security OUT (unique name)
  • Classify the Traffic – class-map type inspect WORD. Uses MQC logic and class maps to classify the traffic.
class-map type inspect match-all HTTP (unique name)
 match protocol http
  • Define the Inspect Policy – policy-map type inspect WORD. Uses an MQC policy map to specify how to treat the classified traffic. Here the inspect action gives CBAC-style stateful inspection; other actions are pass, drop, etc. Note that the action is a sub-command under the class, so it must actually be entered.
policy-map type inspect OUTBOUND_TRAFFIC (unique name)
 class type inspect HTTP (name of class-map above)
  inspect
  • Associate the Policy to a Zone Pair and specify the Service-Policy – Here we say which zones this ‘security rule’ applies between, and in which direction (source to destination).
zone-pair security OUTBOUND (unique name) source IN (name of zone above) destination OUT (name of zone above)
 service-policy type inspect OUTBOUND_TRAFFIC (name of policy-map above)
  • Associate the interfaces to a zone. Here we specify which interfaces are members of which of the zones we have defined.
interface Ethernet1/0
 zone-member security IN

interface Serial1/0
 zone-member security OUT
  • Verification
show policy-map type inspect zone-pair sessions   Shows what is hitting the policy (active sessions) and what is defined per zone pair
show class-map type inspect   Shows all the class maps defined
show policy-map type inspect   Shows the policy-map actions against the class maps
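Every step above references a name defined in an earlier step (zone names in the zone-pair, the class-map name in the policy-map, the policy-map name in the service-policy), and a typo in any of those references silently breaks the rule. The following added example (my own code, not from the original post) parses the five ZBF sections from the lab and reports dangling references, zone pairs with no service-policy attached, classes with no explicit action, and zones with no member interfaces. It assumes the plain IOS command forms shown on this page and standard IOS indentation (sub-commands indented by at least one space); both sample configs are constructed, the second with deliberate typos.

```python
"""Cross-reference checker for a Cisco IOS Zone-Based Firewall config (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class ZbfConfig:
    zones: set = field(default_factory=set)
    class_maps: set = field(default_factory=set)
    policy_classes: dict = field(default_factory=dict)  # policy-map -> [class names]
    policy_actions: dict = field(default_factory=dict)  # (policy-map, class) -> action
    zone_pairs: dict = field(default_factory=dict)      # name -> [src, dst, service-policy or None]
    zone_members: dict = field(default_factory=dict)    # zone -> [interfaces]


TOP_LEVEL = [  # top-level command forms used on this page, in the order they are tried
    ("zone", re.compile(r"zone security (\S+)$")),
    ("class-map", re.compile(r"class-map type inspect (?:match-(?:all|any) )?(\S+)$")),
    ("policy", re.compile(r"policy-map type inspect (\S+)$")),
    ("pair", re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)$")),
    ("intf", re.compile(r"interface (\S+)$")),
]
ACTIONS = {"inspect", "pass", "drop", "drop log", "pass log"}


def parse_zbf(text):
    cfg = ZbfConfig()
    section = None        # (kind, name) of the enclosing top-level block
    current_class = None  # class currently open inside a policy-map
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[:1] not in (" ", "\t"):           # top-level command starts a new block
            section, current_class = None, None
            for kind, rx in TOP_LEVEL:
                m = rx.match(line)
                if not m:
                    continue
                if kind == "zone":
                    cfg.zones.add(m.group(1))
                elif kind == "class-map":
                    cfg.class_maps.add(m.group(1))
                elif kind == "policy":
                    cfg.policy_classes.setdefault(m.group(1), [])
                    section = (kind, m.group(1))
                elif kind == "pair":
                    cfg.zone_pairs[m.group(1)] = [m.group(2), m.group(3), None]
                    section = (kind, m.group(1))
                else:
                    section = (kind, m.group(1))
                break
            continue
        if section is None:                       # e.g. "match protocol" under a class-map
            continue
        kind, name = section
        if kind == "policy":
            m = re.match(r"class (?:type inspect )?(\S+)$", line)
            if m:
                current_class = m.group(1)
                cfg.policy_classes[name].append(current_class)
            elif current_class and line in ACTIONS:
                cfg.policy_actions[(name, current_class)] = line
        elif kind == "pair":
            m = re.match(r"service-policy type inspect (\S+)$", line)
            if m:
                cfg.zone_pairs[name][2] = m.group(1)
        elif kind == "intf":
            m = re.match(r"zone-member security (\S+)$", line)
            if m:
                cfg.zone_members.setdefault(m.group(1), []).append(name)
    return cfg


def check_zbf(cfg):
    """Return a list of human-readable problems; an empty list means the chain is consistent."""
    problems = []
    for pair, (src, dst, pol) in cfg.zone_pairs.items():
        for z in (src, dst):
            if z != "self" and z not in cfg.zones:
                problems.append(f"zone-pair {pair}: zone {z} is not defined")
        if pol is None:
            problems.append(f"zone-pair {pair}: no service-policy attached")
        elif pol not in cfg.policy_classes:
            problems.append(f"zone-pair {pair}: policy-map {pol} is not defined")
    for pol, classes in cfg.policy_classes.items():
        for c in classes:
            if c != "class-default" and c not in cfg.class_maps:
                problems.append(f"policy-map {pol}: class-map {c} is not defined")
            if (pol, c) not in cfg.policy_actions:
                problems.append(f"policy-map {pol}: class {c} has no explicit action (inspect/pass/drop)")
    for z in sorted(cfg.zones):
        if z not in cfg.zone_members:
            problems.append(f"zone {z}: no interface is a member")
    return problems


# Constructed sample: the lab config from this page, assembled in one place.
GOOD_CONFIG = """zone security IN
zone security OUT
class-map type inspect match-all HTTP
 match protocol http
policy-map type inspect OUTBOUND_TRAFFIC
 class type inspect HTTP
  inspect
zone-pair security OUTBOUND source IN destination OUT
 service-policy type inspect OUTBOUND_TRAFFIC
interface Ethernet1/0
 zone-member security IN
interface Serial1/0
 zone-member security OUT
"""

# Constructed sample with three deliberate mistakes: misspelled zone and policy-map
# names in the zone-pair, and the inspect action left off the class.
TYPO_CONFIG = GOOD_CONFIG.replace("  inspect\n", "").replace(
    "destination OUT\n", "destination OUTSIDE\n").replace(
    "service-policy type inspect OUTBOUND_TRAFFIC", "service-policy type inspect OUTBOUND_TRAFIC")

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("typo", TYPO_CONFIG)):
        print(label, check_zbf(parse_zbf(text)) or "OK")
```

Run it before pasting a lab config into the router: the typo config reports the undefined zone, the undefined policy-map and the action-less class, while the page's own config comes back clean. The checker only validates the name chain; it does not replace the show commands above, which confirm what the router actually installed.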
