This document describes the configuration model for the Cisco IOS® Firewall feature set, Zone-Based Policy Firewall (ZFW).

There are no specific requirements for this document.

This document is not restricted to specific software and hardware versions. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Zone-Based Policy Overview

Cisco IOS Classic Firewall stateful inspection (formerly known as Context-Based Access Control, or CBAC) employed an interface-based configuration model, in which a stateful inspection policy was applied to an interface. All traffic passing through that interface received the same inspection policy. This configuration model limited the granularity of the firewall policies and caused confusion about the proper application of firewall policies, particularly in scenarios where firewall policies must be applied between multiple interfaces.

Zone-Based Policy Firewall (also known as Zone-Policy Firewall, or ZFW) changes the firewall configuration from the older interface-based model to a more flexible, more easily understood zone-based model. Interfaces are assigned to zones, and inspection policy is applied to traffic that moves between the zones. This new configuration model offers intuitive policies for multiple-interface routers, increased granularity of firewall policy application, and a default deny-all policy that prohibits traffic between firewall security zones until an explicit policy is applied to allow desirable traffic.

Nearly all classic Cisco IOS Firewall features implemented before Cisco IOS Software Release 12.4(6)T are supported in the new zone-based policy inspection interface:

Cisco IOS Software Release 12.4(9)T added ZFW support for per-class session/connection and throughput limits, as well as application inspection and control:
- Post Office Protocol (POP3), Internet Mail Access Protocol (IMAP), Simple Mail Transfer Protocol/Enhanced Simple Mail Transfer Protocol (SMTP/ESMTP)

Cisco IOS Software Release 12.4(11)T added statistics for easier DoS protection tuning.

Some Cisco IOS Classic Firewall features and capabilities are not yet supported in a ZFW in Cisco IOS Software Release 12.4(15)T:

ZFW generally improves Cisco IOS performance for most firewall inspection activities.

Neither Cisco IOS ZFW nor Classic Firewall include stateful inspection support for multicast traffic.
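The zone model described above, as an added configuration example that is not part of this page or of Cisco's documentation: two security zones, one router interface in each, a class map that selects the protocols to inspect, and a single zone pair that applies the policy in the INSIDE to OUTSIDE direction only, so the default deny-all handles everything else. The interface names, addresses, zone, class and policy names, and the session and rate limits are assumptions chosen for illustration. The example also goes slightly beyond the text by showing the per-class session and throughput limits that the page attributes to 12.4(9)T, a parameter map with half-open connection thresholds for DoS protection tuning, and the show commands used to read the session statistics.

```text
! Zones: every inspected interface is a member of exactly one security zone.
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Untrusted WAN / Internet
!
! Interface names and addresses are assumed for this example.
interface GigabitEthernet0/0
 description LAN
 ip address 192.0.2.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN
 ip address 198.51.100.2 255.255.255.252
 zone-member security OUTSIDE
!
! Parameter map: per-class session limit plus half-open (embryonic)
! connection thresholds used for DoS protection tuning. Values are
! illustrative, not recommendations.
parameter-map type inspect PM-WEB
 sessions maximum 500
 max-incomplete high 400
 max-incomplete low 300
 tcp synwait-time 10
!
! Class maps: which traffic the policy applies to. Only these protocols
! from INSIDE are inspected; their return traffic is allowed by state.
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
 match protocol dns
!
class-map type inspect match-any CM-ICMP
 match protocol icmp
!
! Policy map: the action per class. Anything not matched above lands in
! class-default, which drops and logs it.
policy-map type inspect PM-IN-OUT
 class type inspect CM-WEB
  inspect PM-WEB
  police rate 8000000 burst 150000
 class type inspect CM-ICMP
  inspect
 class class-default
  drop log
!
! Zone pair: direction matters. This pair covers INSIDE -> OUTSIDE only.
! Because no OUTSIDE -> INSIDE pair exists, unsolicited traffic from
! OUTSIDE is dropped by the default deny-all between zones; replies to
! sessions inspected here are permitted by the stateful inspection.
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT
!
! Traffic to and from the router itself belongs to the implicit "self"
! zone, which this pair does not cover and which is permitted by default.
!
! Verification: zone membership, the pair, and per-class session and
! drop statistics that show whether the limits above are being hit.
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair IN-OUT
! show policy-map type inspect zone-pair IN-OUT sessions
```

Two points worth checking after applying a policy like this: confirm with `show zone security` that every interface carrying user traffic is a zone member (an interface left out of all zones cannot exchange traffic with zoned interfaces), and watch the class-default drop counters in `show policy-map type inspect zone-pair IN-OUT` to find legitimate protocols that the class maps forgot rather than loosening the default deny.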