Zone-Based Firewall Design question

Answered Question
Jun 28th, 2010

Hi all,



I am planning to use ZBFW in my network but I face a problem with "extending the legs" for ZBFW. I have two routers: Router A is an L3 switch and is configured with all the IPs, VLANs and the current ACL list. Router B will be added to the existing topology and configured with ZBFW. All traffic is expected to flow through Router B before reaching Router A.


Once I have created the different zones on Router B, how can I apply this configuration so that I can control traffic between different VLANs in Router A? From the Cisco documentation, as I understand it, Cisco expects all the individual VLANs and the zone-based configuration to be on the same router, not on separate ones.


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml


Thank you very much in advance.


Mike.

Correct Answer by Kevin Redmon, Fri, 07/02/2010 - 10:50 (about 6 years 7 months ago)

Mike,


I'm slightly confused about the topology based on your description below.  Please confirm if this is indeed your topology:


ClientVlanX -> Router A (L3 Switch) -> Router B (with ZBF) -> Internet
ClientVlanY ->


If you trunk the link between Router A and Router B to include multiple VLANs (i.e. X and Y), you can configure sub-interfaces on Router B. With the sub-interfaces, you can assign each sub-interface to a different zone. You would then specify different zone policies that define what traffic is allowed between ZoneXY and ZoneYX.


If this doesn't completely answer your question, please provide me more information about your topology and requirements and I'll do what I can to assist.


Best Regards,

Kevin
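
The design Kevin describes, written out as a Router B configuration. This is an added example, not configuration from the original post or from Cisco: the VLAN IDs (10 for ZoneX, 20 for ZoneY), the RFC 1918 and documentation-range addresses, the interface names GigabitEthernet0/0 and 0/1, and the zone, class-map, policy-map and ACL names are all assumptions chosen for illustration. It assumes Router A carries VLANs 10 and 20 to Router B over an 802.1Q trunk and that Router B's sub-interfaces are the default gateways for those VLANs; if Router A kept its own routed SVIs for the VLANs, inter-VLAN traffic would be forwarded on Router A and never reach Router B's zone policy.

```cisco
! Added example (not from the original post). Assumed VLAN IDs 10/20,
! addressing, interface names and object names; adjust to the real topology.
!
! --- One zone per trunked VLAN, plus one for the upstream link ---
zone security ZONE-X
zone security ZONE-Y
zone security OUTSIDE
!
! --- Trunk toward Router A (the L3 switch) carrying VLANs 10 and 20 ---
! Each sub-interface is the default gateway for its VLAN, so inter-VLAN
! traffic actually traverses Router B and is subject to the zone policy.
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.10
 description VLAN 10 - ZoneX clients
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 zone-member security ZONE-X
!
interface GigabitEthernet0/0.20
 description VLAN 20 - ZoneY clients
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 zone-member security ZONE-Y
!
interface GigabitEthernet0/1
 description Upstream / Internet
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE
!
! --- What ZoneX may initiate toward ZoneY: only HTTP, HTTPS and DNS ---
ip access-list extended ACL-X-TO-Y
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 80
 permit tcp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 443
 permit udp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 53
!
class-map type inspect match-all CM-X-TO-Y
 match access-group name ACL-X-TO-Y
!
policy-map type inspect PM-X-TO-Y
 class type inspect CM-X-TO-Y
  inspect
 class class-default
  drop log
!
! --- ZoneY -> ZoneX: nothing may be initiated; drops are logged ---
policy-map type inspect PM-Y-TO-X
 class class-default
  drop log
!
! --- Both VLANs may reach the Internet with stateful inspection ---
class-map type inspect match-any CM-INSIDE-TO-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-OUT
 class type inspect CM-INSIDE-TO-OUT
  inspect
 class class-default
  drop log
!
! --- Zone pairs bind a policy to one direction; return traffic for
!     inspected sessions is permitted by the state table, not by a
!     reverse rule ---
zone-pair security ZP-X-TO-Y source ZONE-X destination ZONE-Y
 service-policy type inspect PM-X-TO-Y
zone-pair security ZP-Y-TO-X source ZONE-Y destination ZONE-X
 service-policy type inspect PM-Y-TO-X
zone-pair security ZP-X-TO-OUT source ZONE-X destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUT
zone-pair security ZP-Y-TO-OUT source ZONE-Y destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUT
```

Two points worth checking once this is in place. First, traffic between two security zones with no zone-pair is dropped by default, so the ZP-Y-TO-X pair is not needed to block ZoneY from initiating toward ZoneX; it is there so that the drops are logged and visible rather than silent. Second, nothing here covers the OUTSIDE-to-inside direction or the router's own self zone, so inbound sessions from the upstream link are dropped by default while traffic to and from Router B itself is still permitted; `show zone-pair security` and `show policy-map type inspect zone-pair sessions` confirm which pairs exist and which sessions are being inspected.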


ytlee80 Mon, 07/05/2010 - 20:53

Hi,


Thanks for the insight. I think it's the correct way to do it.
