Zone Base Firewall Design question

ytlee80
Level 1

Hi all,

I am planning to use ZBFW in my network, but I face a problem with "extending the legs" for ZBFW. I have two routers: Router A is an L3 switch and is configured with all the IPs, VLANs and the current ACL list. Router B will be added to the existing topology and configured with ZBFW. All traffic is expected to flow through Router B before reaching Router A.

Once I have created the different zones on Router B, how can I apply this configuration so that I can control traffic between the different VLANs on Router A? From the Cisco documentation, as I understand it, Cisco expects all the individual VLANs and the zone-based configuration to be on the same router, not on separate ones.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml

Thank you very much in advance.

Mike.

Accepted Solution

Kevin Redmon
Cisco Employee

Mike,

I'm slightly confused about the topology based on your description below. Please confirm if this is indeed your topology:

ClientVlanX -> Router A (L3 Switch) -> Router B (with ZBF) -> Internet
ClientVlanY ->

If you trunk the link between Router A and Router B to include multiple VLANs (i.e. X and Y), you can configure sub-interfaces on Router B. With the sub-interfaces, you can assign each sub-interface to a different zone. You would then specify different zone policies that define what traffic is allowed between ZoneXY and ZoneYX.

If this doesn't completely answer your question, please provide me with more information about your topology and requirements and I'll do what I can to assist.

Best Regards,

Kevin
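The sub-interface-per-VLAN design Kevin describes, written out as an added Cisco IOS configuration example (not from the original post or from Cisco's documentation). It assumes two user VLANs, 10 and 20, arriving on a dot1Q trunk from Router A, with the VLAN gateway addresses moved onto Router B's sub-interfaces so that inter-VLAN traffic actually crosses the firewall instead of being routed between SVIs on the L3 switch; the interface names, addresses and permitted ports are made up for illustration.

```cisco
! Router B: trunk facing Router A, one 802.1Q sub-interface per VLAN
interface GigabitEthernet0/1
 description Trunk to Router A (assumed)
 no ip address
!
interface GigabitEthernet0/1.10
 description VLAN 10 gateway (assumed: user VLAN X)
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 zone-member security ZONE-X
!
interface GigabitEthernet0/1.20
 description VLAN 20 gateway (assumed: server VLAN Y)
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 zone-member security ZONE-Y
!
interface GigabitEthernet0/0
 description Internet-facing (assumed)
 ip address dhcp
 zone-member security ZONE-OUT
!
zone security ZONE-X
zone security ZONE-Y
zone security ZONE-OUT
!
! Only the listed services may be opened from VLAN X towards VLAN Y;
! stateful inspection admits the return traffic automatically.
ip access-list extended ACL-X-TO-Y
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 22
!
class-map type inspect match-all CMAP-X-TO-Y
 match access-group name ACL-X-TO-Y
!
policy-map type inspect PMAP-X-TO-Y
 class type inspect CMAP-X-TO-Y
  inspect
 class class-default
  drop log
!
! Direction matters: this pair covers X -> Y only. With no zone-pair
! defined for Y -> X, sessions initiated from VLAN Y are dropped by
! the default inter-zone deny, which is the intended least-privilege outcome.
zone-pair security ZP-X-TO-Y source ZONE-X destination ZONE-Y
 service-policy type inspect PMAP-X-TO-Y
```

After applying it, `show policy-map type inspect zone-pair sessions` shows which X-to-Y flows were inspected and `show zone-pair security` confirms each pair has a policy attached; the Internet-facing zone-pairs would be added in the same pattern.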


Hi,

Thanks for the insight. I think it's the correct way to do it.
