ZBF and VRF

Answered Question
Aug 23rd, 2012

Hello, I've got a simple config, like this:

ip vrf LINE
 rd 65000:1
!
zone security LINE
!
interface GigabitEthernet0/1.206
 description -=LINE_UPLINK_ISP=-
 encapsulation dot1Q 206
 ip vrf forwarding LINE
 zone-member security LINE
 ip address 195.23x.x.182 255.255.255.252
!
interface GigabitEthernet0/1.207
 description -=LINE_PA_SPACE=-
 encapsulation dot1Q 207
 ip vrf forwarding LINE
 zone-member security LINE
 ip address 195.23x.x.185 255.255.255.248
!
ip route vrf LINE 0.0.0.0 0.0.0.0 195.239.108.181

No zone-pair for this zone LINE, and no inspection rules configured.

However, when a user in VLAN 207 with the address

 ip 195.23x.x.186
 mask 255.255.255.248
 gw 195.23x.x.185

tries to connect to the Internet, or someone pings this user from the Internet, all traffic is denied. When I do

interface GigabitEthernet0/1.207
 no zone-member security LINE
interface GigabitEthernet0/1.206
 no zone-member security LINE

traffic passes. Why? I always thought that within the same zone all traffic is allowed.

Julio Carvaja Thu, 08/23/2012 - 11:35

Hello Kras,

Would you mind taking the logs from the ZBFW?

ip inspect log drop-pkt

Then just try to connect, with the ZBFW configuration in place of course, and provide me the logs.

Regards,

Rate all the helpful posts

Krasnoperov Fri, 08/24/2012 - 01:19

Here is the log message with the ZBF config in place; I tried to connect via SSH to this host:

Aug 24 2012 12:16:27.204 MSK: %FW-6-DROP_PKT: Dropping tcp session 95.16x.x.54:51245 195.23x.x.186:22  due to  policy match failure with ip ident 0

Krasnoperov Fri, 08/24/2012 - 02:34

Also, I want to say that the ZBF rule:

As soon as an interface is assigned to a zone, traffic will only flow to interfaces in the same zone.

works just fine without VRF, but inside a VRF it does not work for me.

It might be an IOS bug in:

(C3900-UNIVERSALK9-M), Version 15.2(1)T1, RELEASE SOFTWARE (fc1)

Julio Carvaja Fri, 08/24/2012 - 09:27

Hello,

And what happens if you leave the VRF setup and you set them on different zones and create an inspection policy to inspect traffic?

Regards,

Julio

Krasnoperov Sat, 08/25/2012 - 06:37

A strange thing happens: when I create a second zone and a zone-pair policy, put the second interface into this zone and then move it back into the same zone LINE, it starts working as I expect; now all the config that I posted works!

Why so?

Julio Carvaja Sat, 08/25/2012 - 10:19

Hello Krasnoperov,

At least it is good that it is currently working; we could try to perform an upgrade to avoid a bug.

Can I have the version you are running, to look for a bug? Because, as you have explained the problem, the behavior does not make sense.

Regards,

Julio

Krasnoperov Mon, 08/27/2012 - 00:19

Yep, we have two routers with identical IOS and identical behavior.

System image file is "flash:c3900-universalk9-mz.SPA.152-1.T1.bin"

Cisco CISCO3945-CHASSIS (revision 1.0) with C3900-SPE150/K9 with 1835264K/261888K

Technology Package License Information for Module:'c3900'
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9
uc            None          None           None
data          None          None           None

Correct Answer
Julio Carvaja Mon, 08/27/2012 - 12:40

Hello,

I have been doing my homework on this thread and, as far as I knew, the implementation of intra-zone policies has been available since 15.1.

Here is what I have found interesting so far:

Intrazone Support in the Zone-Based Firewall Application

Intrazone support allows a zone configuration to include users both inside and outside a network. Intrazone support allows traffic inspection between users belonging to the same zone but different networks. Depending on your release, traffic within a zone was allowed to pass uninspected by default. To configure a zone pair definition with the same zone for source and destination, use the zone-pair security command. This allows the functionality of attaching a policy map and inspecting the traffic within the same zone.

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2mt/sec-zone-pol-fw.html#GUID-08BAB3A9-DD8A-4656-A887-A38C1EF13512

So it looks like on the newest versions, in order to allow traffic between two interfaces in the same zone, we need to create an intra-zone policy.

I also found the following from the great website of Packetlife.com

http://packetlife.net/blog/2012/jan/30/ios-zone-based-firewall/

In early versions of IOS zone-based firewall, traffic flowing from one interface to another within the same security zone was allowed to pass by default. In recent versions, however, even intra-zone traffic requires a zone pair definition (with a single zone as both the source and destination).

So it makes sense why it worked after I asked you to configure the zone pair.

Can you configure an intra-zone pair policy and let me know how it goes?

Remember to rate all the helpful posts

Julio

Krasnoperov Wed, 08/29/2012 - 03:22

Thanks, Julio.

I made a zone pair with a policy which passes traffic (just pass, no inspection), something like this:

zone-pair security LINE->LINE source LINE destination LINE

and traffic started passing, so I think you're right about the new IOS and intra-zone pair relations.

It would be great if I could change this behaviour back to the default, where the rule was:

As soon as an interface is assigned to a zone, traffic will only flow to interfaces in the same zone.

Is it possible?

Julio Carvaja Wed, 08/29/2012 - 08:25

Hello Krasnoperov,

If you only have a zone-pair for the intra-zone traffic, then only traffic from the same zone will be allowed, so that should do it for you.

Regards,

Julio

Rate all the helpful posts
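The complete intra-zone configuration that this thread converges on, written out as an added example (it is not config from either poster). It reuses the zone LINE and the two sub-interfaces from the original post; the class-map, policy-map and zone-pair names are my own, and the protocol list in the class-map is an assumption about what the poster wants to allow. Nothing in the zone-pair references the VRF: the interfaces keep their ip vrf forwarding LINE and zone-member security LINE lines exactly as posted. The stateless pass action is what the poster tested; the inspect variant is what a practitioner would normally attach, because it only admits return traffic for sessions the firewall has seen initiated.

```cisco
! Added example, not from the original post.
! Assumes: zone LINE with Gi0/1.206 and Gi0/1.207 as members (as posted);
! CM-LINE-INTRA, PM-LINE-INTRA-PASS, PM-LINE-INTRA-INSPECT and LINE-TO-LINE
! are names chosen here. Adjust the match protocol list to what you actually need.

class-map type inspect match-any CM-LINE-INTRA
 match protocol tcp
 match protocol udp
 match protocol icmp

! Variant A: what the poster did. "pass" forwards matching packets with no
! session state. Because source and destination zone are the same, the reply
! direction hits this same zone-pair, so no reverse pair is needed.
policy-map type inspect PM-LINE-INTRA-PASS
 class type inspect CM-LINE-INTRA
  pass
 class class-default
  drop log

! Variant B: stateful inspection of the same flows. Replies are only allowed
! for sessions the firewall created; everything else falls to class-default
! and is dropped and logged (the %FW-6-DROP_PKT messages seen in the thread).
policy-map type inspect PM-LINE-INTRA-INSPECT
 class type inspect CM-LINE-INTRA
  inspect
 class class-default
  drop log

! The intra-zone pair: same zone as source and destination. Attach ONE of the
! two policies above; the inspect one is shown.
zone-pair security LINE-TO-LINE source LINE destination LINE
 service-policy type inspect PM-LINE-INTRA-INSPECT

! Checks after applying:
!   show zone-pair security
!   show policy-map type inspect zone-pair LINE-TO-LINE sessions
!   show logging | include FW-6-DROP_PKT
```

With only this zone-pair defined, traffic between LINE interfaces is admitted by the policy and traffic between LINE and any other zone still has no zone-pair, so it is dropped by default; that is the behaviour the poster asked about in the last two messages. If you later add a second zone, every direction between the two zones needs its own zone-pair, or the drop-pkt log will show the same "policy match failure" reason for those flows.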

Posted August 23, 2012 at 5:27 AM
Tags: vrf, zbf