


I have a router with 2 VRFs on subinterfaces.

Customer requirement dictates that I need to use Cisco ZBF between these VRF 'Zones'.

Customer requirement also dictates I need to allow only one particular packet to traverse this boundary. The packet in question has a specific hex value at a particular byte in the payload.

ZBF does not support deep packet inspection as standard.

I can match the required packet using simple FPM config to match the nth packet from the start of the IP header. When called from a corresponding policy-map and applied to a subinterface (inbound and outbound), this can restrict all traffic between the zones other than the required packet type.

FPM effectively meets the customer requirements, but for security reasons I'm still required to implement ZBF as well!


I'm struggling to get my head around whether there is a way to join these features together to make a more elegant solution. Maybe by nesting an FPM 'access-control' class-map within a ZBF 'inspect' class-map and using the ZBF for stateful inspection.

Has anyone ever tried to do something similar?



