Cisco Support Community

New Member

Minimizing Down-time Cut-in of Zone Based Policy Firewall

A client has an existing router to which I need to add ZBF. The design guide below talks about the overall configuration of ZBF. But because this router is so actively used, I can't rough it in. I need to get the downtime down to about a minute.

So, to minimize outage, would the order be:

1) Add class-maps
2) Add policy-maps
3) Add zones
4) Add zone-pairs
5) Assign interfaces to zones ??

To "deactivate ZBF" if it doesn't go well... is the fastest way to remove all interfaces from zone membership?

Thanks.

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
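The cut-in order asked about above, written out as an IOS configuration. This is an added illustration, not configuration from the thread or from the linked Cisco tech note; the zone, class-map, policy-map and interface names and the two-zone topology are assumptions. The point it shows is that steps 1 through 4 change nothing about forwarding, so they can be entered on the live router at leisure, and only step 5 needs the maintenance window; it also shows the rollback the thread agrees on.

```cisco
! Added example (not from the thread). Names and interfaces are assumed.
!
! 1) class-maps: matching criteria only; inert until a policy-map that
!    references them is attached to a zone-pair.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 2) policy-maps: also inert until attached to a zone-pair.
!    class-default drop log makes rejected flows visible in the log, which
!    is what you want to be watching during the cut-in.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! 3) zones: empty zones have no effect on forwarding.
zone security INSIDE
zone security OUTSIDE
!
! 4) zone-pairs: still no effect, because no interface is a zone member yet.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! 5) interface membership: the only step that changes forwarding, so this is
!    the part to paste during the maintenance window. Paste both interfaces
!    in one go: IOS drops traffic between an interface that is in a zone and
!    an interface that is in no zone, so assigning them one at a time would
!    cut INSIDE off from OUTSIDE until the second interface is added.
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! Verification after the paste.
do show zone security
do show zone-pair security
do show policy-map type inspect zone-pair sessions
!
! Rollback (the fast "deactivate" the thread agrees on): removing zone
! membership returns both interfaces to unzoned forwarding, so no inspect
! policy is enforced on them. The class-maps, policy-maps, zones and
! zone-pairs can stay in the running config for a second attempt.
interface GigabitEthernet0/0
 no zone-member security INSIDE
interface GigabitEthernet0/1
 no zone-member security OUTSIDE
```

Before the window, keep the step-5 lines and the rollback lines in separate text-editor buffers, so that either can be pasted in a few seconds. The ordering also matters in reverse: if the zone-pairs or policy-maps were ever removed before the interfaces left their zones, traffic between the zones would be dropped (no zone-pair means no permitted traffic between two distinct zones), which is why removing the interface membership is the rollback and not removing the policy.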

Accepted Solution

Re: Minimizing Down-time Cut-in of Zone Based Policy Firewall

Hi Michael,

Your plan looks good to me. If possible, I would recommend both writing and testing the configuration on a non-production router first. This way, you can work out any quirks in your config and make sure everything works as expected. Once this is done, you can copy the configuration into a text editor and simply paste it into the production router during a brief maintenance window.

Also, you are correct in that the fastest way to "deactivate" ZBFW is to simply remove the interfaces' zone membership.

Hope that helps.

-Mike

3 REPLIES

New Member

Re: Minimizing Down-time Cut-in of Zone Based Policy Firewall

Mike,

If you remove the interfaces' zone membership, doesn't IOS firewall default to not passing any traffic?

Cisco Employee

Re: Minimizing Down-time Cut-in of Zone Based Policy Firewall

No, it doesn't. When you remove zone membership from interfaces, ZBF is no longer effective for those interfaces, which means any policies applied through ZBF also become void for that interface.
