Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Hi there,

I am new with ZFW and I would appreciate any hints for my network design ;-)

I am trying to do the following:

at the moment, I have a router with about 9 VLANs containing workstation-VLAN, printer-VLAN, notebook-VLAN, testlab-VLAN etc etc...

On each of the VLAN-Subinterfaces on my router I have got an own in-ACL and OUT-ACL (extended) with reflect- and evaluate-statements.

In addition I have two uplink-Interfaces (because of redundancy).

Basically the VLANs should be separated from each other, but the ACLs also contain single permits for services/ports/protocols from one VLAN into another VLAN.

I think, the only solution to implement this in ZFW is, to design 9 different zones for the VLANs and 1 zone for the "outside"-Interfaces.

Then I have to create two class-maps resp. policy-maps for each vlan and also two zone-pair statements (in-out and out-in) for each vlan.

Or is it easier to bundle certain services, create a CMAP out of that and apply a certain ACL contain IP-Adresses from all VLANs doing the same service?

e.g.

class-map type inspect match-all cmap_smtp-allow

match access-group name smtp_allow

match protocol smtp

asr_1001#sh access-lists smtp_allow

Extended IP access list smtp_allow

    10 permit tcp any  host 74.125.39.16     ! smtp.googlemail.com

Do You have any suggestions what does make more sense here?

Thanks,

Stefan

3 ACCEPTED SOLUTIONS

Accepted Solutions

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Hello Stefan,

I do not see why the ZBFW feature cannot be implemented here, in fact as you know ZBFW is really flexible so it will adapt to all your company needs.

Just to let you know if you create 9 different zones, you will need to create a zone pair policy for each different vlan pair that need to comunicate between them.

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Hello Stefan,

That is correct if you have 9 different zones you will need a zone-pair for each vlan communication between different zones, the configuration will be longer but ZBFW it is going to be more flexible and you will have more granularity whit your network enviroment.

Other thing you can do is to place some of the vlans on the same zone so they have communication, Vlans on the same zone can comunicate with each other by default.

So in this case you will definetly need to think about if you are looking something easy to perform or something secure and really flexible.

Hope you have a wonderful day.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Hello Stefan,

My pleasure, you will need the Zone-pairs 100%, without them you are not going to have communication between those vlans, that is the whole purpose of ZBFW.

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
5 REPLIES

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Hello Stefan,

I do not see why the ZBFW feature cannot be implemented here, in fact as you know ZBFW is really flexible so it will adapt to all your company needs.

Just to let you know if you create 9 different zones, you will need to create a zone pair policy for each different vlan pair that need to comunicate between them.

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Thank You for Your answer, but that makes it even more complicated...

Let me explain why I am hesitating doing this. For example, I have:

     interface Gi1/0.101

     desc VLAN 1

     ip address 1.1.1.1/24

     ip access-group in-vlan1-filter in

     ip access-group out-vlan1-filter out

     int Gi1/0.102

     desc VLAN2

     ip address 2.2.2.1/24

     ip access-group in-vlan2-filter in

     ip access-group out-vlan2-filter out

     int Gi1/0.103

     desc VLAN3

     ip address 3.3.3.1/24

     ip access-group in-vlan3-filter in

     ip access-group out-vlan3-filter out

=> until now, I had the above named ACLs on each vlan-subinterface, for example:

     ip access-list extended out-vlan2-filter

     permit tcp host 1.1.1.5 host 2.2.2.15 eq 22

     permit udp any             host 2.2.2.50 eq 4500

     permit tcp host 3.3.3.9 host 2.2.2.22 eq 80

     etc...

=> which makes 6 different ACLs in the above case. With ZFW, I need a zone-pair "in-out" and "out-in" for each vlan and additional two zone-pairs for the inter-vlan-communicatio, which makes, in this case, 6 additional zone-pairs (zone-pair "vlan1-vlan2"/"vlan1-vlan3"/"vlan2-vlan1"/"vlan2-vlan3"/"vlan3-vlan1"/"vlan3-vlan2"). So, if I have 9 different VLANs (if my calculation is right), I have 45 different zone-pairs just for inter-vlan-communication.

I just want to ask if there is a easier way  ;-)

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Hello Stefan,

That is correct if you have 9 different zones you will need a zone-pair for each vlan communication between different zones, the configuration will be longer but ZBFW it is going to be more flexible and you will have more granularity whit your network enviroment.

Other thing you can do is to place some of the vlans on the same zone so they have communication, Vlans on the same zone can comunicate with each other by default.

So in this case you will definetly need to think about if you are looking something easy to perform or something secure and really flexible.

Hope you have a wonderful day.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Hi Julio,

thanks for Your answer, apparently I get it *step by step* ;-)

One last question: what happens if there are only zone-pairs "vlan-in"/"vlan-out" for each vlan and the class-maps in there define the matches out of one "global" ACL for this specific VLAN? From the example above:

     interface Gi0/0

     desc UPLINK

     zone-member security zone_outside

     interface  VLAN 1

     ip address 1.1.1.1/24

     zone-member security zone_vlan1

     int  VLAN2

     ip address 2.2.2.1/24

     zone-member security zone_vlan2

     int VLAN3

     ip address 3.3.3.1/24

     zone-member security zone_vlan3

     class-map type inspect match-any cmap-out_vlan2

     match access-group name out-vlan2-filter

     policy-map type inspect pmap-out_vlan2

     class type inspect cmap-out_vlan2

     inspect

     zone-pair sec zp-out_vlan2 source  zone_outside dest zone_vlan2

     ip access-list extended out-vlan2-filter

     permit tcp host 1.1.1.5 host 2.2.2.15 eq 22     ! comes from zone_vlan1

     permit udp any             host 2.2.2.50 eq 4500 ! comes from zone_outside

     permit tcp host 3.3.3.9 host 2.2.2.22 eq 80     ! comes from zone_vlan3

     etc...

=> so for the other vlans, there are zone pairs "zp-in_vlan1" etc, which allow them to go outside.

Will these requests, for example from vlan1 in direction of vlan2, also arrive, through the way "zone_vlan1 --> zone_outside --> zone_outside --> zone vlan2" ??

Or do I have to create the "inter-vlan-zone-pairs" necessary?

Kind regards,

Stefan

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Hello Stefan,

My pleasure, you will need the Zone-pairs 100%, without them you are not going to have communication between those vlans, that is the whole purpose of ZBFW.

Please rate helpful posts.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
1342
Views
0
Helpful
5
Replies
CreatePlease to create content