
Securing a IPVPN Provider Core with Zone Based Firewalls

Morning Chaps,

Currently we are rolling out a new core network to provide an MPLS IPVPN, Internet Access, DSL services etc. Everything is going well; however, I am trying to decide on a security model. I am currently evaluating ZBF for the core network. I was drawn to this due to the Zone Self, so we can tightly control traffic destined to the control plane (as receive ACLs have been deprecated on the IOS XE platforms). Now I thought / hoped the ZBF zone information would be carried across the core as a BGP community by default; this appears not to be the case. Please see diagram below:

[Diagram: VRF - ZBF Traffic Flow.jpg]

So traffic is currently being dropped, as the core link (core 1 - core 2) is not part of a zone. I can create a new zone (Zone: Core) and define access across zones.

However, I am unsure if ZBF is now suitable for an MPLS IPVPN provider. What are people's thoughts / experiences?

Core Security Checklist:

1. Define / Secure CPE -> PE traffic

  • ACL - Currently configured
  • Control Plane Protection - Investigate 
  • ZBF - Investigating   

2. Control Plane Policing (Complete)

3. Disable SSH Keyboard (regarding this, if anyone knows offhand: I have successfully created public / private pairs and they work successfully, however the router will still accept keyboard authentication. Can this be disabled?)

Regards Neil
