Features and Functionalities of the Cisco IOS Zone-Based Firewall
by PivIT Global on May 9, 2023 7:14:00 AM
In a typical enterprise deployment, different parts of the network usually represent different departments, floors, buildings, or anything that shares common characteristics.
Since these network parts consist of numerous endpoints and users with the same or similar network demands, such as access to various services, servers, or different network parts, you can apply one policy to filter out traffic coming in or going out.
When using Cisco ASA or Cisco Firepower NGFW firewalls, these appliances allow you to create zones and apply policy enforcement on the traffic exchanged between those.
Routers, however, do not behave this way by default. The zone-based firewall is part of the Cisco IOS security feature set (for example, the securityk9 technology package on ISR platforms), and only with that feature set can the router inspect traffic between configured zones the way a firewall does.
This article will outline the following:
- An overview of the Cisco IOS zone-based firewall.
- An outline of the supported features and benefits it provides.
- An overview of the importance of zones and zone pairs.
- A familiarization with the C3PL configuration language.
- An explanation of configuring zone-based firewall policy on a Cisco router.
Cisco IOS Zone-Based Policy Firewall Overview
The main goal of using a zone-based policy firewall is to separate the network into different zones and apply an inspection policy to traffic exchanged between the zones. These interzone policies provide increased flexibility and granularity, which results in a more optimized way of performing policy-based traffic filtering.
Based on the network design, individual interfaces are placed into zones, so a policy can be written once for a whole group of hosts rather than per interface or per subnet. This makes it straightforward to translate traffic-flow requirements into policy rules that permit, inspect, or deny traffic moving between zones (for example, between different departments).
The zone-based policy firewall is configured with the Cisco Common Classification Policy Language, also known as C3PL configuration language. It uses a hierarchical structure to classify different types of traffic and apply appropriate inspection (or other actions) to it when being sent from one zone into another.
The Cisco IOS zone-based policy firewall behaves like a dedicated firewall and supports features that a regular Cisco router does not provide by default, including:
- Stateful inspection.
- Application inspection.
- Transparent firewall.
- URL filtering.
An Introduction to Zones
A zone is a collection of networks that is reachable over a specific set of router interfaces.
Usually, a zone represents a department or a specific part of the network. On a Cisco IOS zone-based policy firewall, you can create as many zones as you need based on the requirements.
Once the zones are configured, you define which router interfaces belong to which zone. The rules are straightforward: an interface can belong to only one zone, while multiple interfaces can be members of the same zone. There is also a system-defined zone called the "self zone", which represents the router itself (traffic sourced from or destined to the router's own addresses) and has no interface members.
The default behavior permits unrestricted traffic between interfaces that belong to the same zone and drops all traffic between different zones. Note that an interface that is a member of a zone also cannot exchange traffic with an interface that has not been assigned to any zone. Interzone traffic is allowed only when you explicitly configure a zone pair and a policy for it.
As you can notice in the image above, interface Fa0/1 is part of Zone 1, while interfaces Fa0/2 and Fa0/3 belong to Zone 2. By default, communication between Zone 1 and Zone 2 is not allowed, while intrazone traffic between Fa0/2 and Fa0/3 in Zone 2 is allowed.
The Purpose of Zone Pairs
Because the default behavior does not suit the typical traffic exchange requirements in enterprise networks, you need to make additional policy modifications. You can do this by implementing zone pairs on the router.
A zone pair specifies a unidirectional policy between two security zones, and the direction of the allowed traffic communication is indicated by defining a source and destination zone. To allow communication between two zones in both directions, you need to create two zone pairs in which the same zones will be used as a source and destination per zone pair.
When the system-defined self zone is used in a zone pair with an explicitly defined zone, the associated policy applies only to traffic destined for the router or originated by the router, never to traffic passing through it. Unlike interzone traffic, traffic to and from the self zone is permitted by default until you create a zone pair that includes self, so management access to the router (SSH, SNMP, routing protocols) remains open unless you restrict it explicitly.
As you can see in the image above, two zone pairs must be configured so that Zone 1 and Zone 2 can exchange traffic with each other. Zone pair 1 allows communication from Zone 1 to Zone 2, while Zone pair 2 allows communication from Zone 2 to Zone 1.
Creating Policies With C3PL
When zone pairs are configured, traffic still cannot flow from one zone to another. You have to apply a policy on the zone pair by using the C3PL configuration language. It is similar to Modular QoS CLI (MQC) and Modular Policy Framework (MPF). It consists of three parts:
- Class map: Uses various matching criteria, such as access groups and protocols, to identify and classify certain traffic. The match-any or match-all option can be used to process the matching criteria.
- Policy map: Defines the action for traffic matched by each class map. The inspect action performs stateful inspection and automatically permits the return traffic of a session; pass permits traffic statelessly in one direction only, so a zone pair in the opposite direction is needed for replies; drop discards the traffic (optionally logging it). Any traffic not matched by a named class falls into class-default, which drops by default.
- Service policy: Specifies the zone pair where the policy map should be applied. Only one service policy is allowed to be applied to a given zone pair in the direction that is defined by the zone pair.
How to Configure C3PL
The procedure to configure C3PL on Cisco IOS zone-based policy firewall is straightforward and consists of the following steps:
- Define zones.
- Assign interfaces to zones.
- Define class maps.
- Define policy maps.
- Define zone pairs.
- Apply policy maps to zone pairs.
As you can see in the image above, there is only one zone pair: Zone1_to_Zone2, with Zone1 as the source and Zone2 as the destination. The requirement is to statefully inspect traffic sent from Zone1 to Zone2, which allows the return traffic of those sessions, while all traffic initiated from Zone2 toward Zone1 is denied because no zone pair permits it.
You need to configure the following commands on the router so that the requirement is satisfied:
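The following configuration is an added example and is not the original article's configuration. It walks through the six steps above for the Zone1_to_Zone2 requirement and also adds a zone pair to the self zone, which the page mentions as the one place where traffic is permitted by default. The zone and zone-pair names Zone1, Zone2 and Zone1_to_Zone2 come from the text; the interface names, IP addresses (documentation ranges), ACL and class/policy-map names are assumptions chosen for illustration.

```cisco
! Added example; not from the original article.
! Assumptions: Zone1 is the user LAN on GigabitEthernet0/0 (10.1.1.0/24),
! Zone2 is the upstream link on GigabitEthernet0/1 (203.0.113.0/30).
!
! Step 1 - define the zones
zone security Zone1
 description User LAN
zone security Zone2
 description Upstream / untrusted
!
! Step 2 - assign interfaces (an interface can be in only one zone)
interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 zone-member security Zone1
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 zone-member security Zone2
!
! Step 3 - class map: what Zone1 hosts may initiate toward Zone2.
! match-any classifies a flow if it matches ANY of the listed protocols.
class-map type inspect match-any Zone1_to_Zone2_CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Step 4 - policy map: inspect = stateful; replies are admitted from the
! session table, so no Zone2->Zone1 zone pair is required. Everything else
! is dropped and logged by the explicit class-default.
policy-map type inspect Zone1_to_Zone2_POLICY
 class type inspect Zone1_to_Zone2_CLASS
  inspect
 class class-default
  drop log
!
! Steps 5 and 6 - one unidirectional zone pair with the policy attached.
zone-pair security Zone1_to_Zone2 source Zone1 destination Zone2
 service-policy type inspect Zone1_to_Zone2_POLICY
!
! Protecting the router itself (self zone). Traffic to/from self is
! permitted by default; this pair restricts what Zone1 may send to the
! router to SSH and ping. Self-zone inspection is limited to generic
! TCP/UDP/ICMP, so the class matches an ACL rather than an application.
ip access-list extended MGMT_TO_ROUTER
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
 permit icmp 10.1.1.0 0.0.0.255 any echo
class-map type inspect match-all Zone1_to_self_CLASS
 match access-group name MGMT_TO_ROUTER
policy-map type inspect Zone1_to_self_POLICY
 class type inspect Zone1_to_self_CLASS
  inspect
 class class-default
  drop log
zone-pair security Zone1_to_self source Zone1 destination self
 service-policy type inspect Zone1_to_self_POLICY
```

Two caveats a practitioner should check before committing this. First, on IOS releases that do not support inspection in self-zone policies, replace the inspect action in Zone1_to_self_POLICY with pass and add a second zone pair (source self, destination Zone1) that passes the return traffic; otherwise SSH to the router breaks. Second, any interface you later add to the router but leave out of a zone will be unable to talk to Zone1 or Zone2 interfaces, so assign every routed interface deliberately. Verify the result with show zone security, show zone-pair security and show policy-map type inspect zone-pair sessions, which lists the stateful sessions the inspect action has created.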
Router as a Simple Replacement for a Firewall
A dedicated firewall is the best option for policy enforcement, but it is not always available. Headquarters typically has one; a small branch office often does not.
In those cases, the Cisco IOS zone-based policy firewall lets a router you already own provide stateful and application inspection, permitting or denying specific traffic between parts of the network according to your requirements. Use this guide the next time you need a refresher on configuring it.