Filter
Top Products
34-1
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12
CHAPTER
34
Zone-Based Policy Firewall
Zone-based policy firewall (also known as “Zone-Policy Firewall” or “ZPF”)
changes the firewall from the older interface-based model to a more flexible, more
easily understood zone-based configuration model. Interfaces are assigned to
zones, and an inspection policy is applied to traffic moving between the zones.
Inter-zone policies offer considerable flexibility and granularity, so different
inspection policies can be applied to multiple host groups connected to the same
router interface.
Firewall policies are configured with the Cisco Common Classification Policy
Language (C3PL), which employs a hierarchical structure to define inspection for
network protocols and the groups of hosts to which the inspection will be applied.
For a good description of how Zone- Based Policy Firewall can be implemented,
read The Zone-Based Policy Firewall Design Guide available on cisco.com by
going to Support > Product Support > Cisco IOS Software > Cisco IOS
Software Releases 12.4 Mainline > Configure > Feature Guides and clicking
Zone-Based Policy Firewall Design Guide. This document may also be available
at the following link:
http://www.cisco.com/en/US/products/ps6350/products_feature_guide09186a00
8072c6e3.html
Configuration Task Order
The following task order can be followed to configure a Zone-Based Policy
Firewall:
1. Define zones.
2. Define zone-pairs.