
Zone-Based Firewall is not hard at all

Cisco ships a Zone-Based Policy Firewall in the IOS image of its newer routers. If you have purchased a Security license for the router, you can enable the firewall feature.
The Zone-Based Firewall works differently from the traditional ASA model of per-interface security levels. You assign each interface to a zone, then create zone-pairs and attach an inspect policy to each pair to define what traffic is allowed from one zone to the other. Traffic between zones that have no zone-pair is dropped by default, traffic between interfaces in the same zone is permitted, and an interface that belongs to no zone cannot exchange traffic with an interface that does. Traffic to and from the router itself (the built-in "self" zone) is allowed unless you write a zone-pair for it.
I knew nothing about the Cisco zone-based firewall until recently, when I had to help a client migrate an old PIX onto a zone-based firewall on a new 3900 series router. There were 6 physical interfaces and 12 sub-interfaces (using dot1q trunking) on the router. As the client required a highly secured environment, I had to assign the interfaces to different zones.
If you have worked on Cisco VoIP, you will be familiar with class-based QoS (the MQC). Setting up the zone-based firewall is very similar to setting up a class-based policy for QoS: you define class-maps that match traffic, policy-maps that act on those classes, and then apply the policy. The differences are that the class-maps and policy-maps are of type inspect, and the policy is attached to a zone-pair rather than to an interface.
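Here is an added example of that class-map / policy-map / zone-pair pattern, written for this page and not taken from the original post or the client's configuration. It shows two zones, one dot1q sub-interface, and one zone-pair that inspects a few protocols outbound and logs everything else. The zone names, interface numbers, VLAN ID and addresses are assumptions chosen for illustration.

```cisco
! --- Added example: minimal IOS Zone-Based Policy Firewall ---
! Names, interfaces, VLAN and addresses below are assumptions.

! 1. Classify the traffic you want to allow (the QoS class-map analogue).
class-map type inspect match-any INSIDE-TO-OUTSIDE-CMAP
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

! 2. Decide what to do with each class (the QoS policy-map analogue).
!    "inspect" tracks the session so return traffic is allowed back in;
!    class-default catches everything else and drops it with a log entry.
policy-map type inspect INSIDE-TO-OUTSIDE-PMAP
 class type inspect INSIDE-TO-OUTSIDE-CMAP
  inspect
 class class-default
  drop log

! 3. Define the zones. Interfaces in neither zone cannot talk to these.
zone security INSIDE
zone security OUTSIDE

! 4. Bind the policy to a direction. Without a zone-pair, INSIDE -> OUTSIDE
!    would be dropped; OUTSIDE -> INSIDE still has no zone-pair, so only
!    return traffic for inspected sessions gets back in.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-PMAP

! 5. Put interfaces into zones. A dot1q sub-interface can be a zone member
!    on its own, which is how one trunk can feed several zones.
interface GigabitEthernet0/0
 description Outside (assumed)
 ip address 203.0.113.2 255.255.255.252
 zone-member security OUTSIDE

interface GigabitEthernet0/1.10
 description Inside VLAN 10 (assumed)
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 zone-member security INSIDE
```

After applying it, "show zone-pair security" confirms the pair and its policy, "show zone security" lists the member interfaces, and "show policy-map type inspect zone-pair sessions" shows the sessions the inspect action is tracking. Note that putting an interface into a zone immediately cuts it off from every interface outside that zone, so assign the management interface's zone and its zone-pairs before the interface you are logged in through.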
