- Zone-Based Firewall (ZBFW) can coexist with CBAC (legacy ip inspect) on the same router, but Cisco does not recommend mixing the two.
- UDP-based traceroute is not supported through ICMP inspection.
- Multicast stateful inspection is not supported.
- Since ZBFW does not inspect GRE or ESP packets, use ‘pass’ to allow such packets as inspecting them would drop the traffic.
- Intra-zone traffic is allowed by default, but an intra-zone policy can still be configured to inspect or drop traffic between interfaces in the same zone.
- Prior to 15.0(1)M, intra-zone traffic could not be inspected.
- When an interface is a member of a security zone, all transit traffic to a different zone is dropped by default until a zone-pair with a policy permits it.
- Traffic between a zone and a non-zone interface is always dropped.
- An interface cannot be part of a zone and carry a legacy ip inspect policy at the same time.
- ACLs cannot be applied directly to a security zone or a zone-pair. To filter on addresses, reference the ACL from a class-map (match access-group) and assign the drop action in the policy-map. The ACL is then only a match criterion, so its entries must be permit statements that select the traffic to drop; a deny entry simply means "no match" and the packet falls through to the next class.
- All interfaces in a security zone must belong to the same VRF. Traffic between zones in different VRFs is allowed, but whether it actually flows depends on the rest of the configuration (routing and route leaking between the VRFs, for example).
- When traffic is inspected from in-to-out, the firewall keeps session state and return traffic is allowed without an explicit rule on the out-to-in zone-pair.
- When traffic is passed from in-to-out, no session state is kept, so return traffic is dropped unless it is explicitly allowed on the out-to-in zone-pair.
- Traffic is also dropped when there is no explicit rule allowing it, unlike CBAC, where a protocol that is not inspected is still allowed through (subject only to interface ACLs).
Zones and ACLs:
- ACLs are processed before the zone-policy
- Pinholes are not punched in interface ACLs for return traffic, so an inbound ACL on the return interface must itself permit the return flow.
Class-default Class Map:
This class map represents all traffic that does not match any of the user-defined classes in a policy. You can define explicit actions for the packets that match none of the user-defined classes. The default action of class-default is drop.
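The caveats above put together in one configuration: GRE and ESP are passed rather than inspected, an ACL is used only as a permissive match criterion inside a class-map to drop traffic, inspected traffic gets its return flow for free while passed traffic needs an explicit rule in the reverse zone-pair, intra-zone traffic is inspected through a same-zone zone-pair, and class-default drops whatever nothing else matched. This is an added example, not configuration from the original notes; the interface names, addresses, and all zone, class-map, policy-map and ACL names are assumptions.

```cisco
! Added example (not from the original notes). Assumed topology: Gi0/0 = INSIDE
! (10.0.0.0/24), Gi0/1 = OUTSIDE; a GRE-over-IPsec tunnel terminates on a peer
! reached through OUTSIDE. All object names below are hypothetical.

zone security INSIDE
zone security OUTSIDE

! ACLs used only as match criteria. Entries are PERMITs that SELECT traffic;
! a deny here would mean "no match", not "drop".
ip access-list extended BLOCKED-HOSTS
 permit ip host 10.0.0.50 any
ip access-list extended TUNNEL-TRAFFIC
 permit gre any any
 permit esp any any

! Traffic to drop, selected by the permissive ACL above.
class-map type inspect match-all CM-BLOCKED
 match access-group name BLOCKED-HOSTS

! GRE and ESP cannot be inspected (inspect would drop them); they are passed.
class-map type inspect match-all CM-TUNNEL
 match access-group name TUNNEL-TRAFFIC

! Ordinary user traffic that is stateful-inspected.
class-map type inspect match-any CM-USER-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp

! in-to-out: drop the blocked host first, pass tunnel traffic, inspect the
! rest; everything else lands in class-default and is dropped.
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-BLOCKED
  drop log
 class type inspect CM-TUNNEL
  pass
 class type inspect CM-USER-TRAFFIC
  inspect
 class class-default
  drop

! out-to-in: return traffic of INSPECTED sessions needs nothing here, the
! session table allows it. PASSED traffic keeps no state, so the tunnel
! packets coming back must be passed explicitly in this direction as well.
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-TUNNEL
  pass
 class class-default
  drop

zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN

! Intra-zone (15.0(1)M and later): intra-zone traffic is allowed by default,
! but a zone-pair whose source and destination are the same zone can inspect
! it; once such a policy exists, its class-default drops what it does not list.
policy-map type inspect PM-INTRA-INSIDE
 class type inspect CM-USER-TRAFFIC
  inspect
 class class-default
  drop
zone-pair security INSIDE-TO-INSIDE source INSIDE destination INSIDE
 service-policy type inspect PM-INTRA-INSIDE

! Interfaces join zones last; from this point transit traffic is governed
! solely by the zone-pair policies above.
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

After applying it, "show zone-pair security" confirms which policy-map is bound to each zone-pair, and "show policy-map type inspect zone-pair sessions" shows the session table: inspected TCP/UDP/ICMP flows from INSIDE appear there, while GRE and ESP never do, which is exactly why the OUT-TO-IN policy has to pass them on its own.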