Zone-Based Firewall – Concepts (CCIE Notes)


  • Zone-Based firewall may work in conjunction with CBAC but it is not recommended.
  • UDP based trace route is not supported through ICMP inspection.
  • Multicast stateful inspection is not supported.
  • Since ZBFW does not inspect GRE or ESP packets, use ‘pass’ to allow such packets as inspecting them would drop the traffic.


  • Intra-zone traffic is allowed by default, but an intra-zone policy can still be configured to inspect or drop traffic between interfaces in the same zone.
  • Prior to 15.0(1) M, Intra-zone traffic couldn’t be inspected.
  • When interface is a member of a security zone, all ‘transit’ traffic to a different zone is dropped by default.
  • Traffic between a zone and a non-zone interface is always dropped.
  • Interface cannot be a part of a zone and a legacy inspect policy at the same time.
  • Cannot apply ACLs between security zone or zone-pairs. To apply an ACL include them in class-maps and use policy-maps to drop the traffic. The ACLs in this case have to be permissive ACLs.
  • All interfaces in a security zone must belong to the same VRF-instance. Inter-VRF is allowed but it highly depends on other config (for example; routing and route-leaking).

Zone pairs:

  • When traffic is inspected from in-to-out, return traffic is allowed without explicitly allowing it on the return interface.
  • When traffic is passed from in-to-out, return traffic is dropped and has to be explicitly allowed on the return interface.
  • Traffic is also dropped when there are no explicit rule allowing it, unlike CBAC where a protocol which is not inspected is allowed to pass through.

Zones and ACLs:

  • ACLs are processed before the zone-policy
  • Pinholes are not punched for return traffic in interface ACLs.

Class-default Class Map:

This class-map represent all traffic that do not match any of the user-defined classes in a policy. You can define explicit actions for a group of packets that does not match any of the user-defined classes. The default action of the class-default is drop.

Bookmark to follow my CCIE Security v4 journey ->

One thought on “Zone-Based Firewall – Concepts (CCIE Notes)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s