This post is intended to explain basic concepts pertaining to intrazone traffic within a Cisco Zone-based Policy Firewall (ZFW) environment. Before we start the discussion itself, it is worth emphasizing that there have been major changes in the ZFW intrazone behavior since the inception of IOS 15.X.
On IOS 12.X releases, traffic between interfaces belonging to the same zone was allowed to cross the firewall without inspection. More precisely, in this group of releases, it was not even possible to define intrazone ZFW policies.
** Topics for Study:
- Examine the show commands documented in this example.
- Apply L3 restrictions to limit intrazone traffic. Your policy should only allow PING between the 10.10.6.0/24 and 10.10.10.0 subnets, while still permitting NTP from 10.10.6.0/24 to the 10.10.10.200 server.
- What command can be used to display the ZFW policy structure?
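One way to express the policy asked for in the second study topic, as an added configuration example that is not from the original post. The interface names, the zone name INSIDE and the ACL, class-map and policy-map names are assumptions, and the same-zone zone-pair relies on the IOS 15.X intrazone support the post refers to.

```cisco
! Assumed topology (not from the original post): the 10.10.6.0/24 and
! 10.10.10.0/24 segments sit behind two interfaces of the same zone, INSIDE.
zone security INSIDE
!
interface GigabitEthernet0/0
 description 10.10.6.0/24 segment (assumed interface)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description 10.10.10.0/24 segment (assumed interface)
 zone-member security INSIDE
!
! Only the traffic the exercise permits: ICMP echo between the two subnets
! and NTP (UDP/123) from 10.10.6.0/24 to the 10.10.10.200 server.
ip access-list extended INTRA-ALLOW
 permit icmp 10.10.6.0 0.0.0.255 10.10.10.0 0.0.0.255 echo
 permit icmp 10.10.10.0 0.0.0.255 10.10.6.0 0.0.0.255 echo
 permit udp 10.10.6.0 0.0.0.255 host 10.10.10.200 eq ntp
!
class-map type inspect match-all INTRA-CLASS
 match access-group name INTRA-ALLOW
!
! Stateful inspection for the permitted class; everything else in the zone
! is dropped and logged, so unexpected intrazone flows become visible.
policy-map type inspect INTRA-POLICY
 class type inspect INTRA-CLASS
  inspect
 class class-default
  drop log
!
! IOS 15.X: a zone-pair whose source and destination are the same zone
! is what makes intrazone traffic subject to the inspect policy.
zone-pair security INTRA-INSIDE source INSIDE destination INSIDE
 service-policy type inspect INTRA-POLICY
!
! Verification after applying the configuration:
! show zone-pair security
! show policy-map type inspect zone-pair INTRA-INSIDE sessions
```

Return traffic for the echo and NTP flows is handled by the inspect sessions, so no separate class for replies is needed.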
** Related Posts:
- Zone Firewall Series: https://alexandremspmoraes.wordpress.com/tag/zone-firewall/