Friday, June 22, 2012

Configuring Cisco ZFW - Cisco Zone Based Firewall

The concept of a Cisco Zone Based Firewall (ZFW) is very simple, yet it can quickly turn into a giant two-headed dog if you don't understand how to design it. ZFW classifies interfaces into security zones: interfaces in the same zone (intra-zone) can pass traffic freely between each other, while traffic between interfaces in different zones (inter-zone) is restricted by default. A quick example will shed more light on this concept.

Consider the simple topology below and let's get started.

We have two zones in the following example: a LAN zone and a WAN zone. R2 Fast1/0 and Fast1/1 will be placed in the LAN zone, and since they are in the same zone traffic will be able to flow freely between them. R2 Fast2/0 will be placed in the WAN zone, and since Fast1/0 and Fast1/1 are in a different zone from Fast2/0, traffic will not be able to flow between them by default.

A brief overview of the rest of the blogtorial:
  • Configure interfaces.
  • Test L3 connectivity.
  • Create security zones.
  • Create access-lists to match the LAN subnets.
  • Create class-maps to classify traffic.
  • Create policy-maps to match on class-maps.
  • Create a zone-pair.
  • Apply policy-maps to the zone-pair.
  • Apply security zones to interfaces.
  • Verify with a few show commands.
Configure Interfaces

R5 Interface Configuration
R4 Interface Configuration
R2 Interface Configuration

R2 Interface Configuration
R3 Interface Configuration
Configure the HTTP and HTTPS server on R3 so we can test connectivity later on in our lab.

Create Security Zones

Now that we have configured all of the interfaces, it's time to create the security zones. Remember the big picture: we are trying to create two distinct security zones, one for LAN and one for WAN. LAN to WAN should only allow specific subnets and protocols, and only return traffic should be permitted from WAN to LAN.

Creating 2 zones with descriptions
Create an Access-list to match LAN Subnets

This access-list will be the base of LAN to WAN class-maps to match traffic going from LAN to WAN.
To match both LAN Subnets

Create Class-maps

Class-maps are used to match traffic based on one or more criteria. In this particular example, I am matching with 'AND' logic using match-all, because I wanted to match on Lan_Subnets AND a certain protocol. Note that there is also match-any, which uses 'OR' logic.

Create Policy-maps

Policy-maps are used in conjunction with class-maps, and this is where we decide whether to inspect the traffic, police the traffic, drop the traffic, and so on. Note that in LAN2WAN_ICMP I am policing the traffic to 64000 bps with an 8000-byte burst.

Other options available within the policy-maps.

Create Zone-Pair / Apply policy-map

A zone-pair is basically two security zones tied together with a policy-map. The source and the destination are important because they determine the flow/direction of the traffic the policy applies to.

Assign security zones to interfaces

We are almost done; all we have left to do is assign the interfaces to the appropriate security zones. Recall that R2 Fast1/0 and Fast1/1 are in the LAN zone and R2 Fast2/0 is in the WAN / external zone.

At this point we should all be done. Only thing left to do is verify that everything is working as configured/expected.
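Pulling the steps above together, here is a complete R2 configuration written as an added example for this post (it is not the author's own screenshots). The subnets 10.1.0.0/24 and 10.2.0.0/24 and the interface roles are assumptions; the object names follow the post (Lan_Subnets, LAN2WAN_ICMP).

```cisco
! Added example, not the post's own config. Subnets are assumed values.
! 1. Security zones
zone security LAN
 description Inside - Fast1/0 and Fast1/1
zone security WAN
 description Outside - Fast2/0
!
! 2. Access-list matching both LAN subnets (assumed addressing)
ip access-list extended Lan_Subnets
 permit ip 10.1.0.0 0.0.0.255 any
 permit ip 10.2.0.0 0.0.0.255 any
!
! 3. Class-maps. match-any = OR (either web protocol);
!    match-all = AND (must come from a LAN subnet AND be that protocol)
class-map type inspect match-any WEB_PROTOCOLS
 match protocol http
 match protocol https
class-map type inspect match-all LAN2WAN_WEB
 match access-group name Lan_Subnets
 match class-map WEB_PROTOCOLS
class-map type inspect match-all LAN2WAN_ICMP
 match access-group name Lan_Subnets
 match protocol icmp
!
! 4. Policy-map: inspect creates the state that lets return traffic back in;
!    ICMP is additionally policed to 64000 bps with an 8000-byte burst.
!    Everything else from LAN to WAN is dropped and logged.
policy-map type inspect LAN2WAN
 class type inspect LAN2WAN_WEB
  inspect
 class type inspect LAN2WAN_ICMP
  inspect
  police rate 64000 burst 8000
 class class-default
  drop log
!
! 5. Zone-pair LAN -> WAN with the policy applied. No WAN -> LAN pair exists,
!    so traffic initiated from the WAN side is denied.
zone-pair security LAN2WAN source LAN destination WAN
 service-policy type inspect LAN2WAN
!
! 6. Put the interfaces into their zones
interface FastEthernet1/0
 zone-member security LAN
interface FastEthernet1/1
 zone-member security LAN
interface FastEthernet2/0
 zone-member security WAN
```

To verify, `show zone-pair security` confirms the policy binding and `show policy-map type inspect zone-pair sessions` shows the inspected sessions that allow return traffic.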

Verify and show commands

Let's see what happens when you ping from R5 to R3 and from R3 to R5.

Note that the pings from R5 to R3 are fine, however the pings from R3 to R5 are not, and this is the expected behavior according to our zone security. Recall that anything initiated from the "outside" is denied since we did not create a zone-pair for WAN2LAN.


ZFW is flexible in terms of grouping subnets/interfaces together as well as matching based on protocols, and it gives us the ability to get more granular control.

Please comment/subscribe/+1 if you find this article interesting.

Thank you.



  1. nice blog man!

    how is zbf impacting the router cpu?

    keep up the good work!

    1. Thank you.

      It all depends on how much traffic and what all is configured on the device.

  2. Seems like it would be easier to just use a Cisco dedicated firewall like a PIX or ASA. Can't think of any benefit by using a router except it's a cheaper solution. Good job at explaining it though.

    1. I agree with you .. better way is to just get a dedicated firewall :)

    2. Thanks a lot for the insight on ZFW, helped me a lot. It is still kind of tricky to remember all the steps to follow, but I guess with practice I will be able to overcome that.

      Also, I was just hoping if you could give some more insights on basic QoS in the QoS division of your blog.

      Thanks again.

    3. QOS is such an ocean to talk about .. do you have anything particular in mind?