EMAIL SUPPORT
dclessons@dclessons.comLOCATION
AFConfiguring Zone based Firewall
Configuring Zone based Firewall
Below is the steps defined for CLI.
CLI Configuration Procedure:
Create lists of IP prefixes:
vEdge(config)# policy
vEdge(config-policy)# lists data-prefix-list list-name
vEdge(config-data-prefix-list)# ip-prefix prefix/length
Configure a source zone ,this is a group of VPNs from which data traffic flows.
vEdge(config)# policy zone source-zone-name
vEdge(config-zone)# vpn vpn-id
Configure a destination zone, this is a group of VPNs to which data traffic flows.
vEdge(config)# policy zone destination-zone-name
vEdge(config-zone)# vpn vpn-id
Create a zone-based firewall policy:
vEdge(config)# policy zone-based-policy policy-name
vEdge(config-policy-zone-based-policy)#
Create a series of match–action pair sequences:
vEdge(config-zone-based-policy)# sequence number
vEdge(config-sequence)#
Define match parameters for the data traffic:
vEdge(config-sequence-number)# match match-parameter
Define actions to take when a match occurs:
vEdge(config-sequence)# action drop
vEdge(config-sequence)# action inspect
vEdge(config-sequence)# action log
vEdge(config-sequence)# action pass
Define the default action, when data traffic does not match the conditions:
vEdge(config-policy-name)# default-action (drop | inspect | pass)
If you do not include VPN 0 in any of the zones that you configure in a zone-based firewall, by default, packets are able to reach destination zones that are accessible only over the public internet. You can also disallow this traffic.
vEdge(config)# policy zone-to-no-zone-internet (allow | deny)
Create a zone pair, and define the source and destination zones in that pair and the zone-based firewall policy to apply to the flows between those two zones:
vEdge(config)# policy zone-pair pair-name
vEdge(config-zone-pair)# source-zone source-zone-name
vEdge(config-zone-pair)# destination-zone destination-zone-name
vEdge(config-zone-pair)# zone-policy policy-name
Example 1 isolating two VPNs
Here let see the topology, which describes the following and also defines the flow between different VPNs.
Comment
TABLE OF CONTENTS
- Onboarding & Provisioning Configuring Templates
- Authentication between vSmart & vBond
- Authentication between vSmart Controller
- Authentication between vBond & vEdge Router
- Authentication between vEdge Router & vManage NMS
- Authentication between vSmart Controller & vEdge Router
- Viptela Specific Port Terminology
- Configure vManage & Generate Certificate
- Configure vBond & Generate Certificate
- Configure vSmart & Generate Certificate
- Configure vEdge & Generate Certificate
- Secure DataPlane Bringup
- Control Plane & Data Plane Operation - Unicast Routing Overview
- Configuring OMP & Its attributes
- Configure Unicast Overlay Routing
- Routing Configuration Example
- Segmentation Overview
- Configuring Segmentation
- Segmentation Configuration Example
- Data Traffic across Private WANs
- NAT in SDWAN & Data Encryption
- SD-WAN Viptela Policy Overview
- SD-WAN Centralized & Localized Control Policy Overview
- SD-WAN Centralized & Localized Data Policy
- Application – Aware Routing Overview
- Service Chaining
- Traffic Flow Monitoring
- vEdge Router as NAT Device
- Zone Based Firewalls
- Configuring Application Aware Routing
- Configure Centralized Control Policy
- Configuring Centralized Data Policy
- Configuring Cflowd Traffic Monitoring
- Configuring Zone based Firewall
- Service Chaining Configuration Example
- Configuring Service Side NAT
- Configuring Transport side NAT
RECENT POSTS
- How to Prepare for the Microsoft Azure AZ-305 Exam
- AWS Training Certification Course for Solutions Architect
- Cisco SASE Architecture
- SASE vs SD-WAN
- What is SASE
- Accessing Amazon S3 using AWS private Link in Secure hybrid method.
- Cisco Smart Licensing Policy
- Cisco Certification – A Closer Deep-Dive Look
- Cisco DNA-Spaces : Monitoring IOT Network
- Compute in AWS Cloud
LEAVE A COMMENT
Please login here to comment.