topic Turn from reflexive ACLs to Zone-based-Firewall with many VLANs in Network Security

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Stefan Giera — Mon, 11 Mar 2019 21:57:31 GMT

Hi there,

I am new with ZFW and I would appreciate any hints for my network design 😉

I am trying to do the following:

at the moment, I have a router with about 9 VLANs containing workstation-VLAN, printer-VLAN, notebook-VLAN, testlab-VLAN etc etc...

On each of the VLAN-Subinterfaces on my router I have got an own in-ACL and OUT-ACL (extended) with reflect- and evaluate-statements.

In addition I have two uplink-Interfaces (because of redundancy).

Basically the VLANs should be separated from each other, but the ACLs also contain single permits for services/ports/protocols from one VLAN into another VLAN.

I think, the only solution to implement this in ZFW is, to design 9 different zones for the VLANs and 1 zone for the "outside"-Interfaces.

Then I have to create two class-maps resp. policy-maps for each vlan and also two zone-pair statements (in-out and out-in) for each vlan.

Or is it easier to bundle certain services, create a CMAP out of that and apply a certain ACL contain IP-Adresses from all VLANs doing the same service?

e.g.

class-map type inspect match-all cmap_smtp-allow

match access-group name smtp_allow

match protocol smtp

asr_1001#sh access-lists smtp_allow

Extended IP access list smtp_allow

10 permit tcp any host 74.125.39.16 ! smtp.googlemail.com

Do You have any suggestions what does make more sense here?

Thanks,

Stefan

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Julio Carvajal — Wed, 30 Nov 2011 21:26:58 GMT

Hello Stefan,

I do not see why the ZBFW feature cannot be implemented here, in fact as you know ZBFW is really flexible so it will adapt to all your company needs.

Just to let you know if you create 9 different zones, you will need to create a zone pair policy for each different vlan pair that need to comunicate between them.

Please rate helpful posts.

Regards,

Julio

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Stefan Giera — Thu, 01 Dec 2011 05:59:26 GMT

Thank You for Your answer, but that makes it even more complicated...

Let me explain why I am hesitating doing this. For example, I have:

interface Gi1/0.101

desc VLAN 1

ip address 1.1.1.1/24

ip access-group in-vlan1-filter in

ip access-group out-vlan1-filter out

int Gi1/0.102

desc VLAN2

ip address 2.2.2.1/24

ip access-group in-vlan2-filter in

ip access-group out-vlan2-filter out

int Gi1/0.103

desc VLAN3

ip address 3.3.3.1/24

ip access-group in-vlan3-filter in

ip access-group out-vlan3-filter out

=> until now, I had the above named ACLs on each vlan-subinterface, for example:

ip access-list extended out-vlan2-filter

permit tcp host 1.1.1.5 host 2.2.2.15 eq 22

permit udp any host 2.2.2.50 eq 4500

permit tcp host 3.3.3.9 host 2.2.2.22 eq 80

etc...

=> which makes 6 different ACLs in the above case. With ZFW, I need a zone-pair "in-out" and "out-in" for each vlan and additional two zone-pairs for the inter-vlan-communicatio, which makes, in this case, 6 additional zone-pairs (zone-pair "vlan1-vlan2"/"vlan1-vlan3"/"vlan2-vlan1"/"vlan2-vlan3"/"vlan3-vlan1"/"vlan3-vlan2"). So, if I have 9 different VLANs (if my calculation is right), I have 45 different zone-pairs just for inter-vlan-communication.

I just want to ask if there is a easier way 😉

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Julio Carvajal — Thu, 01 Dec 2011 17:28:19 GMT

Hello Stefan,

That is correct if you have 9 different zones you will need a zone-pair for each vlan communication between different zones, the configuration will be longer but ZBFW it is going to be more flexible and you will have more granularity whit your network enviroment.

Other thing you can do is to place some of the vlans on the same zone so they have communication, Vlans on the same zone can comunicate with each other by default.

So in this case you will definetly need to think about if you are looking something easy to perform or something secure and really flexible.

Hope you have a wonderful day.

Regards,

Julio

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Stefan Giera — Thu, 01 Dec 2011 18:02:00 GMT

Hi Julio,

thanks for Your answer, apparently I get it *step by step* 😉

One last question: what happens if there are only zone-pairs "vlan-in"/"vlan-out" for each vlan and the class-maps in there define the matches out of one "global" ACL for this specific VLAN? From the example above:

interface Gi0/0

desc UPLINK

zone-member security zone_outside

interface VLAN 1

ip address 1.1.1.1/24

zone-member security zone_vlan1

int VLAN2

ip address 2.2.2.1/24

zone-member security zone_vlan2

int VLAN3

ip address 3.3.3.1/24

zone-member security zone_vlan3

class-map type inspect match-any cmap-out_vlan2

match access-group name out-vlan2-filter

policy-map type inspect pmap-out_vlan2

class type inspect cmap-out_vlan2

inspect

zone-pair sec zp-out_vlan2 source zone_outside dest zone_vlan2

ip access-list extended out-vlan2-filter

permit tcp host 1.1.1.5 host 2.2.2.15 eq 22 ! comes from zone_vlan1

permit udp any host 2.2.2.50 eq 4500 ! comes from zone_outside

permit tcp host 3.3.3.9 host 2.2.2.22 eq 80 ! comes from zone_vlan3

etc...

=> so for the other vlans, there are zone pairs "zp-in_vlan1" etc, which allow them to go outside.

Will these requests, for example from vlan1 in direction of vlan2, also arrive, through the way "zone_vlan1 --> zone_outside --> zone_outside --> zone vlan2" ??

Or do I have to create the "inter-vlan-zone-pairs" necessary?

Kind regards,

Stefan

Turn from reflexive ACLs to Zone-based-Firewall with many VLANs

Julio Carvajal — Thu, 01 Dec 2011 18:18:58 GMT

Hello Stefan,

My pleasure, you will need the Zone-pairs 100%, without them you are not going to have communication between those vlans, that is the whole purpose of ZBFW.

Please rate helpful posts.

Regards,

Julio