Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
606
Views
0
Helpful
3
Replies

802.1q with ISR IOS firewall

Go to solution
Anish Chauhan
Level 1
Level 1

‎10-16-2012 02:50 PM - edited ‎03-11-2019 05:10 PM

Hi

My basic query is whether a dot1q trunk carrying 2 VLANs (guest wireless and corporate LAN) can still be firewalled using the zone based firewall on an IOS firewall on a 1941 ISR.

Here's more background:

It's for a number of branch sites that will have the ISR as the site WAN router and perimeter firewall, corporate access will go via the WAN MPLS HWIC and internet access will go via an ADSL interface.  The concern is the LAN side.  Whilst the 1941 has 2 onboard LAN interfaces, the guest wireless is combined with corporate wireless so LAN access will need to be via a trunk link and so ultimately the two VLANs need to be separated via firewall rules. 

I know that this wouldn't be an issue on the ASA but I'm not sure whether the zone based firewall on the router would be the same.

Does anyone know whether what I'm trying to acheive is possible on the ISR? I'll try and knock up a diagram and upload if that helps.

Thanks, Anish

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎10-16-2012 09:02 PM

Hello Anish,

It will not present any issue at all.

Remember that you split the router into zones, so even if you have more than one subnet or vlan behind an interface you can still apply the right security policies to the zone with no issues at all.

Any other question..Sure..Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎10-16-2012 09:02 PM

Hello Anish,

It will not present any issue at all.

Remember that you split the router into zones, so even if you have more than one subnet or vlan behind an interface you can still apply the right security policies to the zone with no issues at all.

Any other question..Sure..Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
Anish Chauhan
Level 1
Level 1
In response to Julio Carvajal

‎10-17-2012 02:16 PM

Super thanks Julio.  It may be a while before I can test it out but thanks for your speedy response to the question.

Best, Anish

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to Anish Chauhan

‎10-17-2012 02:20 PM

Hello Anish,

My pleasure to help,

Let us know the result

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card