cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
622
Views
0
Helpful
3
Replies

802.1q with ISR IOS firewall

Anish Chauhan
Level 1
Level 1

Hi

My basic query is whether a dot1q trunk carrying 2 VLANs (guest wireless and corporate LAN) can still be firewalled using the zone based firewall on an IOS firewall on a 1941 ISR.

Here's more background:

It's for a number of branch sites that will have the ISR as the site WAN router and perimeter firewall, corporate access will go via the WAN MPLS HWIC and internet access will go via an ADSL interface.  The concern is the LAN side.  Whilst the 1941 has 2 onboard LAN interfaces, the guest wireless is combined with corporate wireless so LAN access will need to be via a trunk link and so ultimately the two VLANs need to be separated via firewall rules. 

I know that this wouldn't be an issue on the ASA but I'm not sure whether the zone based firewall on the router would be the same.

Does anyone know whether what I'm trying to acheive is possible on the ISR? I'll try and knock up a diagram and upload if that helps.

Thanks, Anish

1 Accepted Solution

Accepted Solutions

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Anish,

It will not present any issue at all.

Remember that you split the router into zones, so even if you have more than one subnet or vlan behind an interface you can still apply the right security policies to the zone with no issues at all.

Any other question..Sure..Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Anish,

It will not present any issue at all.

Remember that you split the router into zones, so even if you have more than one subnet or vlan behind an interface you can still apply the right security policies to the zone with no issues at all.

Any other question..Sure..Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Super thanks Julio.  It may be a while before I can test it out but thanks for your speedy response to the question.

Best, Anish

Hello Anish,

My pleasure to help,

Let us know the result

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Review Cisco Networking for a $25 gift card