ASR 1000 ZBF

JIRI GRYGAREK
Level 1

I have two questions about ZBF on ASR1000 with Firewall and Flexible Packet Inspection license:

1. Is IPv6 supported?

2. Can I use a police action in an inspect rule? I want to limit some protocols to low bandwidth. There is no police command in the ZBF policy map.

Thank you for your answer. Regards, Jiri Grygarek

7 Replies

padatta
Level 1

Hi,

1. Yes, IPv6 is supported by ZBFW. Here is a reference.

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-sec_trfltr_fw.html#wp1072369

2. Yes, to an extent. For your reference:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html#wp1121777

(Check under 'Rate Limiting (Policing) Traffic Within a Layer 3 and Layer 4 Policy Map')

Best Regards,

Paps
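A worked configuration for the policing reference in the reply above, added here as an illustration; it is not taken from the post or from Cisco's guide. It uses the classic IOS 12.4T ZBF syntax the linked section describes, with assumed zone names, interface names, protocols and rates. As the thread notes, the police action under an inspect class is absent on the asker's IOS XE 15.0(1)S1 image, so it only applies where the platform offers it.

```cisco
! Traffic to be rate-limited. On this platform "match protocol" classifies
! by well-known port (L4), as observed later in the thread, so any TCP/5060
! flow lands in this class regardless of the actual application.
class-map type inspect match-any LOW-BW-PROTOS
 match protocol sip
 match protocol ftp

! Everything else that should simply be stateful-inspected.
class-map type inspect match-any GENERAL
 match protocol tcp
 match protocol udp
 match protocol icmp

policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect LOW-BW-PROTOS
  inspect
  ! police is accepted only under an inspect class: rate in bps, burst in bytes
  ! (assumed values: 64 kbps with an 8000-byte burst)
  police rate 64000 burst 8000
 class type inspect GENERAL
  inspect
 class class-default
  drop

! Zones, zone pair and interface membership (assumed names).
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE

interface GigabitEthernet0/0/0
 zone-member security INSIDE
interface GigabitEthernet0/0/1
 zone-member security OUTSIDE
```

Verify with `show policy-map type inspect zone-pair IN-OUT sessions`, which also shows the session table where each flow's classified protocol is listed.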

Thank you, but it seems that your answer concerns IOS 12.4, and we use IOS XE: Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.0(1)S1

Could you please confirm that this IOS is also IPv6 ZBF capable? Our basic testing indicates that IPv6 traffic passes without inspection.

We are also not able to find IPv6 ZBF in the Cisco Feature Navigator for IOS XE.

Hi,

The ASR platform currently does not support IPv6 Zone Based Firewall as of IOS-XE release 3.2 (15.1(1)S). The feature support is being scoped out, but there is no firm release date at this point yet. Hope this helps.

Thanks,

Wen

Thank you for the quick response.

Our testing leads to some other questions:

It seems that ZBF protocol inspection goes only to L4. If we put 'match protocol sip' into the class-map, we are able to connect to an HTTP server running on port 5060. In the session table we can see this connection as SIP.

We thought that ZBF uses NBAR for application recognition, but now it inspects only L4. Is there any way to enable L7 protocol recognition?

We have a Flexible Packet Inspection license; what is it for?

In a QoS class-map, many more protocols are recognized via the match protocol command than in a class-map type inspect for ZBF. What is the reason for this difference? Are both of them using NBAR?

Thank you for sharing your experiences.

Hi,

SIP ALG and AIC are only supported on the ISR platforms after 12.4(20)T. On the ASR, we currently only support SIP ALG (pinhole creation), and not AIC (application inspection and control). If the protocol is not SIP on port 5060, then the traffic is simply passed as you have observed, but it shouldn't mark the connection as SIP IMO. You may want to open a TAC case on that to have it investigated.

Sorry I don't know the answers to your other questions.

Thanks,

Wen

Does the ASR platform support IPv6 Zone Based Firewall now with the latest IOS XE 15.1(3)S1?

Thanks,

Best Regards,

Marc

Hi Marc,

Not yet, but it's in the pipeline. Next year probably; you can contact your Cisco account team for more info from the devs on it.

Varun

Thanks,
Varun Rao