07-12-2013 03:15 AM - edited 03-11-2019 07:11 PM
Hi everyone,
I would like to inquire on how to deploy Cisco 2911 ISR routers to act as a firewall to protect segments of my network. We have more than 10 units of the said router at our branches, and I would like to ask how I can make it a firewall. It is running IOS with the sec/k9 license.
Hope that anyone can help me with my problem.
Thank you very much in advance
Best Regards,
Jayson Cruz
07-12-2013 04:46 AM
ZBFW (zone-based firewall) is the answer. Cisco docs will help you on how to work with the feature.
07-14-2013 04:34 PM
Hi Andrew,
Thank you for your reply. If it is not too much to ask, may I ask for your help in getting a copy/link to such Cisco documents? I am currently a newbie in the field of firewalling, such as on this Cisco 2911 ISR with the sec/k9 license.
Thank you very much and your assistance is very much appreciated.
Best Regards,
Jayson
07-14-2013 06:11 PM
Hi Jayson,
Just want to add some really useful links (the one mentioning the self zone was written by me):
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
https://supportforums.cisco.com/docs/DOC-27487
https://supportforums.cisco.com/docs/DOC-34539
If you speak Spanish, the link below is a blog that talks about ZBFW in detail.
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura
07-14-2013 09:46 PM
Hi Julio,
Thank you very much for your support.
Best Regards,
Jayson
Sent from Cisco Technical Support Android App
07-14-2013 11:55 PM
Hello,
Sure, any other questions you have?
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura
07-15-2013 02:16 AM
Hello Julio,
Thank you for your answer, I am starting to be enlightened with this topic.
Yes, I have another question: may I ask if I need to implement zone pairs when doing zone-based firewall between different sites?
Sent from Cisco Technical Support Android App
07-15-2013 08:43 AM
Hello Jayson,
No, ZBFW is independent on each site.
So if you decide to implement ZBFW at 2 different sites on 2 different routers,
you will only need to set the zone pairs between the interfaces on the SAME router.
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura
07-15-2013 11:56 AM
Hello my friend Julio,
Thank you for all your inputs; it has been a great learning experience for me. I wonder if the zone-based firewall can be configured for HA (high availability) in active/active mode.
I just recently found out that the requirement is to configure IOS FW on two routers connected via iBGP, with each router having a different eBGP peering and redundant to each other.
Oh, and by the way, I just tried your blog/forum; however, I can't understand what's written on it since it is not in English, but nonetheless I think it is very educational.
Best Regards,
Jayson
Sent from Cisco Technical Support Android App
07-15-2013 12:42 PM
Hello Jayson,
Here is a link for the failover cluster for ZBFW (it's supported):
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_zbf/configuration/15-2mt/sec-data-zbf-ha.html
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura
07-15-2013 06:19 PM
Hi Julio,
My apologies, but can I assign different zones to different subinterfaces?
I'm so sorry for causing you so much trouble.
Best regards,
Jayson
Sent from Cisco Technical Support Android App
07-15-2013 08:23 PM
Hello,
Yes, you can.
Do not worry, Jayson. Here to help.
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura
07-15-2013 08:53 PM
Hello,
What will happen if some of the subinterfaces are not assigned to a zone? Can they still route traffic out of the service provider port configured to be in the public zone?
Thank you very much!
Best regards,
Jayson
Sent from Cisco Technical Support Android App
07-16-2013 09:00 AM
Hello,
Traffic from an interface that does not belong to a zone to an interface that belongs to one will not be allowed (and vice versa).
So if you set the ISP interface into a zone, the subinterface must be placed into one too.
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura
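Added example configuration, written for this thread and not taken from any post or from Cisco's documentation, that puts the rule in the reply above into practice on a single 2911: two 802.1Q subinterfaces in a LAN zone, the ISP uplink in a WAN zone, a stateful LAN-to-WAN policy, and a third subinterface deliberately left without a zone to show what gets dropped. All interface names, VLAN IDs, addresses and zone/policy names are assumptions chosen for illustration.

```cisco
! Added example (not from the thread): zone-based firewall on one 2911 with
! 802.1Q subinterfaces. Interface names, VLAN IDs, addresses and zone names
! are assumptions chosen for illustration.
!
! 1. Define the zones. The "self" zone (the router's own control plane)
!    exists implicitly and is not created here.
zone security LAN
 description Branch user VLANs
zone security WAN
 description Service-provider uplink
!
! 2. Describe the traffic the LAN side may initiate towards the WAN.
class-map type inspect match-any LAN-TO-WAN-CMAP
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! 3. Stateful policy: inspected traffic gets its return flow back
!    automatically; anything else in this direction is dropped and logged.
policy-map type inspect LAN-TO-WAN-PMAP
 class type inspect LAN-TO-WAN-CMAP
  inspect
 class class-default
  drop log
!
! 4. Bind the policy to a direction. No WAN->LAN zone pair is created, so
!    connections initiated from the WAN side are dropped by default.
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN-PMAP
!
! 5. Put interfaces into zones. Each subinterface is a zone member in its
!    own right; membership is not inherited from the physical interface.
interface GigabitEthernet0/0
 description ISP uplink
 ip address 203.0.113.2 255.255.255.252
 zone-member security WAN
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.0.2.1 255.255.255.128
 zone-member security LAN
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.0.2.129 255.255.255.128
 zone-member security LAN
!
! VLAN 10 and VLAN 20 are both in LAN, so traffic between them passes
! without any policy (same-zone traffic is allowed by default).
!
! Gi0/1.30 is deliberately left without "zone-member security". As the
! reply above explains, once Gi0/0 is a zone member, hosts on VLAN 30 can
! no longer reach the WAN (nor VLANs 10/20): traffic between a zoned and an
! unzoned interface is dropped. Add "zone-member security LAN" here, or
! give it its own zone plus a zone pair, to restore connectivity.
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 198.51.100.1 255.255.255.0
!
! Verification (exec mode):
!  show zone security                                - interface -> zone mapping
!  show zone-pair security                           - zone pairs and their policies
!  show policy-map type inspect zone-pair sessions   - active inspected flows
```

The `show zone security` output is the quickest way to answer the question in the post before this one: any subinterface that is missing from every zone listed there will have its traffic to zoned interfaces dropped.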
07-22-2013 01:56 PM
Hi Julio,
Good day, it's me again. My apologies for bothering you again. May I ask for your advice regarding the setup of my IOS zone-based firewall on 2911 routers?
I have 2 2911 branch routers with BGP peering on WAN links to reach the branch. On the LAN interfaces of the said branch routers are the LAN segments, configured via subinterfaces and running HSRP with the other branch router.
How would I implement the zone-based firewall with HA without having drops because of asymmetric routing? I'm sorry, since the configuration guide that you sent me has so many options and configurations that I tend to be confused about which one is another option and which one is part of the previous procedure. I hope you could help me with this one, as I need to implement it within this week.
Thank you very much, and I'm sorry for bothering you.
Thank you very much!
Jayson
Sent from Cisco Technical Support Android App