Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
491
Views
0
Helpful
1
Replies

ZBF: Assign zone to interface via Cisco AV Pair

Steven Mills
Level 1
Level 1

‎09-02-2014 04:29 AM - edited ‎03-12-2019 06:07 PM

Hello,

I am terminating ADSL connections via an L2TP tunnel from a service provider and have configured Cisco AV Pairs to assign incoming sessions into different VRFs based on the username of the remote router. I am also using Zone Based Firewall configuration and need to also assign the created virtual access interface into a zone in the same manner as I am assigning VRFs.

I am assigning VRFs like so:

Cisco-AVpair+=ip:vrf-id=<vrf-name>

I have tried assigning a zone with the following configuration but with no luck:

Cisco-AVpair+=ip:interface-config=zone-member security <zone-name>

Cisco-AVpair+=lcp:interface-config=zone-member security <zone-name>

I have looked around but am unable to find a definitive list of Cisco AV Pairs to determine if there is one suitable specifically to assign a zone or a more generic AV Pair that can assign arbitrary configuration.

Any help appreciated.

Thanks.

Labels:
0 Helpful
1 Reply 1

Steven Mills
Level 1
Level 1

‎09-04-2014 04:10 AM

For anyone else who has a similar issue, I raised the issue with Cisco TAC and the solution was to use a Cisco AVpair of

lcp:interface-config=zone security <zonename>

I also had to add:

aaa policy interface-config allow-subinterface

Once I did this it worked a treat.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card