
ZBFW Self Zone and Default Zone

UncleJP
Level 1

Studying for ENCOR, I ran across the material below. Is it possible to take an interface out of the self zone? I would imagine that if you couldn't, there would be no use for a default zone. Also, can an interface be in multiple zones?

 

Any input is appreciated

Jason

 

The Self Zone
The self zone is a system-level zone and includes all the router's IP addresses. By
default, traffic to and from this zone is permitted to support management (for
example, SSH protocol, SNMP) and control plane (for example, EIGRP, BGP)
functions.
After a policy is applied to the self zone and another security zone, interzone
communication must be explicitly defined.


The Default Zone
The default zone is a system-level zone, and any interface that is not a member of
another security zone is placed in this zone automatically.
When an interface that is not in a security zone sends traffic to an interface that is
in a security zone, the traffic is dropped. Most network engineers assume that a
policy cannot be configured to permit these traffic flows, but it can, if you enable
the default zone. Upon initialization of this zone, any interface not associated to a
security zone is placed in this zone. When the unassigned interfaces are in the
default zone, a policy map can be created between the two security zones.
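The configuration below is an added example, not part of the original post or the ENCOR text, showing the three pieces the quoted material describes on an IOS/IOS-XE router: two ordinary zones (INSIDE, OUTSIDE) where each interface is a member of exactly one zone; zone-pairs against the built-in self zone, which governs traffic to and from the router's own addresses regardless of which zone an interface is placed in; and the default zone, enabled with `zone security default`, which picks up any interface that has no zone-member statement so that a policy can be written for it. The interface names, zone names, the 10.0.0.0/24 management subnet and the choice of protocols are assumptions for illustration.

```cisco
! Added example: zone-based firewall with self zone and default zone policies.
! Interface names, zone names and the 10.0.0.0/24 management subnet are assumed.
!
! --- Security zones: an interface can be a member of only one of these ---
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN
 zone-member security OUTSIDE
! GigabitEthernet0/2 intentionally has no zone-member statement; it will land in
! the default zone once that zone is enabled below.
!
! --- Self zone: traffic addressed TO or sourced FROM the router itself ---
! Management (SSH/SNMP) only from the management subnet on the INSIDE zone.
ip access-list extended MGMT-HOSTS
 permit ip 10.0.0.0 0.0.0.255 any
class-map type inspect match-any MGMT-PROTOCOLS
 match protocol ssh
 match protocol snmp
class-map type inspect match-all MGMT-TO-SELF
 match access-group name MGMT-HOSTS
 match class-map MGMT-PROTOCOLS
! EIGRP (IP protocol 88) is not TCP/UDP, so it cannot be inspected statefully;
! it must be passed explicitly in BOTH directions or adjacencies drop.
ip access-list extended EIGRP-PKTS
 permit eigrp any any
class-map type inspect match-all EIGRP
 match access-group name EIGRP-PKTS
!
policy-map type inspect INSIDE-TO-SELF
 class type inspect MGMT-TO-SELF
  inspect
 class type inspect EIGRP
  pass
 class class-default
  drop log
policy-map type inspect SELF-TO-INSIDE
 class type inspect EIGRP
  pass
 class class-default
  drop log
! Once a policy exists between INSIDE and self, anything not listed above is
! dropped, so both directions are defined here rather than relying on defaults.
zone-pair security INSIDE-SELF source INSIDE destination self
 service-policy type inspect INSIDE-TO-SELF
zone-pair security SELF-INSIDE source self destination INSIDE
 service-policy type inspect SELF-TO-INSIDE
! Close the WAN side of the router itself: no management from OUTSIDE.
! Any protocol the router must accept from the WAN (e.g. a BGP peer) needs its
! own class in this policy before the class-default drop.
policy-map type inspect OUTSIDE-TO-SELF
 class class-default
  drop log
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
!
! --- Default zone: interfaces that are members of no security zone ---
! Without this, Gi0/2 -> INSIDE traffic is silently dropped and no policy can
! reference it. Enabling the zone makes it a valid zone-pair endpoint.
zone security default
class-map type inspect match-any WEB
 match protocol http
 match protocol https
policy-map type inspect DEFAULT-TO-INSIDE
 class type inspect WEB
  inspect
 class class-default
  drop log
zone-pair security DEFAULT-INSIDE source default destination INSIDE
 service-policy type inspect DEFAULT-TO-INSIDE
```

To check the result, `show zone security` lists every zone with its member interfaces (Gi0/2 should appear under the default zone, and no interface appears under self, because self is defined by the router's addresses rather than by membership), `show zone-pair security` confirms the pairs and attached policies, and `show policy-map type inspect zone-pair` shows per-class hit and drop counters, which is the quickest way to spot a routing protocol being dropped by a class-default on a self-zone pair.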

Hi,

The "self" zone only controls traffic destined "to" or "from" one of the router's interfaces, usually for mgmt purposes. All router interfaces are part of the self zone.

 

The other zones are used when controlling traffic "through" the router, i.e. from "inside" zone to "outside" zone. An interface can only be a member of one security zone.

 

HTH


Thank you for the response.

"An interface can only be a member of one security zone."
So, an interface cannot be a part of the self zone AND another zone, correct?