Re: Zone-based Policy Firewalls and Subinterfaces

thralkhan · ‎10-25-2012

I was posed a question and am not sure of the answer.

Can you assigne separate zones to subinterfaces on the same intface with ZPF?

In other words, if I have 3 subinterfaces leaving one physical interface on a router, can I have 3 separate zones?

The rule states that there can be only one zone per interface, but is that physical, virtual, or either?

Thanks

Julio Carvajal · ‎10-25-2012

Hello Dean,

Yes you can setup that ( one zone per sub-interface)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

leonardomachado · ‎02-28-2013

Hi jcarvaja,

I have a similar question, but in another way:

I have 2 sub interface in a single physical interface.

If I set this PHYSICAL interface into a zone, will the zone policies be valid for all sub interfaces? Or do I have to explicitly set each sub interface to the same zone?

Thanks,

Leo.

Andrew Phirsov · ‎02-28-2013

You have to explicitly allocate each subinterface to a certain zone.

shanegmason10227 · ‎11-13-2019

How is that done?

Matt Wilson · ‎11-17-2019

Create your zones:

zone security lan1
zone security lan2
zone security lan3
...

On your sub interfaces:

!
interface GigabitEthernet0/1.1
 zone-member security lan1
!
interface GigabitEthernet0/1.2
 zone-member security lan2
!
interface GigabitEthernet0/1.3
 zone-member security lan3
!
...

Simples!

shanegmason10227 · ‎11-17-2019

Thanks much, appreciate it.

I realise the issue was a limitation with packet tracer. Packet tracert do
not have the zone member command for sub interfaces.

shanegmason10227 · ‎11-13-2019

Can you provide more details or steps into how to achieve this/?