
Zone-based Policy Firewalls and Subinterfaces

I was posed a question and am not sure of the answer.

Can you assign separate zones to subinterfaces on the same interface with ZPF?

In other words, if I have 3 subinterfaces leaving one physical interface on a router, can I have 3 separate zones?

The rule states that there can be only one zone per interface, but is that physical, virtual, or either?

Thanks


Zone-based Policy Firewalls and Subinterfaces

Hello Dean,

Yes, you can set that up (one zone per sub-interface).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Zone-based Policy Firewalls and Subinterfaces

Hi jcarvaja,

I have a similar question, but in another way:

I have 2 sub interfaces in a single physical interface.

If I set this PHYSICAL interface into a zone, will the zone policies be valid for all sub interfaces? Or do I have to explicitly set each sub interface to the same zone?

Thanks,

Leo.


Zone-based Policy Firewalls and Subinterfaces

You have to explicitly allocate each subinterface to a certain zone.


Re: Zone-based Policy Firewalls and Subinterfaces

How is that done?


Re: Zone-based Policy Firewalls and Subinterfaces

Create your zones:

zone security lan1
zone security lan2
zone security lan3
...

On your sub interfaces:

!
interface GigabitEthernet0/1.1
 zone-member security lan1
!
interface GigabitEthernet0/1.2
 zone-member security lan2
!
interface GigabitEthernet0/1.3
 zone-member security lan3
!
...

Simples!
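
An offline check for the rule given in this thread, that every subinterface needs its own zone-member line and does not inherit one from the physical port. It is an added example, not part of any post. The sample config, its VLAN IDs and the function names `parse_zone_members` and `audit` are constructed for illustration.

```python
import re

# Constructed sample (not from the thread): parent zoned, .2 uses an undefined zone, .3 has none.
SAMPLE_CONFIG = """\
zone security lan1
!
interface GigabitEthernet0/1
 zone-member security lan1
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 10
 zone-member security lan1
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 20
 zone-member security lan2
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 30
"""

def parse_zone_members(config):
    """Return (defined zones, {interface name: zone or None}) from IOS config text."""
    zones, members, current = set(), {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # any top-level line ends the previous interface block
            if m := re.match(r"zone security (\S+)", line):
                zones.add(m.group(1))
            elif m := re.match(r"interface (\S+)", line):
                current = m.group(1)
                members[current] = None
        elif current and (m := re.match(r"\s+zone-member security (\S+)", line)):
            members[current] = m.group(1)
    return zones, members

def audit(config):
    """Flag subinterfaces (names containing '.') with no zone or an undefined zone."""
    zones, members = parse_zone_members(config)
    findings = {}
    for name, zone in members.items():
        if "." in name and zone is None:
            findings[name] = "no zone-member statement"
        elif "." in name and zone not in zones:
            findings[name] = f"zone {zone} is not defined"
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

The zone-member line on the parent `GigabitEthernet0/1` is deliberately ignored when judging its subinterfaces, which is why `.3` is still reported.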



Re: Zone-based Policy Firewalls and Subinterfaces

Thanks much, appreciate it.

I realise the issue was a limitation with Packet Tracer. Packet Tracer does
not have the zone member command for sub interfaces.

Re: Zone-based Policy Firewalls and Subinterfaces

Can you provide more details or steps into how to achieve this?