Zone-member security Question?

csc010627097 (Level 1)

Hi guys, if I configure some sub-interfaces on my router (let's say G0/0.2, G0/0.3, etc.) and they belong to my inside network, where should I apply the "zone-member security inside" command? On G0/0, or on each sub-interface that has traffic to protect?

Thanks

Regards

2 Replies

Jennifer Halim (Cisco Employee)

It should be on the sub-interfaces, because each sub-interface belongs to a different subnet.

Hi Bro

From what I've understood from your question, you said that both sub-interfaces cater for the inside users, but I'm guessing they are assigned to different groups of users/VLANs, e.g. VLAN 10 for users in Level 1 and VLAN 20 for users in Level 2, etc.

If that's the case, then I would apply the "zone-member security XXX" command on each of the sub-interfaces. A sample is shown below:

!
class-map type inspect match-any CM_TEST
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM_TEST
 class type inspect CM_TEST
  inspect
!
zone security inside-vlan10
zone security inside-vlan20
!
! This pair inspects sessions initiated from inside-vlan10 towards inside-vlan20
zone-pair security ZP_TEST source inside-vlan10 destination inside-vlan20
 service-policy type inspect PM_TEST
!
! The interface-level command is "zone-member security"; each sub-interface is assigned on its own
interface GigabitEthernet0/0.10
 description -- LAN Users in Level 1 --
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 zone-member security inside-vlan10
!
interface GigabitEthernet0/0.20
 description -- LAN Users in Level 2 --
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 zone-member security inside-vlan20
!

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
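The replies above make one point: zone membership is per interface, so every sub-interface that should be firewalled needs its own "zone-member security" line. A quick way to check a running-config for exactly this mistake is to parse it and flag addressed interfaces that sit in no zone, zone-members placed on a parent interface whose sub-interfaces are not covered, zone-pairs that reference undefined zones or policy-maps, and zone-pairs with no reverse pair (sessions initiated from the destination zone are dropped). The script below is an added example, not code from the original thread or from Cisco; the config text it audits is a constructed sample that reuses the zone and policy names from the answer above and adds a parent-interface zone-member on G0/0 and an unzoned G0/0.30 to show the findings.

```python
"""Audit an IOS zone-based firewall config for interfaces left out of a zone."""
import re

# Constructed sample running-config (not from the original post). Two VLAN
# sub-interfaces are in their own zones; G0/0.30 has an address but no
# zone-member, and a zone-member sits on the parent interface G0/0.
SAMPLE_CONFIG = """\
!
class-map type inspect match-any CM_TEST
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM_TEST
 class type inspect CM_TEST
  inspect
!
zone security inside-vlan10
zone security inside-vlan20
zone-pair security ZP_TEST source inside-vlan10 destination inside-vlan20
 service-policy type inspect PM_TEST
!
interface GigabitEthernet0/0
 no ip address
 zone-member security inside-vlan10
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 zone-member security inside-vlan10
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 zone-member security inside-vlan20
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.10.30.1 255.255.255.0
!
"""


def parse_blocks(text):
    """Split IOS-style config into (header, [indented child lines]) pairs."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith(" "):  # child line of the current block
            if current is not None:
                current[1].append(line.strip())
            continue
        current = (line, [])
        blocks.append(current)
    return blocks


def audit_zones(text):
    """Return ({interface: zone or None}, [finding strings])."""
    zones, policies, interfaces, pairs = set(), set(), {}, []
    for header, body in parse_blocks(text):
        if m := re.fullmatch(r"zone security (\S+)", header):
            zones.add(m.group(1))
        elif m := re.fullmatch(r"policy-map type inspect (\S+)", header):
            policies.add(m.group(1))
        elif m := re.fullmatch(r"zone-pair security (\S+) source (\S+) destination (\S+)", header):
            policy = None
            for child in body:
                if pm := re.fullmatch(r"service-policy type inspect (\S+)", child):
                    policy = pm.group(1)
            pairs.append((m.group(1), m.group(2), m.group(3), policy))
        elif m := re.fullmatch(r"interface (\S+)", header):
            interfaces[m.group(1)] = body

    membership, findings = {}, []
    for name, body in interfaces.items():
        zone, has_ip = None, False
        for child in body:
            if zm := re.fullmatch(r"zone-member security (\S+)", child):
                zone = zm.group(1)
            elif re.match(r"ip address \S+", child):  # does not match "no ip address"
                has_ip = True
        membership[name] = zone
        is_parent = any(other.startswith(name + ".") for other in interfaces)
        if zone and zone != "self" and zone not in zones:
            findings.append(f"{name}: zone-member references undefined zone {zone}")
        if has_ip and zone is None:
            findings.append(f"{name}: addressed interface with no zone-member; "
                            "traffic to or from zoned interfaces is dropped")
        if is_parent and zone:
            findings.append(f"{name}: zone-member on the parent interface does not "
                            "cover its sub-interfaces; assign each one separately")
    for pname, src, dst, policy in pairs:
        for z in (src, dst):
            if z != "self" and z not in zones:
                findings.append(f"zone-pair {pname}: undefined zone {z}")
        if policy is None:
            findings.append(f"zone-pair {pname}: no service-policy, traffic is dropped")
        elif policy not in policies:
            findings.append(f"zone-pair {pname}: undefined policy-map {policy}")
        if not any(s == dst and d == src for _, s, d, _ in pairs):
            findings.append(f"zone-pair {pname}: no reverse pair {dst} -> {src}; "
                            f"sessions initiated from {dst} are dropped")
    return membership, findings


if __name__ == "__main__":
    members, problems = audit_zones(SAMPLE_CONFIG)
    for intf, zone in members.items():
        print(f"{intf:28} {zone or '(no zone)'}")
    for problem in problems:
        print("WARNING:", problem)
```

Feed it the output of "show running-config" saved to a file; the parser only needs the one-space IOS indentation to tell child lines from block headers. The reverse-pair finding is informational: with a single inside-vlan10 to inside-vlan20 pair, return traffic for inspected sessions is allowed, but anything a VLAN 20 host initiates towards VLAN 10 is dropped until a second pair is added.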