06-28-2012 10:26 AM - edited 02-21-2020 04:40 AM
Hi guys, if I configure some sub-interfaces on my router (let's say G0/0.2, G0/0.3, etc.) and they belong to my inside network, where should I apply the zone-member security inside command? On G0/0, or on each sub-interface on which I have traffic to protect?
Thanks
Regards
06-30-2012 09:16 PM
It should be on the sub-interfaces, because each sub-interface belongs to a different subnet.
07-20-2012 11:22 AM
Hi Bro
From what I've understood from your question, both sub-interfaces cater for the inside users, but I'm guessing they are assigned to different groups of users/VLANs, e.g. VLAN 10 for users on Level 1, VLAN 20 for users on Level 2, etc.
If that's the case, then I would apply the "zone-member security XXX" command on each of the sub-interfaces. A sample is shown below:
!
class-map type inspect match-any CM_TEST
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM_TEST
 class type inspect CM_TEST
  inspect
!
! Zones are defined globally with "zone security"; interfaces join them
! with "zone-member security" (not "zone security").
zone security inside-vlan10
zone security inside-vlan20
zone-pair security ZP_TEST source inside-vlan10 destination inside-vlan20
 service-policy type inspect PM_TEST
!
interface GigabitEthernet0/0.10
 description -- LAN Users in Level 1 --
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 zone-member security inside-vlan10
!
interface GigabitEthernet0/0.20
 description -- LAN Users in Level 2 --
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 zone-member security inside-vlan20
!
P/S: If you think this comment is useful, please do rate it nicely :-)
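As an added example (not part of the thread above), here is a small Python audit script that checks an IOS config for the mistake both replies are guarding against: a sub-interface that carries an IP address but is not a zone member. In zone-based firewall, traffic between a zone-member interface and an interface in no zone is dropped by default, so forgetting the zone-member line on one sub-interface silently isolates that VLAN. The script also flags zone-member and zone-pair lines that reference a zone never defined with "zone security". The config it parses is constructed inline, modelled on the sample above, with a third sub-interface G0/0.30 deliberately left out of any zone; the parser only understands these few commands and is not a general IOS config parser.

```python
"""Audit a Cisco IOS zone-based firewall (ZBF) config for zone-membership gaps.

Added example, not code from the original thread. It parses a constructed
IOS running-config (SAMPLE_CONFIG below) and reports:
  * (sub)interfaces that carry an IP address but no `zone-member security`
    line (such interfaces cannot exchange traffic with zoned interfaces), and
  * zone-member or zone-pair commands that reference zones never defined
    with `zone security`.
The parser only understands the handful of commands used here.
"""
import re

# Constructed sample config: G0/0.10 and G0/0.20 are zoned correctly,
# G0/0.30 has an IP but no zone-member line (the mistake this audit catches),
# and the parent G0/0 carries no IP, so it needs no zone membership.
SAMPLE_CONFIG = """\
!
zone security inside-vlan10
zone security inside-vlan20
zone-pair security ZP_TEST source inside-vlan10 destination inside-vlan20
 service-policy type inspect PM_TEST
!
interface GigabitEthernet0/0
 no ip address
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 zone-member security inside-vlan10
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 zone-member security inside-vlan20
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.10.30.1 255.255.255.0
!
"""


def parse_config(text):
    """Return (zones, interfaces, zone_pairs) parsed from IOS config text.

    zones:      set of names defined by `zone security NAME`
    interfaces: dict name -> {"ip": bool, "zone": str or None}
    zone_pairs: list of (pair_name, source_zone, dest_zone)
    """
    zones = set()
    interfaces = {}
    zone_pairs = []
    current = None  # interface block currently being parsed, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"ip": False, "zone": None}
            continue
        if not line.startswith(" "):
            current = None  # any unindented line ends the interface block
            m = re.match(r"^zone security (\S+)$", line)
            if m:
                zones.add(m.group(1))
                continue
            m = re.match(r"^zone-pair security (\S+) source (\S+) destination (\S+)$", line)
            if m:
                zone_pairs.append(m.groups())
            continue
        if current is None:
            continue  # indented line under something other than an interface
        sub = line.strip()
        if re.match(r"^ip address \d", sub):
            interfaces[current]["ip"] = True
        m = re.match(r"^zone-member security (\S+)$", sub)
        if m:
            interfaces[current]["zone"] = m.group(1)
    return zones, interfaces, zone_pairs


def audit(text):
    """Return a sorted list of finding strings for the given config text."""
    zones, interfaces, zone_pairs = parse_config(text)
    findings = []
    for name, info in sorted(interfaces.items()):
        if info["ip"] and info["zone"] is None:
            findings.append(f"{name}: has an IP address but no zone-member security")
        if info["zone"] is not None and info["zone"] not in zones:
            findings.append(f"{name}: zone-member references undefined zone {info['zone']}")
    for pair, src, dst in zone_pairs:
        for z in (src, dst):
            if z != "self" and z not in zones:  # "self" is built in, never defined
                findings.append(f"zone-pair {pair}: references undefined zone {z}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against a real box by pasting the output of `show running-config` into a file and calling `audit()` on its contents; the `ip address` and `zone-member security` checks are the ones that matter for the question in this thread, since they are evaluated per sub-interface, which is exactly where the zone-member command has to live.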