SD-WAN Security Self-Zone

Hi

Since version 16.12/19.2, the Self-Zone feature is supported.

Are there best practices for this configuration? Which source, protocol, etc.?

Cisco Employee

Re: SD-WAN Security Self-Zone

In my personal opinion, there are no "one size fits all" Self-Zone security recommendations, because all deployments are different, except:

- Don't forget to allow your data plane traffic: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/cisco-sd-wan-overlay-network-bringup.html#c_Firewall_Ports_for_Viptela_Deployments_8690.xml

- Please don't block ICMP, especially Type 3 Code 4, to avoid breaking PMTUD.

- If you defined self-to-zoneX, don't forget to define zoneX-to-self, even if you won't allow anything.

- Don't forget about your routing protocols in the transport VPN (VPN 0, aka GRT).
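The four points in the reply above map onto a zone-based firewall (ZBF) policy for the router's self zone. The configuration below is an added illustration written for this page, not code from the original thread, from the replier, or from Cisco documentation; it is the IOS XE CLI equivalent of what a vManage security policy (or a CLI add-on template) would generate. Assumptions that are not in the original post: the transport (VPN 0) interface is GigabitEthernet0/0/0 in a zone named OUTSIDE, the routing protocols in VPN 0 are BGP and OSPF, and the UDP 12346-12445 / TCP 23456-23555 ranges are the DTLS, TLS and IPsec data-plane ports as I recall them from the linked "Firewall Ports" document; verify every port range against that document (and your port-hopping/offset settings) before deploying.

```ios
! --- Added example (not from the original post): self-zone ZBF for an SD-WAN edge in VPN 0
! Zone names and interface are assumptions; the "self" zone exists by default.
zone security OUTSIDE

interface GigabitEthernet0/0/0
 description VPN 0 transport (assumed interface)
 zone-member security OUTSIDE

! Tip 1: control and data plane. Port ranges are assumptions; check the linked ports document.
ip access-list extended ACL-SDWAN-TUNNELS
 remark DTLS control connections and IPsec data plane (UDP), TLS control connections (TCP)
 permit udp any any range 12346 12445
 permit tcp any any range 23456 23555

! Tip 2: never drop ICMP Type 3 Code 4 (IOS keyword packet-too-big) or PMTUD breaks.
! echo/echo-reply/ttl-exceeded are kept so ping and traceroute to the edge still work.
ip access-list extended ACL-ICMP-NEEDED
 permit icmp any any packet-too-big
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded

! Tip 4: routing protocols in VPN 0 (BGP and OSPF assumed).
ip access-list extended ACL-VPN0-ROUTING
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any

class-map type inspect match-any CM-SDWAN-TUNNELS
 match access-group name ACL-SDWAN-TUNNELS
class-map type inspect match-any CM-ICMP-NEEDED
 match access-group name ACL-ICMP-NEEDED
class-map type inspect match-any CM-VPN0-ROUTING
 match access-group name ACL-VPN0-ROUTING

! "pass" is stateless, so the same classes must be passed in BOTH directions (tip 3).
! Everything else toward the router from the transport side is dropped and logged.
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-SDWAN-TUNNELS
  pass
 class type inspect CM-ICMP-NEEDED
  pass
 class type inspect CM-VPN0-ROUTING
  pass
 class class-default
  drop log

policy-map type inspect PM-SELF-TO-OUTSIDE
 class type inspect CM-SDWAN-TUNNELS
  pass
 class type inspect CM-ICMP-NEEDED
  pass
 class type inspect CM-VPN0-ROUTING
  pass
 class class-default
  drop log

! Tip 3: define the zone pair in both directions, even if one direction allowed nothing.
zone-pair security ZP-OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
zone-pair security ZP-SELF-TO-OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM-SELF-TO-OUTSIDE
```

Two caveats worth checking on a real box: once any zone pair involving self exists, the default "self zone permits everything" behaviour is gone, so anything not listed (SSH, SNMP, NTP, DHCP on the transport side, for example) is dropped by class-default; and because `pass` creates no session state, removing either direction of a pass rule silently breaks the other. Use `show policy-map type inspect zone-pair` and the `drop log` counters to confirm nothing needed is being discarded before trusting the policy.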