04-29-2020 05:51 AM
Hi
Since version 16.12/19.2, the Self-Zone feature has been supported.
Are there best practices for this configuration? Which source, protocol, etc.?
05-12-2020 05:20 AM - edited 05-12-2020 05:21 AM
As for my personal opinion, there is no "one size fits all" Self-Zone security recommendation because all deployments are different, except:
- Don't forget to allow your data plane traffic: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/cisco-sd-wan-overlay-network-bringup.html#c_Firewall_Ports_for_Viptela_Deployments_8690.xml
- Please don't block ICMP, especially Type 3 Code 4, to avoid breaking PMTUD.
- If you defined self-to-zoneX, don't forget to define zoneX-to-self even if you won't allow anything.
- Don't forget about your routing protocols in the transport VPN (VPN 0, aka GRT).
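A configuration sketch that puts the four points from the reply above into standard IOS-XE zone-based-firewall CLI, added here as an illustration and not taken from either post. The zone, ACL and policy names, the UDP port range (take the real values from the Cisco "Firewall Ports" page linked above) and the `vpn 0` zone binding used in SD-WAN mode are assumptions.

```cisco
! Added illustration, not from the thread. Names are made up for the example.
!
! Point 1: data/control-plane traffic between this edge and the overlay.
! PLACEHOLDER port range: use the ports from the linked Cisco document.
ip access-list extended ACL-SDWAN-DATAPLANE
 permit udp any any range 12346 13046
!
! Point 2: never drop ICMP Type 3 Code 4 (packet-too-big) or PMTUD breaks.
ip access-list extended ACL-ICMP-PMTUD
 permit icmp any any packet-too-big
 permit icmp any any echo
 permit icmp any any echo-reply
!
! Point 4: routing protocols that run in the transport VPN (VPN 0).
ip access-list extended ACL-VPN0-ROUTING
 permit ospf any any
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map type inspect match-any CM-SELF-TRAFFIC
 match access-group name ACL-SDWAN-DATAPLANE
 match access-group name ACL-ICMP-PMTUD
 match access-group name ACL-VPN0-ROUTING
!
! "pass" is stateless, so every direction has to be written out explicitly;
! everything else hits class-default and is dropped.
policy-map type inspect PM-TRANSPORT-TO-SELF
 class type inspect CM-SELF-TRAFFIC
  pass
 class class-default
  drop
!
policy-map type inspect PM-SELF-TO-TRANSPORT
 class type inspect CM-SELF-TRAFFIC
  pass
 class class-default
  drop
!
! Zone for the transport VPN; "vpn 0" is the assumed SD-WAN-mode zone binding.
zone security TRANSPORT
 vpn 0
!
! Point 3: define BOTH zone-pairs. Without the second one the reverse
! direction is simply not covered by any policy.
zone-pair security ZP-TRANSPORT-TO-SELF source TRANSPORT destination self
 service-policy type inspect PM-TRANSPORT-TO-SELF
zone-pair security ZP-SELF-TO-TRANSPORT source self destination TRANSPORT
 service-policy type inspect PM-SELF-TO-TRANSPORT
```

On an SD-WAN edge this policy is normally pushed from vManage rather than typed in, so compare the generated CLI against the sketch rather than pasting it.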