SD-WAN Security Self-Zone

nathy1984
Level 1

Hi

Since version 16.12/19.2, the Self-Zone feature is supported.

Are there best practices for this configuration? Which sources, protocols, etc.?

1 Reply

ekhabaro
Cisco Employee

In my personal opinion, there is no "one size fits all" Self-Zone security recommendation because all deployments are different, except:

- Don't forget to allow your data plane traffic: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/cisco-sd-wan-overlay-network-bringup.html#c_Firewall_Ports_for_Viptela_Deployments_8690.xml

- Please don't block ICMP, especially Type 3 Code 4, to avoid breaking PMTUD.

- If you defined self-to-zoneX, don't forget to define zoneX-to-self even if you won't allow anything.

- Don't forget about your routing protocols in the transport VPN (VPN 0, aka GRT).
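The four points in the reply above, expressed as one IOS-XE zone-based firewall configuration for the self zone. This is an added illustration, not configuration from the original post or from Cisco; it is written in plain IOS-XE ZBFW CLI rather than as a vManage security policy, and the zone name WAN, the ACL/class-map/policy-map names, and the UDP/TCP port ranges for the overlay control and data plane are assumptions. Take the authoritative port list for your release (including port hopping and core offsets) from the "Firewall Ports" page linked above and adjust the ranges accordingly.

```cisco
! Zone for the transport VPN (VPN 0 / GRT). "self" is the router's built-in
! control-plane zone and does not need to be declared.
zone security WAN
 vpn 0

! 1. Data plane / control connections (ASSUMED ranges, see the linked port page)
ip access-list extended DATAPLANE
 remark DTLS control connections and IPsec-in-UDP data plane (assumed range)
 permit udp any any range 12346 13156
 remark TLS control connections to vManage/vSmart (assumed range)
 permit tcp any any range 23456 24156
 permit esp any any
 permit gre any any

! 2. ICMP needed for PMTUD and basic reachability.
!    "packet-too-big" is the IOS ACL keyword for Type 3 Code 4.
ip access-list extended ICMP-PMTUD
 permit icmp any any packet-too-big
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded

! 4. Underlay routing protocols in VPN 0 (keep only what you actually run).
ip access-list extended ROUTING-VPN0
 permit tcp any any eq bgp
 permit tcp any eq bgp any
 permit ospf any any

class-map type inspect match-any CM-SELF-WAN
 match access-group name DATAPLANE
 match access-group name ICMP-PMTUD
 match access-group name ROUTING-VPN0

! "pass" does not create a session, so each direction must permit its own
! traffic; everything else hitting the control plane is dropped and logged.
policy-map type inspect PM-WAN-TO-SELF
 class type inspect CM-SELF-WAN
  pass
 class class-default
  drop log

policy-map type inspect PM-SELF-TO-WAN
 class type inspect CM-SELF-WAN
  pass
 class class-default
  drop log

! 3. Define BOTH zone pairs. Leaving one out means that direction is not
!    governed by the policy you think it is.
zone-pair security WAN-TO-SELF source WAN destination self
 service-policy type inspect PM-WAN-TO-SELF
zone-pair security SELF-TO-WAN source self destination WAN
 service-policy type inspect PM-SELF-TO-WAN
```

Before applying this on a production cEdge, stage it with `drop log` on `class-default` replaced by `pass log` for a day and review the logged hits: anything unexpected that shows up (NTP, DNS, SNMP, NETCONF from vManage, a second routing protocol) is a flow the self-zone policy would otherwise have silently broken.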
