
SDWAN cEdge ZBFW Policies

configt
Level 1

In the process of deploying cEdge to all our branches and working through our templates in test first.


We want to introduce segmentation at the branch leveraging the ZBFW. Trying to determine if we place all our SVIs into the same VPN and leverage FW rules, or each SVI in a separate VPN and leverage the FW. Will the FW connect separate VPNs locally that way?


Lastly, when testing FW rules between L3 VLANs in the same VPN, the FW rules do not seem to work. Or even FW rules from VPN1 to VPN0. I feel I'm missing something obvious here.


Thank you

1 Accepted Solution


You can assign any SVI/Sub-Interface to any VPN/VRF you want. They won't be able to talk to one another obviously, but that's when you need to leverage the ZBFW aspect and then allow each Zone/VPN to talk to another if needed.

For example, one of my segmented VPNs is allocated for Guest. I have 2 Zone Pairs for its connection. ZPair1 - I "Inspect" Guest access to the Internet Zone "VPN0", but only allowing traffic sourcing from my Guest subnets and also matching protocols "1", "6", "17". ZPair2 - I then Drop all traffic sourcing from Internet Zone to Guest Zone.

If you want to allow some IPs to reach another IP in another zone, then you'll need to Route Leak via Centralized Policy/Topology Sequence type Route. 

I hope I answered your question. Let me know if anything I said was unclear. 

***Please remember to "Accept as Solution" if I answered correctly***

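As an added illustration (not configuration taken from the post, from vManage output or from Cisco documentation), this is the IOS-XE ZBFW CLI a cEdge would carry for the two zone pairs described in the accepted answer: the zone is bound to a VPN, ZPair1 inspects Guest-to-Internet traffic restricted to the Guest subnets and to ICMP/TCP/UDP (IP protocols 1, 6 and 17), and ZPair2 explicitly drops everything sourced from the Internet zone toward Guest. The Guest service VPN number (10), the Guest subnet (10.50.0.0/16) and all object names are constructed for the example.

```cisco
! Constructed example: Guest service VPN 10 on 10.50.0.0/16, Internet zone on VPN 0.
! Guest subnets, limited to the three protocols the answer allows (ICMP=1, TCP=6, UDP=17).
ip access-list extended GUEST-SUBNETS-ACL
 10 permit icmp 10.50.0.0 0.0.255.255 any
 20 permit tcp 10.50.0.0 0.0.255.255 any
 30 permit udp 10.50.0.0 0.0.255.255 any
!
! Class matches only traffic permitted by the ACL above.
class-map type inspect match-all GUEST-TO-INTERNET-CM
 match access-group name GUEST-SUBNETS-ACL
!
! ZPair1 policy: stateful inspect for matching Guest traffic, drop everything else.
policy-map type inspect GUEST-TO-INTERNET-PM
 class type inspect GUEST-TO-INTERNET-CM
  inspect
 class class-default
  drop
!
! ZPair2 policy: explicit drop (logged) for anything initiated from the Internet side.
policy-map type inspect DROP-ALL-PM
 class class-default
  drop log
!
! Zones are bound to VPNs on cEdge, so every interface in that VPN lands in the zone.
zone security GUEST
 vpn 10
zone security INTERNET
 vpn 0
!
! Zone pairs are directional; return traffic for inspected sessions is allowed by state.
zone-pair security ZPAIR1 source GUEST destination INTERNET
 service-policy type inspect GUEST-TO-INTERNET-PM
zone-pair security ZPAIR2 source INTERNET destination GUEST
 service-policy type inspect DROP-ALL-PM
```

Both zone pairs bind a policy between two distinct zones, which is what makes the rules take effect: because the zone is tied to the VPN, SVIs in the same service VPN share one zone and traffic between them is not evaluated by these zone pairs. The explicit ZPAIR2 drop mirrors the answer's advice, and `drop log` gives a record of inbound attempts from VPN 0 that a silent default drop would not.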

4 Replies

Appreciate the response and information.  Was able to test it all out some more and come up with an acceptable solution with SVI in same service VPN.  We have Guest services as well but have not had an opportunity to test that configuration out.  You mentioned having to put a rule from internet zone back into guest zone to drop, is that necessary to explicitly define that if default action for ruleset is drop?

I forgot what the document states but I added the Zone Pair to address the Zone communication and if anything tries to communicate inwards to my VPNs, it will drop. 

Is it necessary, no, is it best practice, yes. You can never be too sure. BTW, I have this same "Drop" rule for all my VPNs coming inbound from VPN0 aka Internet Zone. 

Much appreciated