Dave,
I can certainly see your confusion. However, I think that if you just bind the zones to the interface it will still permit traffic as you indicated. I think you would have to create a zone-pair and quite possibly even add a service-policy before the default behavior changes to the implicit deny. Last night, I was working around with communications to the "self" zone and I found that to be the case. HTH, and anyone please correct my thinking if I am incorrect.
