Paul, Dave,

I saw this same behavior when I did lab 2a. Without the zone pair or the service policy the router was still passing traffic between interfaces. I was puzzled when I saw this, but wrote it off and moved on. I did have the ip inspect log drop-pkt turned on and it showed no traffic being dropped. Is this because it's a bridge interface in zone self and able to pass traffic between what it considers anything else in zone self? I didn't make note of the software version and I haven't found any documentation that mentions that it shouldn't have the zone-pair or service policy. Any insight on this would be appreciated.

Thanks
Brian Almond

From: [email protected] [mailto:[email protected]] On Behalf Of Paul Stewart
Sent: Saturday, October 24, 2009 11:37 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] LAb2A Zone Based Firewall

Dave,

I can certainly see your confusion. However, I think that if you just bind the zones to the interface it will still permit traffic as you indicated. I think you would have to create a zone-pair and quite possibly even add a service-policy before the default behavior changes to the implicit deny. Last night, I was working around with communications to the "self" zone and I found that to be the case.

HTH, and anyone please correct my thinking if I am incorrect.
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
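For reference, here is an added IOS configuration example (not taken from either message or from the lab) that puts together all of the pieces the thread is discussing: the zones, the zone-pair, an inspect service-policy with an explicit logged drop for everything else, the ip inspect log drop-pkt setting Brian mentions, and the show commands used to confirm that the policy is actually bound and building sessions. Interface names, zone names and class/policy names are assumed, and it uses two routed interfaces rather than a bridge interface in the self zone.

```cisco
! Assumed zone and interface names for illustration.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description INSIDE LAN
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description OUTSIDE WAN
 zone-member security OUTSIDE
!
! What is allowed to be initiated from INSIDE toward OUTSIDE.
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Stateful inspection for the matched traffic; everything else is
! dropped and logged so an unintended pass-through is visible.
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! The zone-pair is directional; the service-policy is what attaches
! the inspect policy to it. Without both, nothing is inspected.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Log packets dropped by the firewall (the setting referred to above).
ip inspect log drop-pkt
!
! Verification: confirm the zone membership, the bound policy, and
! that inspect sessions are being created for real traffic.
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions
```

If the show output reports no sessions while traffic still crosses between the interfaces, the traffic is not passing through the zone-pair at all, which is the condition worth checking before reading the drop log.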
