Hey all,

Slowly but surely I'm managing to understand ZBF and its practicality in the real world, but I had a few questions that maybe you guys can help me with. Hopefully not too off-topic :).

1. How does ZBF handle services that are "terminated" on the router but theoretically are more transit traffic? For instance: Static NAT, Voice MTPs/Transcoders, H323/MGCP/SCCP signaling, Analog/TDM to IP conversion, etc. Do we need to define a 'self-zone' policy if we wish to protect who can/can't access these resources of the router? I know Tyson suggests using CoPP (or even an appropriately placed ACL) to protect the router in lieu of a self-zone policy, but what about in the above scenario? I've had mixed results in the labs I've tested this with, but I was wondering what the appropriate approach should be, especially since some of these services require inspection (such as with RTP) in order to work correctly through a firewall. I can't find a clear-cut answer on Cisco's website, and all Configuration Guides suggest building a self-zone policy. This seems to come up a lot with a "branch" router scenario in which there are a lot of integrated services in a single box.

2. What is the general consensus on RFC1918/2824/etc. ingress filtering using ZBF (from the perspective of securing both transit traffic, and traffic destined to the router itself)? Should this now be handled through ZBF and CoPP? ZBF and self-zone policy? An inbound ACL? I only ask because it seems logical that ZBF and CoPP are how Cisco would like to approach the solution... though an ACL would easily satisfy the criteria with little to no effort. It seems overly complicated to use ZBF and CoPP, but maybe I'm missing the bigger picture?

Thanks for the help all!

Aaron T. Rohyans
Senior Network Engineer
CCIE #21945
DPSciences Corporation
7400 N. Shadeland Ave., Suite 245
Indianapolis, IN 46250
Office: (317) 348-0099
Fax: (317) 849-7134
[email protected]
http://www.dpsciences.com/

"I want an Anti-Virus system that sends Arnold back in time to kill the hacker as a small child before he invents the virus..."

"There are 10 kinds of people in this world... those who can read binary, and those who can't"
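To make the two alternatives raised in question 2 concrete, the following is an added example (not part of the original thread and not an answer from the list) of the self-zone policy the Configuration Guides describe, placed beside a plain inbound ACL that drops RFC 1918 sources. The interface, zone, class-map and policy-map names are assumptions; only ssh and icmp are inspected toward the router, so the voice and NAT services from question 1 are deliberately not covered here.

```cisco
! --- Alternative A: inbound ACL on the WAN interface (transit + router-destined) ---
! Drops packets whose source is an RFC 1918 address; everything else is permitted
! here and left to the ZBF policies below.
ip access-list extended RFC1918-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
! --- Alternative B: self-zone policy (traffic destined to the router itself) ---
! Only management traffic (ssh) and icmp from OUTSIDE may reach the router;
! the class-default drop is logged so hits show up in the syslog for detection.
class-map type inspect match-any TO-SELF-ALLOWED
 match protocol ssh
 match protocol icmp
!
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect TO-SELF-ALLOWED
  inspect
 class class-default
  drop log
!
zone security OUTSIDE
!
! No zone-pair is defined for self -> OUTSIDE, so router-originated traffic
! (NTP, syslog, routing protocols) is not restricted by this example.
zone-pair security OUTSIDE-SELF source OUTSIDE destination self
 service-policy type inspect OUTSIDE-TO-SELF
!
interface GigabitEthernet0/0
 description WAN (assumed interface name)
 ip access-group RFC1918-IN in
 zone-member security OUTSIDE
```

Verify which path a packet took with `show policy-map type inspect zone-pair OUTSIDE-SELF` for the self-zone drops and `show ip access-lists RFC1918-IN` for the ACL counters.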
