Comments inline.

With regards
Kings

On Thu, Nov 4, 2010 at 8:26 PM, Rohyans, Aaron <[email protected]>wrote:

>  Hey all,
>
>
>
> Slowly but surely I’m managing to understand ZBF and its practicality in
> the real world, but I had a few questions that maybe you guys can help me
> with.  Hopefully not too off-topic :).
>
>
>
> 1.       How does ZBF handle services that are “terminated” on the router
> but theoretically are more transit traffic?  For instance – Static NAT,
> Voice MTPs/Transcoders, H323/MGCP/SCCP signaling, Analog/TDM to IP
> conversion, etc.  Do we need to define a ‘self-zone’ policy if we wish to
> protect who can/can’t access these resources of the router?  I know Tyson
> suggests using CoPP (or even an appropriately placed ACL) to protect the
> router in lieu of a self-zone policy, but what about in the above scenario?
> I’ve had mixed results in the labs I’ve tested this with, but was wondering
> what the appropriate approach should be?  Especially since some of these
> services require inspection (such as with RTP) in order to work correctly
> through a Firewall.  I can’t find a clear-cut answer on Cisco’s website and
> all Configuration Guides suggest building a self-zone policy.  This seems to
> come up a lot with a “branch” router scenario in which there are a lot of
> integrated services in a single box.
>

To control traffic coming to or initiated from the router, you need to use the self zone.

For example, if the router terminates VPN connections, then you need to allow
ESP, ISAKMP, AH and non-ISAKMP in the out-to-self zone policy.


> 2.       What is the general consensus on RFC1918/2824/etc. ingress
> filtering using ZBF (from the perspective of securing both transit traffic,
> and traffic destined to the router itself)?  Should this now be handled
> through ZBF and CoPP?  ZBF and self-zone policy?  An inbound ACL?  I only
> ask because it seems logical that ZBF and CoPP are how Cisco would like to
> approach the solution… though an ACL would easily satisfy the criteria with
> little to no effort.  It seems overly complicated to use ZBF and CoPP, but
> maybe I’m missing the bigger picture?
>

If the router is a perimeter router, then it should be implemented using
ZFW. Generally, we would block RFC 1918, RFC 2827, RFC 3330.



>
>
> Thanks for the help all!
>
>
>
> Aaron T. Rohyans
> Senior Network Engineer
>
> CCIE #21945
>
> DPSciences Corporation
> 7400 N. Shadeland Ave., Suite 245
>
> Indianapolis, IN 46250
> Office:  (317) 348-0099
> Fax:   (317) 849-7134
> [email protected]
> http://www.dpsciences.com/
>
> "I want an Anti-Virus system that sends Arnold back in time to kill the
> hacker as a small child before he invents the virus..."
>
> "There are 10 kinds of people in this world... those who can read binary,
> and those who can't"
>
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
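The two points made in the reply above, a self-zone policy that lets IPsec terminate on the router and RFC 1918/2827/3330 source filtering on a perimeter ZFW, put together as one IOS configuration. This is an added example, not configuration posted in the thread or taken from Cisco documentation; the zone names, the interface names and the 203.0.113.0/24 "own public prefix" used for the RFC 2827 check are assumptions.

```cisco
! Added example, not from the thread. Assumptions: WAN is Gi0/0 in zone OUTSIDE,
! LAN is Gi0/1 in zone INSIDE, and 203.0.113.0/24 is this site's own public prefix.
! The router's own control plane is the built-in zone "self".
zone security OUTSIDE
zone security INSIDE
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 zone-member security INSIDE
!
! In a ZBF class-map ACL, "permit" means "this traffic matches the class";
! the action (drop/pass/inspect) is set in the policy-map, not in the ACL.
ip access-list extended ACL-BOGON-SRC
 remark RFC 1918 private space must never be a source on the WAN side
 permit ip 10.0.0.0 0.255.255.255 any
 permit ip 172.16.0.0 0.15.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 remark RFC 2827: our own prefix arriving from the Internet is spoofed (assumed 203.0.113.0/24)
 permit ip 203.0.113.0 0.0.0.255 any
 remark RFC 3330 special-use sources (this-network, loopback, link-local, multicast)
 permit ip 0.0.0.0 0.255.255.255 any
 permit ip 127.0.0.0 0.255.255.255 any
 permit ip 169.254.0.0 0.0.255.255 any
 permit ip 224.0.0.0 15.255.255.255 any
!
ip access-list extended ACL-IPSEC-TO-SELF
 remark IKE (UDP 500), NAT-T (UDP 4500), ESP and AH terminating on the router
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit ahp any any
!
class-map type inspect match-all CM-BOGON-SRC
 match access-group name ACL-BOGON-SRC
class-map type inspect match-all CM-IPSEC-TO-SELF
 match access-group name ACL-IPSEC-TO-SELF
class-map type inspect match-any CM-INSIDE-INITIATED
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! 1. OUTSIDE -> self: drop spoofed sources first, then let IPsec reach the router.
!    "pass" is stateless; ESP/AH cannot be stateful-inspected, and the reply
!    direction stays open because no self -> OUTSIDE zone-pair is defined.
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-BOGON-SRC
  drop log
 class type inspect CM-IPSEC-TO-SELF
  pass
 class class-default
  drop log
!
! 2. OUTSIDE -> INSIDE: nothing is initiated from the Internet; spoofed sources are logged.
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-BOGON-SRC
  drop log
 class class-default
  drop
!
! INSIDE -> OUTSIDE: stateful inspection opens the return path for inside-initiated sessions.
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-INSIDE-INITIATED
  inspect
 class class-default
  drop
!
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUT-TO-SELF
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
```

Two caveats a practitioner will want. First, the class-default drop in PM-OUT-TO-SELF drops everything else arriving at the router from the WAN, including routing-protocol neighbours, ICMP and any management access you rely on, so each of those needs its own class before you apply the zone-pair. Second, because the bogon class sits first in the self-zone policy and logs, `show policy-map type inspect zone-pair OUT-TO-SELF` will show whether "mixed results" in a lab are really the self-zone policy discarding a packet the service needed, rather than a fault in the service itself.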