With the self zone, most traffic needs to be passed. ZBF only supports ICMP/TCP/UDP inspection, so routing protocols will always be passed.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com <http://www.ipexpert.com/>

From: [email protected] [mailto:[email protected]] On Behalf Of Richard Chan
Sent: Tuesday, March 01, 2011 12:12 AM
To: [email protected]
Subject: [OSL | CCIE_Security] ZBF with self-zones configured: IGPs - PASS or INSPECT?

Hi,

What is the best practice for allowing IGP traffic when self zones are configured in both directions?

1. Say you have a self-Outside zone-pair and an Outside-self zone-pair configured.
2. For IGPs like OSPF/RIP/EIGRP, would you add a PASS action class to both zone-pairs? Or do you "inspect" one of them? I don't think of IGP peerings as "sessions" in the UDP/TCP sense.

!---
policy-map type inspect XXX-out-self
 class type inspect IGP
  pass
!--- apply to Outside-self zone-pair
!---
policy-map type inspect XXX-self-out
 class type inspect IGP
  pass
!--- apply to self-Outside zone-pair
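The following is an added example, not configuration from the thread or from IPexpert: a complete ZBF configuration that passes IGP traffic in both self-zone directions, which is what the reply recommends. The zone name OUTSIDE, the interface GigabitEthernet0/0, and the ACL, class-map, policy-map and zone-pair names are assumptions.

```cisco
! Added example (not from the thread). Zone name OUTSIDE, interface
! GigabitEthernet0/0 and all ACL/class/policy/zone-pair names are assumptions.
!
! Identify IGP traffic with an ACL. OSPF and EIGRP are their own IP protocols;
! RIP rides on UDP/520. "any any" also covers the multicast hello destinations
! (224.0.0.5, 224.0.0.6, 224.0.0.9, 224.0.0.10).
ip access-list extended IGP-ACL
 permit ospf any any
 permit eigrp any any
 permit udp any eq rip any eq rip
!
class-map type inspect match-all IGP
 match access-group name IGP-ACL
!
! "pass" is stateless: no session is created, so passing in one direction
! does not admit the return traffic. Both zone-pairs therefore carry a pass
! class; inspecting one direction would not work because ZBF can only
! inspect ICMP/TCP/UDP, and OSPF/EIGRP are neither.
policy-map type inspect OUT-SELF
 class type inspect IGP
  pass
 class class-default
  drop log
!
policy-map type inspect SELF-OUT
 class type inspect IGP
  pass
 class class-default
  drop log
!
zone security OUTSIDE
!
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect OUT-SELF
zone-pair security SELF-TO-OUT source self destination OUTSIDE
 service-policy type inspect SELF-OUT
!
interface GigabitEthernet0/0
 zone-member security OUTSIDE
!
! Verify that the IGP class is matching and that class-default is not
! dropping neighbours:
!   show policy-map type inspect zone-pair OUT-TO-SELF
!   show policy-map type inspect zone-pair SELF-TO-OUT
!   show ip ospf neighbor
```

The class-default "drop log" on a self-zone pair drops everything else the router itself sends or receives on that zone, including management sessions, so add explicit classes for any other control or management traffic the router needs before attaching these policies, and watch the class-default drop counters in the show output after applying them.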
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
