Zone-Based Policy Overview
Before the ZFW was introduced, the Cisco IOS Firewall offered stateful inspection through the CBAC feature, which was covered in detail in the previous sections of this chapter.
In recent releases of Cisco IOS Software, from Version 12.4(6)T onward, the CBAC model is being replaced by a new configuration model that uses ZFW.
This new feature was added mainly to overcome the limitations of CBAC, which applied its stateful inspection policy on an interface-based model. Specifically, all traffic passing through an interface was subject to the same inspection policy, which limited the granularity of policy enforcement, particularly in scenarios where multiple interfaces existed.
With ZFW, stateful inspection can now be applied on a zone-based model. Interfaces are assigned to zones, and
policy inspection is applied to traffic moving between zones. This enhancement provides more granularity,
flexibility, scalability, and an easy-to-use zone-based security approach. With a zone-based inspection model,
varying interzone policies can be applied to multiple hosts or groups of hosts connected to the same interface.
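The following configuration is an added example, not taken from the book, showing the zone-based model described above on a router with two interfaces. Interface names (GigabitEthernet0/0 and 0/1), zone names (INSIDE, OUTSIDE), the 10.1.1.0/24 address block and the ACL number are assumed values chosen for illustration. It also demonstrates the granularity point from the paragraph: two classes in the same interzone policy apply different treatment to different hosts that share the INSIDE interface, something a single interface-based CBAC policy could not express.

```text
! Define the zones and assign each interface to one (assumed names and interfaces)
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN side (assumed)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet side (assumed)
 zone-member security OUTSIDE
!
! Host group on the INSIDE interface that is allowed broader access (constructed addresses)
ip access-list extended ADMIN-HOSTS
 permit ip 10.1.1.0 0.0.0.255 any
!
! Class 1: admin hosts get HTTP, HTTPS, DNS and SSH inspected
class-map type inspect match-all ADMIN-CLASS
 match access-group name ADMIN-HOSTS
 match protocol tcp
!
! Class 2: all other INSIDE hosts get only web and DNS
class-map type inspect match-any USER-CLASS
 match protocol http
 match protocol https
 match protocol dns
!
! One interzone policy, different actions per class; everything else is dropped and logged
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect ADMIN-CLASS
  inspect
 class type inspect USER-CLASS
  inspect
 class class-default
  drop log
!
! The zone pair binds the policy to the INSIDE -> OUTSIDE direction only;
! return traffic is permitted by the stateful session table, not by a reverse policy
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Verification commands (existing IOS commands, shown here as usage)
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair IN-OUT sessions
```

Two behaviours of the model are worth keeping in mind when reading this: traffic between two zones that have no zone-pair defined is dropped by default, and traffic between two interfaces in the same zone is passed without inspection. Because there is no OUTSIDE-to-INSIDE zone pair here, unsolicited inbound connections are dropped, while replies to inspected INSIDE-originated sessions are allowed back through the session table.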
Tip
The following Cisco whitepaper URL provides more details on the conceptual difference between Cisco
IOS Classic and ZFW features:
www.