If a new interface is added to the Private zone, traffic between that interface and the other members of the zone (and among hosts behind the same interface) is allowed, because traffic within a zone is not restricted. Hosts behind the new interface are also subject to the existing zone-pair policies when they communicate with hosts in other zones.
Configuring Zone-Based Policy Firewall
ZFW does not use the classical CBAC ip inspect command set. ZFW policies are configured with the new Cisco Policy Language (CPL), which employs a hierarchical structure to define inspection for network protocols and the groups of hosts to which the inspection will be applied. Note that the two configuration models (Classical CBAC and new ZFW) can be used concurrently on the same router; however, they cannot overlap on the same interface: an interface cannot be configured as a zone member and be configured for ip inspect at the same time.
Note
It is important to understand that ZFW completely changes the configuration syntax for Cisco IOS
Firewall stateful inspection, as compared to Classical CBAC.
Configuring ZFW Using Cisco Policy Language (CPL)
ZFW is configured with the new Cisco Policy Language (CPL) command set. The format is similar to the Modular QoS CLI (MQC): a class-map identifies the traffic, and a policy-map applies an action to that class.
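The following is an added example of a minimal ZFW configuration in CPL; it is not from the book. The zone names (Private, Public), interface names, and class-map/policy-map names are constructed for illustration.

```cisco
! Added example (not from the book): a minimal ZFW configuration in CPL.
! Zone names (Private, Public), interface names, and class/policy names
! are constructed for illustration.
!
! 1. Define the security zones. Interfaces in the same zone can talk to
!    each other freely; traffic between zones is dropped until a
!    zone-pair with a policy permits it.
zone security Private
 description Inside LAN
zone security Public
 description Internet-facing

! 2. class-map identifies WHICH traffic the policy applies to (MQC-style).
class-map type inspect match-any PRIVATE-TO-PUBLIC-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

! 3. policy-map defines WHAT happens to each class: inspect (stateful,
!    return traffic is allowed automatically), pass, or drop.
policy-map type inspect PRIVATE-TO-PUBLIC-POLICY
 class type inspect PRIVATE-TO-PUBLIC-CLASS
  inspect
 class class-default
  drop log

! 4. zone-pair binds the policy to a direction. Only Private -> Public is
!    defined, so unsolicited Public -> Private sessions stay blocked.
zone-pair security PRIVATE-PUBLIC source Private destination Public
 service-policy type inspect PRIVATE-TO-PUBLIC-POLICY

! 5. Assign interfaces to zones. An interface that is a zone member must
!    NOT also carry a classical "ip inspect" statement (the two models may
!    coexist on the router but not on the same interface).
interface GigabitEthernet0/0
 description Inside LAN
 zone-member security Private
interface GigabitEthernet0/1
 description Internet
 zone-member security Public
```

After applying it, show policy-map type inspect zone-pair sessions lists the sessions being inspected and the per-class drop counters, which is the quickest way to confirm the policy matches the traffic you intended.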