Difference between revisions of "Zone-based firewall Cisco IOS"
From Teknologisk videncenter
Latest revision as of 07:49, 26 June 2014
=Materials=
*[http://mars.tekkom.dk/data/tdc/Zone-based%20firewall.ppsx Zone-based firewall] (PowerPoint presentation)
=Articles=
*[[Netband Project - Zone based Firewall(ZFW)]]
=Transparent Zone-based firewall=
A transparent zone-based firewall can be built by placing two interfaces in the same [[Bridge-group cisco IOS|bridge-group]] and assigning each interface to its own security zone. The following example passes all IP traffic transparently at layer 2 from zone SEC to zone PUB. Because the only zone-pair is SEC to PUB and the inspect action tracks session state, return traffic for sessions opened from SEC is allowed, while connections initiated from PUB towards SEC have no zone-pair and are dropped.
<source lang=cli>
vlan 10
 name Public
vlan 20
 name Secure
!
! Integrated routing and bridging lets the two VLAN interfaces join one bridge-group
bridge irb
!
zone security SEC
zone security PUB
!
! Only the SEC -> PUB direction is defined; traffic initiated from PUB towards SEC is dropped
zone-pair security ALL source SEC destination PUB
 service-policy type inspect ALL-PMI
!
int vlan 10
 description Connected to public network
 bridge-group 10
 zone-member security PUB
!
int vlan 20
 description Connected to secure network
 bridge-group 10
 zone-member security SEC
!
bridge 10 protocol ieee
!
class-map type inspect match-any ALL-CMI
 match access-group 10
!
policy-map type inspect ALL-PMI
 class type inspect ALL-CMI
  inspect
 class class-default
  drop
!
! Standard ACL matching any source address, so the class-map covers all IP traffic
access-list 10 permit any
</source>
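As an added example (not from this page or the Netband material), the following Python audit checks the zone relationships in a ZFW config like the one above: it flags zone-members and zone-pairs that reference undefined zones or policy-maps, and reports every zone direction that has no zone-pair, which IOS drops by default. The sample config is constructed from this page's lines; the function and finding names are assumptions of the example.

```python
import re
from itertools import permutations

# Constructed sample: the zone, zone-pair, interface and policy-map lines of this page's config.
ZFW_CONFIG = """\
zone security SEC
zone security PUB
zone-pair security ALL source SEC destination PUB
 service-policy type inspect ALL-PMI
int vlan 10
 zone-member security PUB
int vlan 20
 zone-member security SEC
policy-map type inspect ALL-PMI
"""

def parse(config):
    """Collect zones, zone-pairs, inspect policy-maps and interface memberships."""
    zones, pairs, policies, members = set(), {}, set(), {}
    pair = intf = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"zone security (\S+)$", line):
            zones.add(m[1])
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            pair = m[1]
            pairs[pair] = {"src": m[2], "dst": m[3], "policy": None}
        elif (m := re.match(r"service-policy type inspect (\S+)", line)) and pair:
            pairs[pair]["policy"] = m[1]
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            policies.add(m[1])
        elif m := re.match(r"int(?:erface)? (.+)", line):
            intf = m[1]
        elif m := re.match(r"zone-member security (\S+)", line):
            members[intf] = m[1]
    return zones, pairs, policies, members

def audit(config):
    """Return findings as strings; an empty list means the config is consistent."""
    zones, pairs, policies, members = parse(config)
    findings = [f"{i}: zone-member {z} is not a defined zone"
                for i, z in members.items() if z not in zones]
    for name, p in pairs.items():
        if p["src"] not in zones or p["dst"] not in zones:
            findings.append(f"zone-pair {name}: references an undefined zone")
        if p["policy"] not in policies:
            findings.append(f"zone-pair {name}: policy {p['policy']} is not defined")
    covered = {(p["src"], p["dst"]) for p in pairs.values()}
    for src, dst in permutations(sorted(zones), 2):
        if (src, dst) not in covered:  # no zone-pair: IOS drops traffic initiated this way
            findings.append(f"{src} -> {dst}: no zone-pair, traffic initiated here is dropped")
    return findings
```

Run against the page's config the only finding is the missing PUB to SEC zone-pair, which is the intended default-deny rather than an error.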