Wednesday, March 22, 2017

Cisco IOS Zone-Based Firewall Tutorial

Security Zone

  • A security zone is a group of interfaces to which one policy can be applied.
  • By default, traffic flows freely between interfaces that belong to the same zone, but traffic between a zone and any other zone (or an interface that is not in any zone) is dropped.
Note
To allow traffic to pass between zones, the administrator must explicitly create a zone pair for those two zones and attach a policy to it.
Another point to notice is that traffic originated by or destined to the router itself (the "self" zone) is allowed by default; it is only restricted if you configure a zone pair that includes the self zone.

Zone-pair

  • Allows you to specify a unidirectional firewall policy between two zones.
  • A zone pair specifies the direction of the interesting traffic.
  • It is defined by specifying a source zone and a destination zone.
  • The same zone cannot be used as both the source and the destination of a zone pair.
Zone Policy
Defines what we want to allow or deny between the two zones of a pair, e.g. allow HTTP while dropping SMTP and ICMP. Traffic is classified with class-maps of type inspect (matching by protocol or by ACL), and a policy-map of type inspect assigns one of three actions to each class: "pass", "drop" or "inspect".
"pass" permits matching traffic in the direction of the zone pair only (return traffic needs its own pass on the reverse pair), "drop" discards it, and "inspect" performs stateful inspection: the router records the session and automatically allows the return traffic, so no reverse zone pair is needed. Traffic that matches no class falls into class-default, which drops it.
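The complete configuration for the three steps above (zones, zone pair, policy), as an added example that is not part of the original post. Zone names, interface numbers, descriptions and IP addresses are assumptions chosen for illustration; the policy implements the HTTP-allowed, SMTP/ICMP-dropped example from the text.

```cisco
! Added example (not from the original post). Interface names, zone names and
! addresses are assumed.
!
! 1. Security zones
zone security INSIDE
zone security OUTSIDE
!
! 2. Classification: class-maps of type inspect select the interesting traffic.
class-map type inspect match-any CM-WEB
 match protocol http
 match protocol https
!
class-map type inspect match-any CM-BLOCKED
 match protocol smtp
 match protocol icmp
!
! 3. Policy: one action per class. "inspect" is stateful, so replies to web
!    sessions are allowed back without an OUTSIDE -> INSIDE zone pair.
!    Anything not matched falls into class-default, which drops it.
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-WEB
  inspect
 class type inspect CM-BLOCKED
  drop log
 class class-default
  drop
!
! 4. Zone pair: unidirectional, INSIDE -> OUTSIDE, with the policy attached.
zone-pair security ZP-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
!
! 5. Zone membership. From the moment an interface joins a zone, traffic between
!    it and any interface outside that zone is dropped unless a zone pair allows it,
!    so apply the zone pair and policy before this step on a production box.
interface GigabitEthernet0/0
 description LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN (assumed)
 ip address 203.0.113.2 255.255.255.0
 zone-member security OUTSIDE
!
! Verification (privileged exec mode):
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair ZP-IN-OUT sessions
```

Because there is no OUTSIDE -> INSIDE zone pair, unsolicited connections from the WAN towards the LAN are dropped by the default inter-zone behaviour; only the replies to sessions that "inspect" has recorded are let back in. Management traffic to the router itself (SSH, SNMP) still works, since the self zone is not part of any zone pair here.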
