SDN/SDDC Retreat in Miami, Florida (November 4th-6th)
Separate SDN hype from real life!

Small enhancement in zone-based firewalls

In the Deploying Zone-Based Firewalls book I wrote:

In early releases supporting zone-based policy firewall configuration (IOS 12.4(6)T), match protocol command cannot be used to classify traffic to or from the self zone. Only IP access lists can be used for traffic classification purposes.
Misha Volodko reported that the match protocol icmp command works for him when used with the self zone. Another small step toward perfect implementation :) ... and don't forget that you can always use class class-default to catch all the unclassified traffic (and log it before it's dropped, for example).


  1. Hi Ivan,

    I'm facing a very weird issue about Zone base Firewall, not sure if its IOS related, underneath are the details

    policy-map type inspect PM.Traffic
    class type inspect CM.Routing
    pass log
    class type inspect CM_Voice.Protocol
    pass log
    class type inspect CM_Application.Traffic
    class class-default
    drop log
    zone security ZS_Trusted.Zone
    description Trusted-Inside Network
    zone security ZS_Untrusted.Zone
    description Untrusted-Outside Network
    zone-pair security ZPS_Trusted.2.Untrusted source ZS_Trusted.Zone destination ZS_Untrusted.Zone
    service-policy type inspect PM.Trusted.2.Untrusted.Traffic - below error message upon applying this

    "Firewall service-policy attachment failed" this is the 1st time I encounter this issue

    2nd Issue:
    When I tried to remove the policy-map, by applying
    # no policy-map type inspect PM.Traffic
    Command successfully executed, no error, but when you check the running config, the policy-map
    still there
    I've tried it to other Router with the same Model & IOS version, same issue arrise.

    1. Was able to configure ZBF on those two router, no issue encounter, I just temporarily removed it from the interface because there's some connectivity issue, but when I attempt to activate it again and add some policy-map, I got those issue.

    2. Router Info
    Cisco 3845 (revision 1.0) with 483327K/40960K bytes of memory.
    System image file is "flash:c3845-advipservicesk9-mz.124-24.T3.bin"

  2. Ivan Pepelnjak27 May, 2010 18:31

    Looks like a bug to me. You should open a case with Cisco TAC.

  3. This shortcoming appears to be fixed in many IOS trains: CSCsy29940 - Unable to inspect any protocol in self zone


You don't have to log in to post a comment, but please do provide your real name/URL. Anonymous comments might get deleted.