Zone-based traffic policing

The zone-based firewall uses security policy-maps to specify how the flows between zones should be handled based on their traffic classes. The obvious actions that you can use in the security policy are pass, drop and inspect, but there’s also the police action, and one of the readers sent me an interesting question: “why would you need the police action in the security policy if you already have QoS policing?”

The difference between interface service policy and inter-zone security policy is in the traffic aggregation: the interface service policy works on traffic classes entering or leaving a single interface and the inter-zone policy works on aggregate traffic between zones, including the return traffic if you’ve used the inspect command to configure stateful inspection of the traffic class.

For example, you could limit the amount of HTTP traffic between your internal clients and your DMZ segment to prevent the internal users from overloading your public web servers.

The inter-zone policing algorithm is pretty aggressive. You have to specify high rates and burst sizes, otherwise you can kill all TCP traffic.
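The HTTP-between-zones scenario above, written out as an IOS configuration. This is an added, constructed example, not a configuration from the original post; zone names, interface names and the rate/burst values are assumptions, and the police action has to sit in the same class as inspect, which is what makes it apply to the aggregate inter-zone flow including return traffic.

```cisco
! Traffic class: HTTP identified by NBAR (match protocol)
class-map type inspect match-any HTTP-TRAFFIC
 match protocol http

! Inter-zone policy: stateful inspection plus aggregate policing of the class.
! Values are deliberately generous (see the caveat above): rate in bps, burst in bytes.
policy-map type inspect INSIDE-TO-DMZ
 class type inspect HTTP-TRAFFIC
  inspect
  police rate 20000000 burst 500000
 class class-default
  drop

! Zones and the zone-pair the policy is attached to (assumed names)
zone security INSIDE
zone security DMZ

zone-pair security INSIDE-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-DMZ

! Interface membership (assumed interfaces)
interface GigabitEthernet0/0
 description Internal clients
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Public web servers
 zone-member security DMZ
```

Unlike an interface service-policy on GigabitEthernet0/0, the police statement here counts every HTTP session from INSIDE to DMZ, regardless of which interface carries it, and the inspect action lets the returning server traffic through without a separate DMZ-to-INSIDE policy.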

This article is part of the You've asked for it series.

2 comments:

  1. Hi Ivan,

    Is there a way to set up the IOS zone-based firewall the same as Active/Active? I have a site with two WAN routers, each with a separate MPLS provider, and it's load balanced. I have configured the ZBF on the two routers, but I encounter an erratic issue; I know ZBF is causing this because when I remove the ZBF from the interface, the issue is gone.

    Any tips on how to best set up ZBF on a site that has two active WAN routers?

    Your help is greatly appreciated.

    Regards,

    Arnold

  2. Ivan Pepelnjak, 08 June, 2010 19:29

    It looks like failover is not yet supported with ZBF.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.