Zone-based Traffic Policing

The zone-based firewall uses security policy-maps to specify how the flows between zones should be handled based on their traffic classes. The obvious actions that you can use in the security policy are pass, drop and inspect, but there’s also the police action and one of the readers sent me an interesting question: “why would you need the police action in the security policy if you already have QoS policing”.

The difference between interface service policy and inter-zone security policy is in the traffic aggregation: the interface service policy works on traffic classes entering or leaving a single interface and the inter-zone policy works on aggregate traffic between zones, including the return traffic if you’ve used the inspect command to configure stateful inspection of the traffic class.

For example, you could limit the amount of HTTP traffic between your internal clients and your DMZ segment to prevent the internal users from overloading your public web servers.

The inter-zone policing algorithm is pretty aggressive. You have to specify high rates and burst sizes, otherwise you can kill all TCP traffic.


  1. Hi Ivan,

    Is there a way to setup IOS Zone base firewall same as Active/Active? I got a site with two wan router, each has separate MPLS Provider and its load balance. I have configurare the ZBF on the two router, but I encounter erratic issue, I know ZBF is causing this because when I remove the ZBF from the interface, issues is gone.

    Any tip how to best setup ZBF on site that has two active WAN router.

    Your help is greatly appreciated.


  2. It looks like failover is not yet supported with ZBF.
Add comment