When is “Deny all” policy an exception in Zone Based Firewall

A. traffic traverses 2 interfaces in the same zone

B. traffic sources from the router via the self zone

C. traffic terminates on the router via the self zone

D. traffic traverses 2 interfaces in different zones

E. traffic terminates on the router via the self zone

Explanation:
Answer key as posted: BD
Note: the posted key does not agree with the explanation below. The explanation says that traffic between interfaces in different zones (option D) is denied by default, while traffic between interfaces in the same zone (option A) and traffic to or from the self zone (options B and C; option E is an exact duplicate of C as posted) is permitted by default. Those are the exceptions to the deny-all behaviour of a zone-based firewall.
+ There is a default zone, called the self zone, which is a logical zone. Any packet whose destination IP address is one of the router's own addresses is considered by the router to be entering the self zone. Likewise, any traffic originated by the router itself is considered to be leaving the self zone. By default, all traffic to or from the self zone is allowed, but you can change this by creating a zone pair that has the self zone as its source or destination and attaching a policy to it.
+ For administrator-created zones, no traffic is allowed between interfaces in different zones unless a zone pair exists for that direction and its inspect policy permits the traffic.
+ For interfaces that are members of the same zone, all traffic is permitted by default.
Source: Cisco Official Certification Guide, Zones and Why We Need Pairs of Them, p.380
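The following Cisco IOS configuration is an added example, not from the certification guide or the original post, to show the three behaviours the explanation describes: the default deny between zones, the same-zone and self-zone exceptions, and how the self-zone exception is removed once you bind a policy to it. Interface names, zone names, the management subnet 10.0.0.0/24 and the class-map and policy-map names are all assumptions chosen for the illustration.

```cisco
! ---- Zones: two user zones; the "self" zone exists implicitly ----
zone security INSIDE
zone security OUTSIDE
!
! ---- Policy for INSIDE -> OUTSIDE: stateful inspection ----
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop
!
! Only one zone pair is defined. Traffic INSIDE -> OUTSIDE is inspected and
! return traffic of those sessions is allowed back by the state table.
! Unsolicited OUTSIDE -> INSIDE traffic has no zone pair, so it is dropped:
! this is the deny-all default between different zones (option D).
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! ---- Interface membership ----
! Gi0/0 and Gi0/2 are both in INSIDE: traffic between them needs no zone pair
! and is permitted by default (option A).
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/2
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
!
! At this point no zone pair references "self", so SSH/SNMP/routing traffic
! to the router and traffic the router originates are still allowed from
! either zone: the self-zone exception (options B and C).
!
! ---- Optional: close the self-zone exception for the OUTSIDE side ----
! Once a zone pair with destination self exists, anything on that pair that
! is not matched by an explicit class falls into class-default and is dropped.
! Assumed management subnet 10.0.0.0/24 (illustrative value).
ip access-list extended ACL-MGMT
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
!
class-map type inspect match-all CM-MGMT-TO-SELF
 match access-group name ACL-MGMT
!
policy-map type inspect PM-OUTSIDE-TO-SELF
 class type inspect CM-MGMT-TO-SELF
  pass
 class class-default
  drop
!
zone-pair security OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect PM-OUTSIDE-TO-SELF
```

Verification: `show zone-pair security` lists the pairs and attached policies, and `show policy-map type inspect zone-pair sessions` shows the state entries created by the INSIDE-to-OUTSIDE inspection. Two caveats a practitioner should keep in mind: first, the example uses `pass` rather than `inspect` in the self-zone policy because self-zone inspection support depends on the IOS release, and `pass` is stateless, so router-originated replies rely on the self-to-OUTSIDE direction still being unpolicied; if you also add a `self` to `OUTSIDE` pair you must permit the return and router-originated traffic (including routing protocols) explicitly. Second, an interface that belongs to no zone cannot exchange traffic with an interface that belongs to a zone, so adding the first zone member on a router silently cuts off any unzoned interfaces.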


