Which of the following traffic can be statefully inspected by Cisco IOS ZFW? (Select the best answer.)
A.
IPv6 unicast traffic
B.
IPv6 multicast traffic
C.
IPv4 unicast traffic
D.
IPv4 multicast traffic
Answer: C
Explanation:
In a Cisco IOS zone-based policy firewall (ZFW) configuration, IP version 4 (IPv4) unicast traffic can be
statefully inspected. As of Cisco IOS 12.4(15), ZFW is not capable of stateful inspection of any type of IPv6
traffic, nor of IPv4 multicast traffic. ZFW is the latest iteration of Cisco's stateful firewall implementation,
which was formerly called Context-Based Access Control (CBAC). With ZFW, virtual security zones are defined and
then interfaces are assigned to the appropriate zone. By default, all traffic is implicitly permitted to flow
between interfaces that have been assigned to the same zone; however, all traffic between zones is blocked. In
addition, all traffic to and from an interface is implicitly blocked by default when the interface is assigned to
a zone, with a few exceptions: traffic to or from other interfaces in the same zone is permitted, as is traffic
to or from the router itself (the router's own "self" zone). An interface that is not a member of any zone cannot
exchange traffic with an interface that is.
In order for traffic to flow between zones, stateful packet inspection policies must be configured to explicitly
permit traffic between zones. The basic process is as follows:
1. Define the required zones.
2. Create zone pairs for zones that will pass traffic between themselves (a zone pair is unidirectional, and
return traffic for inspected sessions is permitted by state rather than by a second zone pair).
3. Define class maps to match the appropriate traffic for each zone pair.
4. Define policy maps to specify the actions that should be performed on matching traffic.
5. Apply the policy maps to the zone pairs.
6. Assign interfaces to their appropriate zones.
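The six steps above as one complete configuration, added here as an illustrative example rather than text taken from the Cisco guides this answer cites. The zone, class map, policy map and zone-pair names (INSIDE, OUTSIDE, INSIDE-TO-OUTSIDE-CLASS, INSIDE-TO-OUTSIDE-POLICY, INSIDE-TO-OUTSIDE) and the interface numbers are assumptions chosen for the example; the commands themselves are standard IOS ZFW syntax. It inspects IPv4 unicast HTTP, HTTPS, DNS and ICMP from the inside zone toward the outside zone and drops everything else:

```cisco
! Step 1: define the zones (assumed names).
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Untrusted Internet
!
! Step 3: match the IPv4 unicast traffic that should be stateful inspected.
! match-any: a packet matches the class if it matches any listed protocol.
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Step 4: "inspect" creates a session entry so that the return packets of
! each flow are allowed back from OUTSIDE to INSIDE. Unmatched traffic hits
! class-default and is dropped and logged.
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log
!
! Steps 2 and 5: one unidirectional zone pair, INSIDE -> OUTSIDE, with the
! policy applied. No OUTSIDE -> INSIDE pair exists, so unsolicited inbound
! connections are blocked by the default inter-zone deny.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Step 6: assign interfaces last. The moment an interface joins a zone, all
! traffic to other zones without a policy is dropped, so the policy should
! already be in place. Interface numbers are assumed for the example.
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN
 zone-member security OUTSIDE
!
! Verification from exec mode:
! show zone security
! show zone-pair security
! show policy-map type inspect zone-pair INSIDE-TO-OUTSIDE sessions
```

The `sessions` view of the last command is the practical check that stateful inspection is working: each inspected flow appears as a session with its source and destination addresses, and a reply from OUTSIDE that does not belong to one of those sessions is dropped even though no explicit outside-to-inside rule was written. Adding a `match protocol` line for IPv6 or for multicast would not help here, which is the point of the question: ZFW's stateful engine only tracks IPv4 unicast sessions.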
Inspection rules can be created for a large number of traffic types, including the following:
– Domain Name System (DNS)
– Internet Control Message Protocol (ICMP)
– Network Basic Input/Output System (NetBIOS)
– Sun Remote Procedure Call (RPC)
However, stateful inspection of multicast traffic, such as Internet Group Management Protocol (IGMP), is not
supported by ZFW and must be handled by other security features, such as Control Plane Policing (CoPP).
Reference:
Cisco: Zone-Based Policy Firewall Design and Application Guide: Introduction
Cisco: Zone-Based Policy Firewall Design and Application Guide: Rules For Applying Zone-Based Policy Firewall