
You issue the show zone security command on a Cisco router and receive the following command output:
RouterA#show zone security
zone self
Description: System defined zone
zone inside
Member Interfaces:
FastEthernet0/0
FastEthernet0/1
zone outside
Member Interfaces:
Serial0/0/0
zone dmz
Member Interfaces:
Serial0/0/1
Based on the command output, to which zones can the S0/1/0 interface send traffic? (Select the best answer.)

A.
S0/1/0 can send traffic to the dmz zone.

B.
S0/1/0 can send traffic to the outside zone.

C.
S0/1/0 can send traffic to the inside zone, but only in response to traffic initiated from the inside zone.

D.
S0/1/0 can send traffic to any zone.

E.
S0/1/0 cannot send traffic to any configured zones.

Explanation:
In this scenario, the S0/1/0 interface cannot send traffic to any configured zones. S0/1/0 is not a member of any
zones, as shown by the following output from the show zone security command:
RouterA#show zone security
zone self
Description: System defined zone
zone inside
Member Interfaces:
FastEthernet0/0
FastEthernet0/1
zone outside
Member Interfaces:
Serial0/0/0
zone dmz
Member Interfaces:
Serial0/0/1
Traffic cannot flow between an interface that does not belong to a security zone and an interface that does
belong to a security zone. Therefore, S0/1/0 cannot send traffic to Fa0/0, Fa0/1, S0/0/0, or S0/0/1. However,
S0/1/0 can send traffic to S0/1/1 because S0/1/1 is not a member of any security zone.
Even if S0/1/0 were a member of the outside zone, S0/1/0 would not be able to send traffic to the inside zone or
dmz zone. When no zone pair exists for a pair of zones, traffic is blocked by default. Traffic is allowed to pass
freely between interfaces within the same zone.
If S0/1/0 were a member of the dmz zone, S0/1/0 would be able to send traffic to the inside zone only in
response to traffic initiated from the inside zone. RouterA is configured to allow Telnet traffic and traffic sent to
10.2.2.3 from the inside zone to the dmz zone and to allow return traffic from the dmz zone to the inside zone
for these sessions.
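The default forwarding rules the explanation describes (unzoned to unzoned passes, zoned to unzoned is dropped, same zone passes freely, different zones need a zone pair) can be checked mechanically. The following is an added example, not part of the original question or Cisco's own tooling: it parses a constructed copy of the show zone security output above and applies those rules. The zone pair inside to dmz is an assumption taken from the explanation; the page does not show the zone-pair configuration, and the stateful return traffic that inspect permits from dmz back to inside is not modelled, only who may initiate.

```python
"""Decide whether Cisco IOS Zone-Based Firewall (ZBF) would forward traffic
between two interfaces, from zone membership plus configured zone pairs.

Added example: parses a constructed copy of the question's
'show zone security' output and applies the default ZBF rules the
explanation describes. ZONE_PAIRS is an assumption (the page does not
show the zone-pair configuration)."""
import re
from typing import Dict, Optional, Set, Tuple

# Constructed copy of the show zone security output from the question.
SHOW_ZONE_SECURITY = """\
RouterA#show zone security
zone self
Description: System defined zone
zone inside
Member Interfaces:
FastEthernet0/0
FastEthernet0/1
zone outside
Member Interfaces:
Serial0/0/0
zone dmz
Member Interfaces:
Serial0/0/1
"""

# Assumed zone pairs whose policy passes or inspects traffic (source, destination).
# The explanation only describes inside -> dmz being permitted, so that is the only pair.
ZONE_PAIRS: Set[Tuple[str, str]] = {("inside", "dmz")}

# Long-to-short interface name mapping so "FastEthernet0/0" and "Fa0/0" compare equal.
_ABBREV = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "Serial": "S"}


def normalize(ifname: str) -> str:
    """Map a long interface name to the short form used in the question text."""
    for long, short in _ABBREV.items():
        if ifname.startswith(long):
            return short + ifname[len(long):]
    return ifname


def parse_zones(output: str) -> Dict[str, str]:
    """Return {short_interface_name: zone} from show zone security output."""
    membership: Dict[str, str] = {}
    zone: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"^zone (\S+)$", line)
        if m:
            zone = m.group(1)          # start of a new zone block
            continue
        # Interface lines look like FastEthernet0/0 or Serial0/0/1.
        if zone and re.match(r"^[A-Za-z]+\d+(/\d+)*$", line):
            membership[normalize(line)] = zone
    return membership


def can_send(src: str, dst: str, membership: Dict[str, str],
             pairs: Set[Tuple[str, str]]) -> bool:
    """True if traffic initiated on src may be forwarded out dst under ZBF defaults."""
    src_zone = membership.get(normalize(src))
    dst_zone = membership.get(normalize(dst))
    if src_zone is None and dst_zone is None:
        return True                      # neither interface is zoned: ZBF does not apply
    if src_zone is None or dst_zone is None:
        return False                     # zoned <-> unzoned is always dropped
    if src_zone == dst_zone:
        return True                      # intra-zone traffic passes freely
    return (src_zone, dst_zone) in pairs  # inter-zone traffic needs a zone pair


def reachable_zones(src: str, membership: Dict[str, str],
                    pairs: Set[Tuple[str, str]]) -> Set[str]:
    """Zones containing at least one interface that src may initiate traffic to."""
    return {membership[d] for d in membership if can_send(src, d, membership, pairs)}


if __name__ == "__main__":
    zones = parse_zones(SHOW_ZONE_SECURITY)
    print(zones)
    print("S0/1/0 can reach zones:", reachable_zones("S0/1/0", zones, ZONE_PAIRS))
```

Running it reproduces the explanation: S0/1/0 reaches no configured zone, S0/1/0 to S0/1/1 is allowed because both are unzoned, Fa0/0 to Fa0/1 passes as intra-zone traffic, and Fa0/0 to S0/0/1 passes only because of the assumed inside-to-dmz zone pair.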
