Which of the following traffic types are blocked by default in a zone-based policy firewall configuration? (Select 2 choices.)
A. traffic to or from the self zone
B. traffic between interfaces in the same zone
C. traffic between interfaces in a zone and interfaces not assigned to any zone
D. traffic between interfaces in different zones
E. traffic directly to or received from the router
Explanation:
In a zone-based policy firewall (ZFW) configuration, all traffic between interfaces in different zones is blocked by default. In addition, all traffic between interfaces that have been assigned to a zone and interfaces that are not assigned to any zone is blocked by default. ZFW is the latest iteration of Cisco's stateful firewall implementation, which was formerly called Context-Based Access Control (CBAC). With ZFW, virtual security zones are specified and then interfaces are assigned to the appropriate zone. By default, all traffic is implicitly permitted to flow between interfaces that have been assigned to the same zone; however, all traffic between zones is blocked. In addition, all traffic to and from an interface is implicitly blocked by default when the interface is assigned to a zone, but there are a few exceptions. Traffic to or from other interfaces in the same zone is permitted, as is traffic to or from the router itself. When ZFW is configured, a special zone called the self zone is automatically created and contains the IP addresses of all the router interfaces. By default, all traffic to or from the self zone is implicitly permitted; this implicit permission ensures that management access to the router is not lost when ZFW is configured.
In order for traffic to flow between user-configured zones, stateful packet inspection policies must be configured to explicitly permit traffic between the zones. The basic process is as follows:
1. Define the required zones.
2. Create zone pairs for zones that will pass traffic between themselves.
3. Define class maps to match the appropriate traffic for each zone pair.
4. Define policy maps to specify the actions that should be performed on matching traffic.
5. Apply the policy maps to the zone pairs.
6. Assign interfaces to their appropriate zones.
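The six steps above as a minimal Cisco IOS configuration, added here as an example and not taken from the original explanation; the zone names, interface numbers, the 10.0.0.0/24 address and the inspected protocols are assumed for illustration:

```cisco
! Added example (not from the original page). Zone names, interfaces,
! addresses and protocols below are assumed values.
!
! Step 1: define the zones (the self zone exists automatically)
zone security INSIDE
zone security OUTSIDE
!
! Step 3: class map matching the traffic to be inspected
class-map type inspect match-any CM-INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
!
! Step 4: policy map - statefully inspect matching traffic; anything
! else in this zone pair falls to class-default and is dropped and logged
policy-map type inspect PM-INSIDE-TO-OUTSIDE
 class type inspect CM-INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
! Steps 2 and 5: create the zone pair and apply the policy map to it.
! No OUTSIDE-to-INSIDE zone pair is created, so that direction keeps
! the default (blocked); return traffic of inspected sessions is
! permitted by the stateful inspection. No pair involving the self zone
! is created either, so traffic to/from the router itself stays permitted.
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUTSIDE
!
! Step 6: assign interfaces to their zones (done last so no interface
! is zoned before its policy exists)
interface GigabitEthernet0/0
 description LAN
 ip address 10.0.0.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN
 zone-member security OUTSIDE
!
! Verification:
!   show zone-pair security
!   show policy-map type inspect zone-pair sessions
```

Any interface left without a zone-member statement cannot exchange traffic with GigabitEthernet0/0 or GigabitEthernet0/1, which is the zone-to-unzoned default the explanation describes.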
Although inspection rules can be created for a large number of traffic types, stateful inspection of multicast traffic is not supported by ZFW and must be handled by other security features, such as Control Plane Policing (CoPP).
Reference: Cisco: Zone-Based Policy Firewall Design and Application Guide: Rules For Applying Zone-Based Policy Firewall
Category: Cisco Firewall Technologies