For which of the following traffic types is stateful inspection not supported in a ZFW configuration? (Select the best answer.)
A. DNS
B. ICMP
C. IGMP
D. NetBIOS
E. Sun RPC
Explanation:
Stateful inspection of Internet Group Management Protocol (IGMP) is not supported in a zone-based policy
firewall (ZFW) configuration. ZFW is the latest iteration of Cisco’s stateful firewall implementation, which was
formerly called Context-Based Access Control (CBAC). With ZFW, virtual security zones are specified and then
interfaces are assigned to the appropriate zone. By default, all traffic is implicitly permitted to flow between
interfaces that have been assigned to the same zone; however, all traffic between zones is blocked. In
addition, all traffic to and from an interface is implicitly blocked by default when the interface is assigned to a
zone, but there are a few exceptions. Traffic to or from other interfaces in the same zone is permitted, as is
traffic to or from the router itself.
In order for traffic to flow between zones, stateful packet inspection policies must be configured to explicitly
permit traffic between zones. The basic process is as follows:
1. Define the required zones.
2. Create zone pairs for zones that will pass traffic between themselves.
3. Define class maps to match the appropriate traffic for each zone pair.
4. Define policy maps to specify the actions that should be performed on matching traffic.
5. Apply the policy maps to the zone pairs.
6. Assign interfaces to their appropriate zones.
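The six steps above, as an added Cisco IOS configuration sketch that is not part of the original explanation. The zone names (INSIDE, OUTSIDE), the class-map, policy-map and zone-pair names, and the interface names are assumptions chosen for illustration; DNS and ICMP are used because they are among the inspectable traffic types named on this page.

```cisco
! Step 1: define the required zones (names are assumed)
zone security INSIDE
zone security OUTSIDE
!
! Step 2: create a zone pair for the direction that will pass traffic
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
!
! Step 3: class map matching the traffic to inspect for this zone pair
class-map type inspect match-any IN-TO-OUT-CLASS
 match protocol dns
 match protocol icmp
!
! Step 4: policy map stating the action for matching traffic;
! anything that does not match is dropped
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect IN-TO-OUT-CLASS
  inspect
 class class-default
  drop
!
! Step 5: apply the policy map to the zone pair
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
!
! Step 6: assign interfaces to their zones (interface names are assumed)
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
```

Only the INSIDE-to-OUTSIDE direction has a zone pair here, so sessions initiated from OUTSIDE remain blocked while return traffic for inspected sessions is permitted.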
Inspection rules can be created for a large number of traffic types, including the following:
– Domain Name System (DNS)
– Internet Control Message Protocol (ICMP)
– Network Basic Input/Output System (NetBIOS)
– Sun Remote Procedure Call (RPC)
However, stateful inspection of multicast traffic, such as IGMP, is not supported by ZFW and must be handled
by other security features, such as Control Plane Policing (CoPP).
Cisco: Zone-Based Policy Firewall Design and Application Guide: Rules For Applying Zone-Based Policy Firewall
Category: Cisco Firewall Technologies