Given the configuration example shown, what can be determined?

Refer to the exhibit. The INSIDE zone has been configured and assigned to two separate router interfaces. All other zones and interfaces have been properly configured. Given the configuration example shown, what can be determined?

A. Hosts in the INSIDE zone, with addresses in the 10.10.10.0/24 network, can access any host in the 10.10.10.0/24 network using the SSH protocol.

B. If a host in the INSIDE zone attempts to communicate via SSH with another host on a different interface within the INSIDE zone, communications must pass through the router self zone using the INTRAZONE policy.

C. This is an illegal configuration. You cannot have the same source and destination zones.

D. This policy configuration is not needed; traffic within the same zone is allowed to pass by default.



Ken

Seems like A may be correct for IOS that supports Intrazone policies (15.0.1M and higher) and D is correct for older IOS. Hmmm…..

Ahmad

B looks fine for me

Luis Cifer

class class-default = 15.0.1M

The real issue is that the subnet is the same 10.10.10.0/24
Router(config-if)#ip address 10.10.10.1 255.255.255.0
Router(config-if)#int fast 0/1
Router(config-if)#ip address 10.10.10.2 255.255.255.0
% 10.10.10.0 overlaps with FastEthernet0/0

So assuming both hosts are off the same interface, they would not need to go through the router to contact each other.

So A is a true statement
B is wrong because self zone does not apply to through traffic
C is wrong because you can
D would be false because the code is 15

If D said "the policy configuration is not needed." [full stop] Then it would be true.

The self zone is a system-defined zone. It does not have any interfaces as members. A zone pair that includes the self zone, along with the associated policy, applies to traffic directed to the router or traffic generated by the router. It does not apply to traffic through the router.

Intrazone Support in the Zone-Based Firewall Application

Intrazone support allows for zone configuration to include users both inside and outside a network. This allows for traffic inspection between users belonging to the same zone but different networks. Before Cisco IOS Release 15.0(1)M, traffic within a zone was allowed to pass uninspected by default. To configure a zone pair definition with the same zone for source and destination, use the zone-pair security command. This allows the functionality of attaching a policy map and inspecting the traffic within the same zone.

Intrazone Firewall Policies in IOS 15.X

All the scenarios studied so far considered the use of Cisco IOS releases belonging to the 12.4T train, which are characterized by an implicit permit for traffic flowing between two interfaces part of the same security zone.

Starting with release 15.0(1)M, IOS behaves in a way diametrically opposite to its predecessors: any traffic between interfaces in the same zone is blocked by default. If there is any interest in modifying this operation, you need to define an intrazone ZFW policy.

12.4T
When an interface is assigned to a security zone, immediately the only traffic allowed on the interface is router traffic (traffic to the router or initiated by the router) and intra-zone traffic (traffic between interfaces that are members of the same zone). To permit traffic to or from an interface that is a member of another zone, you must apply one or more zone-based firewall rules that include that zone. If the rule permits traffic (via the Pass, Inspect, or Filtering actions), traffic can flow through the interface to the other zone.
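The zone-pair with the same source and destination zone that the quoted Cisco text describes, written out as an added example (this is not the exhibit from the question, which is not reproduced here; interface names, addresses, the INTRAZONE name and the SSH-only class are assumed for illustration):

```cisco
! Added example, not the question's exhibit. On IOS 15.0(1)M or later,
! traffic between two interfaces of the same zone is dropped unless a
! same-zone zone-pair with an inspect policy exists.
! Interface names, addresses and policy names below are assumed.
!
! Only SSH is inspected; any other intrazone traffic falls into
! class-default and is dropped (and logged).
class-map type inspect match-any INSIDE-SSH
 match protocol ssh
!
policy-map type inspect INTRAZONE-POLICY
 class type inspect INSIDE-SSH
  inspect
 class class-default
  drop log
!
zone security INSIDE
!
! The intrazone zone-pair: INSIDE is both source and destination.
zone-pair security INTRAZONE source INSIDE destination INSIDE
 service-policy type inspect INTRAZONE-POLICY
!
! Two interfaces in the same zone must carry non-overlapping subnets;
! IOS rejects a second interface in 10.10.10.0/24 (see the
! "% 10.10.10.0 overlaps with FastEthernet0/0" error above), so two /25s
! are used here.
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.128
 zone-member security INSIDE
!
interface FastEthernet0/1
 ip address 10.10.10.129 255.255.255.128
 zone-member security INSIDE
!
! Checks: confirm the zone-pair and watch the inspected SSH sessions.
! show zone-pair security
! show policy-map type inspect zone-pair INTRAZONE sessions
```

With this in place, SSH from a host on Fa0/0 to a host on Fa0/1 is inspected through the INSIDE-to-INSIDE zone-pair, not through the self zone, which only covers traffic to or from the router itself.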

m

The question never states what the interface addresses and masks are, so it is wrong to assume they are /24. You could easily have two interfaces with /25 masks.
Also, it is possible that the firewall is in transparent mode.
So B is more likely to be the correct answer.

kiyam kadir

Great explanation by Luis Cifer.

Hosts do not need to consult the router if they can see each other on the same layer 2 segment and can communicate with each other. However, he is totally right in his comments that D is wrong because INTRAZONE IS NOT ALLOWED BY DEFAULT; otherwise, where would be the security feature?

Do not trust anything unless told so.