ZBFW and subinterfaces

millworx · May 2011

So I am playing with ZBFW and I had a quick question.

I have router on a stick configured. Each subinterface I have assigned to a zone. And one link going out of the router for WAN access in its own zone.

Now I cannot talk outside at all. I am wondering, does the primary interface that the subints are on need to be in a zone as well?

Also too, in my class map, if I don't specify any match protocol statements, this should match ALL protocols should it not?

millworx · May 2011

interface GigabitEthernet0/0/0
description TO WAN
ip address 10.10.10.1 255.255.255.252
zone-member security WAN

interface GigabitEthernet0/0/3
no ip address
negotiation auto
!
interface GigabitEthernet0/0/3.300
encapsulation dot1Q 300
ip address 10.33.85.81 255.255.255.240
zone-member security PARTNER

millworx · May 2011

millworx wrote: »

interface GigabitEthernet0/0/0
description TO WAN
ip address 10.10.10.1 255.255.255.252
zone-member security WAN

interface GigabitEthernet0/0/3
no ip address
negotiation auto
!
interface GigabitEthernet0/0/3.300
encapsulation dot1Q 300
ip address 10.33.85.81 255.255.255.240
zone-member security PARTNER

Okay so it appears that the physical interface has to be a part of the same zone as my WAN interface. I can now ping the wan interface.

Now the issue is, I have a machine connected to my wan interface running wireshark. If I ping from the partner zone to the PC in the wan zone, wireshark shows the ping, and shows the reply packet. But the machine in partner zone does not get the reply.... hmmm

ZBFW and subinterfaces

Comments