blackninja wrote: » You don't have dedicated firewall in your poll. Nearly every production network would use ACLs, but just not as a firewall.
notgoing2fail wrote: » Just wondering who here just uses regular ACLs in their production networks, or do you actually use Zone-based Firewall as intended by Cisco...
cjthedj45 wrote: » If there was the option to use a ZBF or just straight access lists then surely the ZBF would be a better option, as it has more features than just permit or deny. The ZBF will also inspect traffic and block any traffic with malicious code, for example. I'm no expert, but given the choice I think I would go with the ZBF. However, I have never used a ZBF in a production environment so I'm not sure how good they are "real world". My knowledge is just from what I have studied in the CCNA Security. I would be interested to hear if people do prefer access lists over a ZBF and why?
ilcram19-2 wrote: » You don't really want to use the SDM for this, since it requires you to keep track of class maps and policy maps, and with the naming that is used by SDM it gets confusing. Here is another example config allowing traffic from one VLAN to a DMZ zone:

    class-map type inspect match-all vlan2-DMZ-http-class
     match access-group name DMZ-vlan2-http-ACL
    class-map type inspect match-any vlan2-to-DMZ-class
     match protocol kerberos
     match protocol msrpc
     match protocol ntp
     match protocol ldap
     match access-group name vlan2-DMZ-ACL
     match protocol dns
     match protocol icmp
    policy-map type inspect vlan2-to-DMZ-policy
     class type inspect vlan2-DMZ-http-class
      pass
      log                      < no inspecting, just passing traffic
     class type inspect vlan2-to-DMZ-class
      inspect ZFW
     class class-default
      drop log
    zone-pair security vlan2-to-DMZ source VLAN2 destination DMZ
     service-policy type inspect vlan2-to-DMZ-policy

    Extended IP access list vlan2-DMZ-http-ACL
     10 permit tcp 10.200.34.128 0.0.0.127 host 10.33.45.2 eq www (43709224 matches)
    Extended IP access list vlan2-DMZ-ACL
     10 permit ip 10.200.34.128 0.0.0.127 host 10.33.45.5 (116893 matches)
     20 permit ip 10.200.34.128 0.0.0.127 host 10.33.45.23
     30 permit ip 10.200.34.128 0.0.0.127 host 10.33.45.80
     40 permit ip 10.200.34.128 0.0.0.127 host 10.33.45.81
     50 permit ip 10.200.34.128 0.0.0.127 host 10.33.45.126 (24429 matches)
     60 permit ip 10.200.34.128 0.0.0.127 host 10.33.45.119 (5315 matches)
     70 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 445 (65586 matches)
     80 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 135
     90 permit udp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 389 (30785 matches)
     100 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 389
     110 permit udp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 3268
     120 permit udp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq ntp
     130 permit udp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq domain (577528 matches)
     140 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq domain (28 matches)
     150 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 53211
     160 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 53212
     170 permit tcp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 88
     180 permit udp 10.200.34.128 0.0.0.127 10.33.45.0 0.0.0.127 eq 88 (25465 matches)
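An added example (my own code, not from the poster or from Cisco): a small Python audit that reads a ZBF config in the style of the post above and flags dangling references between class-maps, ACLs, policy-maps and zone-pairs, plus any class that uses pass rather than inspect, which is the sort of consistency check worth running before a zone-pair goes live. SAMPLE_CONFIG is constructed from the post's names in running-config form (not show access-lists output) and deliberately references an ACL name that is never defined so the check has something to find.

```python
import re

# Constructed sample in the style of the forum post; names are the post's own.
# The first class-map references DMZ-vlan2-http-ACL, but the ACL that exists
# is named vlan2-DMZ-http-ACL: an inspect class with no matching ACL never
# matches, so that traffic silently falls through to class-default (drop).
SAMPLE_CONFIG = """
class-map type inspect match-all vlan2-DMZ-http-class
 match access-group name DMZ-vlan2-http-ACL
class-map type inspect match-any vlan2-to-DMZ-class
 match protocol kerberos
 match access-group name vlan2-DMZ-ACL
policy-map type inspect vlan2-to-DMZ-policy
 class type inspect vlan2-DMZ-http-class
  pass
 class type inspect vlan2-to-DMZ-class
  inspect ZFW
 class class-default
  drop log
zone-pair security vlan2-to-DMZ source VLAN2 destination DMZ
 service-policy type inspect vlan2-to-DMZ-policy
ip access-list extended vlan2-DMZ-http-ACL
 permit tcp 10.200.34.128 0.0.0.127 host 10.33.45.2 eq www
ip access-list extended vlan2-DMZ-ACL
 permit ip 10.200.34.128 0.0.0.127 host 10.33.45.5
"""

def audit_zbf(config):
    """Return a list of findings: references to undefined ACLs, class-maps or
    policy-maps, and classes that 'pass' traffic with no stateful inspection."""
    acls = set(re.findall(r"^ip access-list (?:extended|standard) (\S+)", config, re.M))
    class_maps = set(re.findall(r"^class-map type inspect \S+ (\S+)", config, re.M))
    policy_maps = set(re.findall(r"^policy-map type inspect (\S+)", config, re.M))
    findings = []
    for acl in re.findall(r"^\s+match access-group name (\S+)", config, re.M):
        if acl not in acls:
            findings.append(f"class-map references undefined ACL {acl}")
    for cls in re.findall(r"^\s+class type inspect (\S+)", config, re.M):
        if cls not in class_maps:
            findings.append(f"policy-map references undefined class-map {cls}")
    for pol in re.findall(r"^\s+service-policy type inspect (\S+)", config, re.M):
        if pol not in policy_maps:
            findings.append(f"zone-pair references undefined policy-map {pol}")
    # 'pass' forwards packets statelessly: no session state is built, so return
    # traffic needs its own explicit policy on the reverse zone-pair.
    for cls in re.findall(r"^\s+class type inspect (\S+)\n\s+pass\b", config, re.M):
        findings.append(f"class {cls} uses pass (no stateful inspection)")
    return findings
```

Running audit_zbf(SAMPLE_CONFIG) reports the undefined ACL and the pass-only class; renaming the reference to the ACL that actually exists leaves only the pass finding.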