Hi!
Doing a lab with Zone based FW.
It's from INE Vol2 lab4.
BB1 is connected to R6 in a VRF (VPN_A)
R6 is a PE and is doing MPLS over a tunnel interface to R4, which is a PE too
and is connected to BB3.
R6 is configured as a zone based FW and serial0/0/0 is in zone OUTSIDE and
this interface connects to BB1.
I tried to put the MPLS tunnel interface in zone INSIDE, and tried ping and
telnet from BB3 to BB1, and it works. Why?
I tried with match protocol and match access-list to match the traffic that
ZBF should inspect; both work.
Is ZBF actually looking into the MPLS tagged packets?
Here is my config on R6:
class-map type inspect match-all ICMP
match access-group name ICMP
class-map type inspect match-any UDP-TCP
match access-group name UDP-TCP
class-map type inspect match-any HTTPS
match access-group name HTTP
class-map type inspect match-any DNS
match access-group name DNS
class-map type inspect match-any HTTPS-SERVER
match access-group name HTTPS-SERVER
class-map type inspect match-any DNS-ICMP
match class-map DNS
match class-map ICMP
class-map type inspect match-all HTTP-HTTPS
match class-map HTTPS-SERVER
match class-map HTTPS
!
policy-map type inspect OUTSIDE-IN
class type inspect HTTP-HTTPS
inspect
class type inspect DNS-ICMP
inspect
police rate 128000 burst 1000
class class-default
drop log
policy-map type inspect INSIDE-OUT
class type inspect UDP-TCP
inspect
class type inspect ICMP
inspect
class class-default
drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUT
zone-pair security OUTSIDE-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-IN
!
!
interface Tunnel46
ip address 141.1.46.6 255.255.255.0
zone-member security INSIDE
!
interface Serial0/0/0:0
ip vrf forwarding VPN_A
ip address 54.1.1.6 255.255.255.0
zone-member security OUTSIDE
Verification:
Doing a telnet from BB3 to BB1 (inside to outside):
Rack1R6#show policy-map type inspect zone-pair sessions
policy exists on zp INSIDE-OUT
Zone-pair: INSIDE-OUT
Service-policy inspect : INSIDE-OUT
Class-map: UDP-TCP (match-any)
Match: access-group name UDP-TCP
2 packets, 48 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 1
Established Sessions
Session 66CBE0A0 (204.12.1.254:36384)=>(54.1.1.254:23) telnet:tcp
SIS_OPEN
Created 00:00:06, Last heard 00:00:06
Bytes sent (initiator:responder) [30:1206]
And HTTP from BB1 to the HTTP server 204.12.1.100 port 80:
policy exists on zp OUTSIDE-IN
Zone-pair: OUTSIDE-IN
Service-policy inspect : OUTSIDE-IN
Class-map: HTTP-HTTPS (match-all)
Match: class-map match-any HTTPS-SERVER
Match: access-group name HTTPS-SERVER
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any HTTPS
Match: access-group name HTTP
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Number of Established Sessions = 1
Established Sessions
Session 66CBE2A0 (54.1.1.254:25090)=>(204.12.1.100:80) http:tcp
SIS_OPEN
Created 00:00:06, Last heard 00:00:06
Bytes sent (initiator:responder) [0:0]
-Torleif
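An added example, not part of the original post and not INE material: a small Python parser for the "show policy-map type inspect zone-pair sessions" output shown above, plus a check that every established session was initiated from the source zone of its zone-pair (the question of whether the tunnel-side hosts really land in INSIDE). It reads the zone-pair source/destination from the "zone-pair security" config lines and takes a constructed zone-to-prefix map as an assumption (INSIDE = 204.12.1.0/24 behind the tunnel, OUTSIDE = 54.1.1.0/24 on the serial); the sample output and config strings are copied from the post.

```python
"""Parse IOS 'show policy-map type inspect zone-pair sessions' output and check
that each session's initiator sits in the zone-pair's source zone.  Added example,
not from the original post; the zone prefixes below are an assumption."""
import ipaddress
import re
from dataclasses import dataclass

# One session line, e.g.
# Session 66CBE0A0 (204.12.1.254:36384)=>(54.1.1.254:23) telnet:tcp
SESSION_RE = re.compile(
    r"^Session\s+(?P<id>[0-9A-Fa-f]+)\s+"
    r"\((?P<src_ip>[\d.]+):(?P<src_port>\d+)\)=>"
    r"\((?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\)\s+"
    r"(?P<app>[^:\s]+):(?P<proto>\w+)\s*$"
)
BYTES_RE = re.compile(r"^Bytes sent \(initiator:responder\) \[(\d+):(\d+)\]")
ZONE_PAIR_RE = re.compile(
    r"^zone-pair security (\S+) source (\S+) destination (\S+)"
)


@dataclass
class Session:
    zone_pair: str
    class_map: str
    session_id: str
    initiator: str
    initiator_port: int
    responder: str
    responder_port: int
    app: str
    proto: str
    state: str = ""
    bytes_initiator: int = 0
    bytes_responder: int = 0


def parse_sessions(text):
    """Walk the show output, remembering the current zone-pair and class-map,
    and build one Session per 'Session ...' line with its state and byte counts."""
    sessions = []
    zone_pair = class_map = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Zone-pair:"):
            zone_pair = line.split(":", 1)[1].strip()
        elif line.startswith("Class-map:"):
            # "Class-map: UDP-TCP (match-any)" -> "UDP-TCP"
            class_map = line.split(":", 1)[1].split("(")[0].strip()
        elif (m := SESSION_RE.match(line)):
            current = Session(zone_pair, class_map, m["id"],
                              m["src_ip"], int(m["src_port"]),
                              m["dst_ip"], int(m["dst_port"]),
                              m["app"], m["proto"])
            sessions.append(current)
        elif current is not None and line.startswith("SIS_"):
            current.state = line
        elif current is not None and (m := BYTES_RE.match(line)):
            current.bytes_initiator = int(m[1])
            current.bytes_responder = int(m[2])
    return sessions


def parse_zone_pairs(config):
    """Return {zone_pair_name: (source_zone, destination_zone)} from IOS config."""
    pairs = {}
    for raw in config.splitlines():
        if (m := ZONE_PAIR_RE.match(raw.strip())):
            pairs[m[1]] = (m[2], m[3])
    return pairs


def in_zone(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def check_direction(sessions, zone_pairs, zone_prefixes):
    """For each session: True if the initiator is in the zone-pair's source zone
    and the responder in its destination zone, else False."""
    results = {}
    for s in sessions:
        src_zone, dst_zone = zone_pairs[s.zone_pair]
        results[s.session_id] = (in_zone(s.initiator, zone_prefixes[src_zone])
                                 and in_zone(s.responder, zone_prefixes[dst_zone]))
    return results


# Copied from the post's show output (both zone-pairs).
SAMPLE_OUTPUT = """\
policy exists on zp INSIDE-OUT
Zone-pair: INSIDE-OUT
Service-policy inspect : INSIDE-OUT
Class-map: UDP-TCP (match-any)
Match: access-group name UDP-TCP
2 packets, 48 bytes
Inspect
Number of Established Sessions = 1
Established Sessions
Session 66CBE0A0 (204.12.1.254:36384)=>(54.1.1.254:23) telnet:tcp
SIS_OPEN
Created 00:00:06, Last heard 00:00:06
Bytes sent (initiator:responder) [30:1206]
policy exists on zp OUTSIDE-IN
Zone-pair: OUTSIDE-IN
Service-policy inspect : OUTSIDE-IN
Class-map: HTTP-HTTPS (match-all)
Inspect
Number of Established Sessions = 1
Established Sessions
Session 66CBE2A0 (54.1.1.254:25090)=>(204.12.1.100:80) http:tcp
SIS_OPEN
Bytes sent (initiator:responder) [0:0]
"""
# Copied from the post's R6 config.
SAMPLE_CONFIG = """\
zone-pair security INSIDE-OUT source INSIDE destination OUTSIDE
zone-pair security OUTSIDE-IN source OUTSIDE destination INSIDE
"""
# Assumption (constructed): which prefixes live behind each zone on R6.
ZONE_PREFIXES = {"INSIDE": ["204.12.1.0/24"], "OUTSIDE": ["54.1.1.0/24"]}


def run_sample():
    sessions = parse_sessions(SAMPLE_OUTPUT)
    return check_direction(sessions, parse_zone_pairs(SAMPLE_CONFIG), ZONE_PREFIXES)


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(s.zone_pair, s.class_map, s.app, s.initiator, "->", s.responder, s.state)
    print(run_sample())
```

Paste a fresh show output into SAMPLE_OUTPUT and the zone-pair lines into SAMPLE_CONFIG; any session reported as False means a flow was admitted into a zone-pair from an address you did not expect on that side, which is the first thing to look at when a flow "works" through the firewall unexpectedly.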
Blogs and organic groups at http://www.ccie.net
Received on Tue Oct 16 2012 - 12:00:06 ART
This archive was generated by hypermail 2.2.0 : Thu Nov 01 2012 - 10:53:33 ART