Zone Based Firewall Configuration Example

Hello Andrew

Hmm, that’s interesting. I chatted with @ReneMolenaar about this one. He labbed it up with the configs you have in your post and it seems to be working correctly. You can even see the ISAKMP and ESP counters go up on the access list:

R2#show access-lists 
Extended IP access list ISAKMP_IPSEC
    10 permit udp any any eq isakmp (16 matches)
    20 permit ahp any any
    30 permit esp any any (38 matches)
    40 permit udp any any eq non500-isakmp

Do you want to recheck the status of your setup and do a couple of more tests to verify the behaviour of your topology? Let us know how you get along and we’ll be here if you need any additional help…

I hope this has been helpful!


Hi Laz,

Thanks for the assistance. Now taken this to Cisco Tac, as i am still fighting with this one.

How did you get the matches on the ACL? As this does not happen by default.

Hello Andrew

OK, let us know how you get along with TAC. Now in order to get the matches on the ACLs, simply add the log keyword at the end of each line of the ACL that you want to log matches to. So for your ACLs, you would do this:

ip access-list extended Bespoke_VPN
10 permit udp any any eq isakmp log
20 permit ahp any any log
30 permit esp any any log
40 permit udp any any eq non500-isakmp log

I hope this has been helpful!


Sorry Laz, something is not right here with the log command

For Normal ACL’s, the ‘log’ keyword will write the match to the syslogs, matches will be shown by default on a normal ACL.

However, If i try and match an ACL from within the Class-Map, i get the following message, if the keywork ‘log’ is attached to the ACL

% access-lists with 'log' keyword are not supported

Matches are not shown on ZBFW, instead i can see matches when issues show commands such as

show policy-map type inspect zone-pair x

Hello Andrew

Yes, you are correct, the log option is not supported for use with class-maps. By default, the ACL should display how many matches it has encountered. It also depends upon the platform and IOS version that you are using. Specifically, in the lab implementation, IOS version 15.9(3)M2 is being used on an IOSv device using CML. According to this Cisco Documentation:

Access control lists (ACLs) in a class map are used only for classification; the firewall does not display the packet count that matches the configured ACLs. Perfilter statistics is available in zone-based firewalls from Cisco IOS XE Release 3.13S and later releases.

So it looks like it ultimately boils down to the IOS version you are using. Depending on the version, it may or may not show matches. For more info on how IOS and IOS XE versions are related, take a look at this lesson:

I hope this has been helpful!


1 Like

Nice Lesson! Which are the Routers/IOS that support ZBF? I don’t find the zone command in the routers I use in GNS3.

Hello Giacomo

According to Cisco, the ZBF feature was introduced in IOS version 12.4(6)T. You can find out more info about it at the following two links:

In addition, you can check out Cisco’s feature navigator and search out the zone-based firewall feature to see what particular platforms support it.

I hope this has been helpful!


I’m looking to implement IPv6 on a C1111-4P acting as CPE/FTTH router. This would require me to implement stateful firewalling as a simple NAT overflow setup like with IPv4 will not suffice.

So far I’ve come up with the following config:

class-map type inspect match-any SP_LAN-TO-WAN
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect PM_LAN-TO-WAN
 class type inspect SP_LAN-TO-WAN
 class class-default
zone security LAN
zone security WAN
zone-pair security LAN-TO-WAN source LAN destination WAN
 description LAN-TO-WAN TRAFFIC
 service-policy type inspect PM_LAN-TO-WAN
zone-pair security WAN-TO-LAN source WAN destination LAN
 description WAN-TO-LAN TRAFFIC

interface GigabitEthernet0/0/0
 description outside
 ip nat outside
 zone-member security WAN

interface GigabitEthernet0/0/1
 description inside
 ip nat inside
 zone-member security LAN

The goal is to simply allow all normal traffic from LAN to WAN. Is this the way to go or is there a batter way to match “all traffic” instead of matching on tcp/udp/icmp ?

It seems enabling ZBFW with the config above reduces the throughput with ~ 20%. And during some iperf tests the following message is logged:

> %IOSXE_QFP-2-LOAD_EXCEED: Slot: 0, QFP:0, Load 100% exceeds the setting threshold 80%.
> 5 secs traffic rate on QFP: Total Input: 64546 pps (64.5 kpps), 730304048 bps (730.3 mbps),  Total Output: 64447 pps (64.4 kpps), 732756136 bps (732.8 mbps).

Hello Fabian

Your configuration seems to be mostly correct for stateful firewalling using ZBF. The class-map you have created is matching TCP, UDP and ICMP protocols, which should cover most of the traffic.

However, if you want to match all traffic, you can modify your class-map to match all IP traffic instead, like this:

class-map type inspect match-any SP_LAN-TO-WAN
 match protocol ip

This will match all IP traffic, not just TCP, UDP and ICMP.

Regarding the performance issue, ZBF can indeed introduce some overhead as it requires more processing power to inspect packets. The message you’re seeing indicates that the router’s CPU is reaching its limit, and this is likely the reason for your decrease in throughput. You might want to consider upgrading your hardware if you’re pushing a lot of traffic through the router and need to use ZBF.

Alternatively, you could try to optimize your policy-map to reduce the CPU load. For example, you could try to limit the inspection to only the traffic you’re really interested in, or you could try to use the ‘pass’ action for some traffic instead of ‘inspect’.

Lastly, I would recommend you monitor the CPU usage regularly and during different times of the day to get a better understanding of the load on the router and what kinds of traffic patterns are causing this excess usage. This can help you to better plan for capacity and possible hardware upgrades. Let us know how you get along!

I hope this has been helpful!


1 Like