Some organizations thus opt to deploy a standalone device to handle each connection at a branch office.
The MPLS connection terminates to a branch-level router which supports BGP and offers flexible physical interface options.
A security zone is a group of routed interfaces which are intended to be treated similarly from a security perspective.
For example, if you have two redundant Internet connections from an edge router, both could be placed into a shared "untrusted" zone: it is irrelevant from a security perspective which is the primary connection and which is for failover.
For example, we don't want to risk a guest bringing in a laptop infected with a spambot, sending out spam from our Internet connection, and getting our organization's IP space blacklisted.

A connection into the internal network, however, would be assigned to a separate, trusted zone. Additional zones can also be created with levels of trust which might fall in between the two; for example, a guest wireless network or corporate extranet.

We'll create three zone pairs to meet our requirements:

Finally, we'll define and apply our security policies to the zone pairs. Policies are defined as inspection policy maps, which are very similar in construct to policy maps used for quality of service (QoS) classification and marking.

    Router(config)# policy-map type inspect Trusted_to_Internet
    Router(config-pmap)# class type inspect All_Protocols
    Router(config-pmap-c)# inspect
    Router(config-pmap-c)# policy-map type inspect Guest_to_Internet
    Router(config-pmap)# class type inspect Guest_Protocols
    Router(config-pmap-c)# inspect Internet
    Router(config-sec-zone-pair)# service-policy type inspect Guest_to_Internet
    Router(config-sec-zone-pair)# zone-pair security Trusted
    Router(config-sec-zone-pair)# service-policy type inspect Trusted

    Router# show policy-map type inspect zone-pair
    policy exists on zp Trusted
    Zone-pair: Trusted
    Service-policy inspect : Trusted
    Class-map: class-default (match-any)
    Match: any
    Pass
    10 packets, 800 bytes

    policy exists on zp Trusted-Internet
    Service-policy inspect : Trusted_to_Internet
    Class-map: All_Protocols (match-any)
    Match: protocol tcp
    0 packets, 0 bytes
    30 second rate 0 bps
    Match: protocol udp
    0 packets, 0 bytes
    30 second rate 0 bps
    Match: protocol icmp
    1 packets, 80 bytes
    30 second rate 0 bps
    ...
This design is certainly functional and very flexible; however, the initial cost of deploying three relatively expensive infrastructure devices in this manner can be prohibitive.