When is "Deny all" policy an exception in Zone Based Firewall
A. traffic traverses 2 interfaces in same zone
B. traffic sources from router via self zone
C. traffic terminates on router via self zone
D. traffic traverses 2 interfaces in different zones
E. traffic terminates on router via self zone
Correct Answer: A
Explanation/Reference:
+ There is a default zone, called the self zone, which is a logical zone. Any packet addressed to the router itself (the destination IP address is one of the router's own addresses) is automatically considered by the router to be entering the self zone. In addition, any traffic initiated by the router is considered to be leaving the self zone. By default, any traffic to or from the self zone is allowed, but you can change this policy.
+ For the rest of the administrator-created zones, no traffic is allowed between interfaces in different zones.
+ For interfaces that are members of the same zone, all traffic is permitted by default: traffic is implicitly allowed to flow among interfaces that are members of the same zone.
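The three rules above map directly onto a zone-based firewall configuration. The following is an added example and not configuration taken from the page or from Cisco documentation; the zone names, interface names, the MGMT-ACL name and the 10.0.0.0/24 management subnet are assumptions. It shows the default deny between administrator-created zones (only the INSIDE-to-OUTSIDE zone-pair exists, so OUTSIDE-initiated traffic has no policy and is dropped), and then replaces the self zone's default "allow everything" with an explicit policy so that only TCP from the management subnet can reach the router.

```cisco-ios
! Added example (not from the page). Two administrator-created zones; the
! built-in "self" zone needs no "zone security" statement.
zone security INSIDE
zone security OUTSIDE

! --- Administrator-created zones: nothing crosses until a zone-pair says so ---
class-map type inspect match-any INSIDE-TO-OUTSIDE-CLASS
 match protocol tcp
 match protocol udp
 match protocol icmp

policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-CLASS
  inspect
 class class-default
  drop log

! Only the INSIDE -> OUTSIDE direction has a zone-pair. Return traffic for
! inspected sessions is allowed statefully; anything OUTSIDE initiates toward
! INSIDE has no zone-pair and falls under the default deny.
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY

! --- Self zone: allowed by default, restricted here explicitly ---
! Assumed management subnet; adjust to the real one.
ip access-list extended MGMT-ACL
 permit ip 10.0.0.0 0.0.0.255 any

class-map type inspect match-all MGMT-TO-ROUTER
 match access-group name MGMT-ACL
 match protocol tcp

policy-map type inspect MGMT-POLICY
 class type inspect MGMT-TO-ROUTER
  inspect
 class class-default
  drop log

! Once this zone-pair exists, INSIDE -> router traffic that is not matched by
! MGMT-TO-ROUTER hits class-default and is dropped. Traffic the router itself
! originates toward INSIDE still has no self -> INSIDE zone-pair and keeps the
! self zone's default permit.
zone-pair security INSIDE-TO-SELF source INSIDE destination self
 service-policy type inspect MGMT-POLICY

! Interface names are assumptions.
interface GigabitEthernet0/0
 description LAN side (assumed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN side (assumed)
 zone-member security OUTSIDE
```

Two points worth checking on a real device before applying something like this: an interface that is a member of no zone cannot exchange traffic with an interface that is, and a self-zone policy also governs control-plane traffic (routing protocols, NTP, syslog replies), so its class-map must match everything the router legitimately needs to receive.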
Hello guys, the issue gets confusing, take a look:
http://cynetsch.blogspot.com/2013/08/ccna-security-rules-for-applying-zone.html
This question should have a “choose two” option.
Correct answer is C
I think the options on this question are twisted. The problem with answer A is that if you create a policy to prevent X from reaching Z (both in the same zone) and don’t create a permit any any, it WILL reach the implicit deny. Now consider this paper from Cisco where it says:
"The Self zone is the only exception to the default “deny all” policy. All traffic to any router interface is allowed until explicitly denied."
Page 18.3:
https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/fwzbf.pdf