A zone can be thought of as a logical area where devices with the same trust level reside. A zone can have one or more interfaces, but an interface can only belong to one zone. There is a default zone called the self zone: any packet directed to the router or firewall itself is considered to be entering the self zone. By default, any traffic to or from the self zone is allowed, but that can be changed.
The zone that holds all the trusted devices is most commonly known as the Inside zone, and the zone that holds the untrusted devices is referred to as the Outside zone. There is also a 4th zone for devices whose trust level is greater than that of a device on the public network but less than that of a device in the Inside zone. This zone is called the Demilitarized Zone (DMZ).
Cisco uses a language called the Cisco Common Classification Policy Language (C3PL). C3PL can be used to inspect or block the traffic passing between zones. C3PL uses maps to achieve this.
There are 3 primary maps used by C3PL:
- Class Maps
- Policy Maps
- Service Policies
Class Maps are used to identify traffic. Traffic can be matched on layers 3 through 7 of the OSI model. Class Maps can also refer to an access list or call other class maps to identify traffic. A Class Map can require that all of its conditions match by using match-all, or that any one condition matches by using match-any.
Policy Maps define the actions that should be taken after the traffic has been identified by class maps.
Service policies apply the policies defined by policy maps to zone pairs.
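The following IOS configuration is an added example (not part of the original page or its lab) that ties the pieces together: three zones, one class map per style of matching, a policy map per zone pair, and service policies bound to unidirectional zone pairs. Interface names, the ACL, the 192.0.2.10 server address and all map names are assumptions made for this example.

```cisco
! Zones: one per trust level; the self zone exists implicitly
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
! Interface names and addresses are assumptions for this example
interface GigabitEthernet0/0
 zone-member security INSIDE
interface GigabitEthernet0/1
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 zone-member security DMZ
!
! Class map: identify traffic; match-any = any listed protocol matches
class-map type inspect match-any CM-INSIDE-TO-OUT
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Class map that references an ACL; match-all = both conditions must match
ip access-list extended ACL-TO-DMZ-WEB
 permit tcp any host 192.0.2.10 eq 80
class-map type inspect match-all CM-ANY-TO-DMZ-WEB
 match access-group name ACL-TO-DMZ-WEB
 match protocol http
!
! Policy maps: action per class; unmatched traffic falls to class-default
policy-map type inspect PM-INSIDE-TO-OUT
 class type inspect CM-INSIDE-TO-OUT
  inspect
 class class-default
  drop log
policy-map type inspect PM-TO-DMZ-WEB
 class type inspect CM-ANY-TO-DMZ-WEB
  inspect
 class class-default
  drop log
!
! Zone pairs are unidirectional; inspect creates state so replies return
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-TO-OUT
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
 service-policy type inspect PM-TO-DMZ-WEB
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
 service-policy type inspect PM-TO-DMZ-WEB
!
! Verify with: show zone-pair security / show policy-map type inspect zone-pair sessions
```

Traffic between two zones with no zone pair defined (here OUTSIDE to INSIDE) is dropped, while traffic to and from the self zone stays allowed because no zone pair involving self has been configured.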
The following lab will explain these concepts.