Cisco Zone-Based Firewall (ZBFW) — Zones, Zone-Pairs, Policy-Maps
How Cisco's Zone-Based Firewall models a router as a set of security zones with policy-maps controlling traffic between them. Zone-pairs, class-based policy, the self zone, and typical enterprise deployments.
- **ZBFW** groups interfaces into **zones** and controls traffic with **zone-pair policies**. Every interface must belong to a zone; traffic between zones is denied by default until a policy permits it.
- Config pattern: class-map (what traffic) → policy-map (what to do — inspect/pass/drop) → zone-pair (from which zone to which). Same MQC syntax as QoS.
- The **self zone** represents the router's own IP addresses. Special policies control traffic to/from the router itself (SSH, SNMP, routing protocols).
The one-sentence mental model
ZBFW turns a Cisco router into a stateful firewall by grouping interfaces into zones and writing rules for zone-to-zone traffic flows. Instead of “ACL on interface X inbound”, you say “traffic from the INSIDE zone to the OUTSIDE zone matches this class; do this action.” One policy per direction per zone-pair.
The pieces
Zone
A logical group of interfaces sharing the same security profile. Common zones:
- INSIDE — trusted LAN interfaces
- OUTSIDE — untrusted internet-facing interfaces
- DMZ — semi-trusted, publicly-reachable servers
- VPN — remote-access VPN termination
- SELF — implicit zone that includes the router’s own IP addresses. Always present.
Every interface must belong to exactly one zone. An unassigned interface is treated as if in no zone, and by default, traffic to/from it is denied.
Zone-pair
A directional relationship — traffic from zone A to zone B. Policy is applied to the pair. INSIDE → OUTSIDE is one zone-pair; OUTSIDE → INSIDE is a different one.
Traffic between interfaces in the same zone is permitted by default (no zone-pair needed).
Traffic between two zones with no zone-pair is denied by default.
Class-map
Identifies traffic — inspect type class-maps (specific to ZBFW):
class-map type inspect match-any WEB-TRAFFIC
match protocol http
match protocol https
match protocol dns
Policy-map
Applies an action to matched traffic:
policy-map type inspect INSIDE-TO-OUTSIDE
class type inspect WEB-TRAFFIC
inspect
class type inspect INSIDE-TO-OUTSIDE-DENY
drop log
class class-default
drop
Actions:
- inspect — stateful; automatically permits return traffic
- pass — stateless permit; doesn’t track state (used for asymmetric flows or when explicit inspection is unwanted)
- drop — deny
- log — modifier on drop for logging
Zone-pair binding
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE
Traffic ingressing from an INSIDE-zone interface heading to an OUTSIDE-zone interface hits this policy.
Interface assignment
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/1
zone-member security INSIDE
interface GigabitEthernet0/2
zone-member security OUTSIDE
The self zone
self is the implicit zone representing the router itself. Traffic destined to a router IP or generated by the router hits the self zone.
By default, traffic from any zone to self is permitted, and self to any zone is permitted. This is a design choice so you don’t lock yourself out during config. But it’s also a security hole.
For a hardened box, add explicit zone-pairs to self:
class-map type inspect match-any MGMT-ALLOWED
match protocol ssh
match protocol snmp
policy-map type inspect FROM-INSIDE-TO-SELF
class type inspect MGMT-ALLOWED
inspect
class class-default
drop
zone-pair security INSIDE-TO-SELF source INSIDE destination self
service-policy type inspect FROM-INSIDE-TO-SELF
Now only SSH and SNMP from INSIDE reach the router itself. Everything else drops.
Typical enterprise pattern
Three zones: INSIDE, OUTSIDE, DMZ. Zone-pairs:
- INSIDE → OUTSIDE — inspect (allow LAN to internet, stateful, return traffic auto-permitted)
- DMZ → OUTSIDE — inspect (allow servers to update, reach out for external APIs)
- OUTSIDE → DMZ — inspect only specific services (HTTP/HTTPS to web server, DNS to DNS server)
- INSIDE → DMZ — inspect (users reach servers)
- DMZ → INSIDE — usually drop (no reason for DMZ to initiate to LAN)
- OUTSIDE → INSIDE — drop (inbound blocked by default, no zone-pair needed)
Common exam / real-world mistakes
- Forgetting to assign every interface to a zone. Unassigned interfaces can’t send or receive across zones. Common cause of “why is my WAN not working after ZBFW”.
- Missing the return-path zone-pair. ZBFW is stateful with
inspect— return traffic is auto-permitted. But if youpassinstead ofinspect, you need explicit both-direction zone-pairs. - Locking yourself out via
selfzone. If you configure a zone-pair toselfand get the classification wrong, SSH stops working. Test out-of-band access before applying. - Overlapping class-maps. Class-maps in a policy-map are top-down, first match wins. Order matters.
- Assuming ZBFW replaces ACLs. Interface ACLs still work below ZBFW. Both are evaluated. Use one or the other consistently.
- Turning on ZBFW without a change window. Any misconfiguration = production outage. Always deploy with a rollback plan.
Verifying
show zone security ! zones and their interfaces
show zone-pair security ! zone-pairs and their policies
show policy-map type inspect zone-pair ! runtime hit counters per class
show policy-firewall sessions ! active stateful sessions
Cheat strip
Model zones (groups of interfaces) + zone-pairs (directional rules)
Default same-zone traffic ALLOWED
different-zone traffic DENIED (until zone-pair permits)
Special self zone = the router itself (SSH/SNMP/routing)
Config flow class-map inspect → policy-map inspect → zone-pair → apply
Actions inspect (stateful, returns permitted) | pass | drop | log
Typical zones INSIDE | OUTSIDE | DMZ | VPN | self
Verify show zone security
show zone-pair security
show policy-firewall sessions
Practice — quick check
A scenario each round. Take your time — there's a Next button whether you're right or wrong.
Want this drilled into reflex?
1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNP® exam blueprint. Free first session. No card on file until you decide.
Related topics
Access Control Lists (ACLs)
Definitive CCNA-level ACL guide — first-match-wins, implicit deny, wildcard masks, standard vs extended vs named, direction (in vs out), the established keyword, time-based ACLs, named-ACL editing, 9 worked scenarios, and the ACL debug workflow.
Security FundamentalsCoPP — Control Plane Policing
Why routers need CoPP, how it rate-limits traffic destined to the CPU (routing protocols, SNMP, SSH, ARP), and the classify/police policy shape CCNP ENCOR tests.
IP ServicesNAT & PAT
Definitive CCNA-level NAT guide — static NAT, dynamic NAT, PAT/overload, the four inside/outside terms, port forwarding, CGNAT, NAT64 brief, hairpin NAT, translation table limits, 8 worked scenarios, and the NAT debug workflow.
Get the free CCNA 12-week roadmap
You're already reading up on Cisco Zone-Based Firewall (ZBFW) — Zones, Zone-Pairs, Policy-Maps. The roadmap is the order I recommend studying every CCNA topic in — with what to lab each week and where Cisco Zone-Based Firewall (ZBFW) — Zones, Zone-Pairs, Policy-Maps fits. A written personal reply, not an autoresponder. Expect it within one business day.
Personal reply from a senior network engineer. No third-party tracking. Unsubscribe any time.
