Configuring ZFW Using Cisco Policy Language (CPL)
ZFW is configured using the new command set of Cisco Policy Language (CPL). CPL is the new architecture that enables
ZFW. The architecture is similar to the Modular QoS CLI (MQC) in that a class-map identifies the traffic and the
policy is applied in a policy-map.
Several steps are required to complete the configuration. Although the order of the tasks that follows is not
important, some tasks depend on each other. For example, a class-map must be configured before it can be
used in a policy-map. Similarly, a policy-map cannot be assigned to a zone-pair before the
policy-map itself has been configured, and so on.
The following tasks are required to complete the ZFW configuration using CPL:
Define zones
Define zone-pairs
Define class-map(s) that identify the traffic that must have policy applied as it traverses a zone-pair
Define a policy-map to apply policy to the traffic in a class-map
Apply a policy-map to a zone-pair
Assign interface(s) to zones
Note
By default, traffic between zones is blocked unless an explicit policy permits it.
Based on Figure 5-8, Example 5-7 shows a very basic ZFW configuration that uses the new CPL command set with
two zones.
Figure 5-8. Basic ZFW for a Two-Zone Setup
Example 5-7. Basic ZFW Configuration Using CPL
class-map type inspect match-any myclass
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect mypolicy
 class type inspect myclass
  inspect
!
zone security private
zone security public
!
zone-pair security mypair source private destination public
 service-policy type inspect mypolicy
!
interface FastEthernet0/0
 zone-member security private
!
interface FastEthernet0/1
 zone-member security public
!
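As an added example (not from the book or Cisco), the following Python checker parses a ZFW/CPL configuration such as Example 5-7 and reports the dependency problems described above: class-maps, policy-maps and zones referenced but never defined, zone-pairs with no service-policy (which by default drop all traffic between the two zones), and zones that no interface has joined. It assumes the configuration is plain running-config text with sub-commands indented by a space; the embedded sample is Example 5-7 plus a constructed "dmz" zone that deliberately trips two of the checks.

```python
import re
# Constructed sample: Example 5-7 plus a "dmz" zone with no service-policy and no member interface.
SAMPLE_CONFIG = "\n".join([
    "class-map type inspect match-any myclass", " match protocol tcp", "!",
    "policy-map type inspect mypolicy", " class type inspect myclass", "  inspect", "!",
    "zone security private", "zone security public", "zone security dmz", "!",
    "zone-pair security mypair source private destination public",
    " service-policy type inspect mypolicy", "!",
    "zone-pair security todmz source private destination dmz", "!",
    "interface FastEthernet0/0", " zone-member security private", "!",
    "interface FastEthernet0/1", " zone-member security public", "!"])
# Top-level CPL statements open a context; SUB is the indented sub-command that links it to another object.
TOP = {"class": r"class-map type inspect (?:match-\w+ )?(\S+)",
       "policy": r"policy-map type inspect (\S+)", "zone": r"zone security (\S+)",
       "pair": r"zone-pair security (\S+) source (\S+) destination (\S+)",
       "intf": r"interface (\S+)"}
SUB = {"policy": r"class type inspect (\S+)", "intf": r"zone-member security (\S+)",
       "pair": r"service-policy type inspect (\S+)"}

def parse_zfw(text):  # collect CPL objects and the references between them
    c = {"class": set(), "zone": set(), "policy": {}, "pair": {}, "svc": {}, "member": {}}
    ctx = None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # top-level command: start a new context
            ctx = next(((k, m) for k, p in TOP.items() if (m := re.match(p, line, re.I))), None)
            if ctx is None: continue
            k, m = ctx
            if k in ("class", "zone"): c[k].add(m[1])
            elif k == "policy": c["policy"].setdefault(m[1], [])   # register even if empty
            elif k == "pair": c["pair"][m[1]] = (m[2], m[3])
        elif ctx and ctx[0] in SUB and (m := re.match(SUB[ctx[0]], line)):
            k, name = ctx[0], ctx[1][1]
            if k == "policy": c["policy"][name].append(m[1])
            elif k == "pair": c["svc"][name] = m[1]
            else: c["member"].setdefault(m[1], []).append(name)
    return c

def check_zfw(text):  # findings: dangling references and zone-pairs that drop everything
    c, out = parse_zfw(text), []
    for pm, classes in c["policy"].items():
        out += [f"undefined class-map {cm} in policy-map {pm}" for cm in classes if cm not in c["class"]]
    for zp, (src, dst) in c["pair"].items():
        out += [f"undefined zone {z} in zone-pair {zp}" for z in (src, dst) if z not in c["zone"]]
        if zp not in c["svc"]:
            out.append(f"zone-pair {zp} has no service-policy: all {src}->{dst} traffic is dropped")
        elif c["svc"][zp] not in c["policy"]:
            out.append(f"undefined policy-map {c['svc'][zp]} in zone-pair {zp}")
    out += [f"zone {z} has no interface members" for z in sorted(c["zone"]) if z not in c["member"]]
    return out
```

Run it over the text of show running-config to spot a zone-pair that silently blocks traffic because its service-policy was never attached.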