
Here is a solution for configuring a transparent firewall policy for traffic crossing a bridge group.



Two or more interfaces are configured in an IEEE bridge group and route to other subnets via a Bridge Virtual Interface (BVI). The transparent firewall applies only to traffic crossing the bridge, not to traffic that leaves the bridge group via the BVI.

Configure a policy-map to inspect X Windows:
conf t
ip port-map user-Xwindows port tcp from 6900 to 6910
!
class-map type inspect match-any Xwindows-class
 match protocol user-Xwindows
!
policy-map type inspect servers-clients-policy
 class type inspect Xwindows-class
  inspect
!
Configure the bridge and assign zones to the router interfaces:
conf t
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
zone security clients
zone security servers
!
int vlan 1
 bridge-group 1
 zone-member security clients
!
int vlan 2
 bridge-group 1
 zone-member security servers

Configure the BVI interface and assign it to a security zone:
!
! the zone must be defined before an interface can be made a member of it
zone security private
!
interface bvi1
 zone-member security private
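The snippets above define the inspect policy and the zones but never bind them together, and a Cisco IOS zone-based firewall policy takes effect only once a zone-pair references it with a service-policy. The following complete configuration is an added example, not part of the original post; it assumes clients sit on VLAN 1, servers on VLAN 2, X Windows sessions are initiated by clients toward servers, and the BVI carries a documentation address (192.0.2.1/24). The zone-pair name `clients-to-servers` is also an assumption.

```cisco
! Added example (not from the original post): complete transparent-firewall
! configuration including the zone-pair the policy needs to take effect.
! Assumed: clients on VLAN 1, servers on VLAN 2, sessions initiated by
! clients toward servers, BVI address 192.0.2.1/24 (documentation range).
ip port-map user-Xwindows port tcp from 6900 to 6910
!
class-map type inspect match-any Xwindows-class
 match protocol user-Xwindows
!
policy-map type inspect servers-clients-policy
 class type inspect Xwindows-class
  inspect
 class class-default
  drop log
!
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
zone security clients
zone security servers
zone security private
!
! The zone-pair gives the policy a direction across the bridge: client-initiated
! X Windows sessions are inspected and their return traffic is allowed
! statefully. No zone-pair exists for servers -> clients, so sessions
! initiated from the server side are dropped by default.
zone-pair security clients-to-servers source clients destination servers
 service-policy type inspect servers-clients-policy
!
interface Vlan1
 bridge-group 1
 zone-member security clients
!
interface Vlan2
 bridge-group 1
 zone-member security servers
!
! Traffic routed off the bridge through the BVI is not covered by the
! clients-to-servers policy; it leaves through zone "private", so that path
! needs its own zone-pair (for example clients -> private) if it is to be
! inspected rather than dropped.
interface BVI1
 ip address 192.0.2.1 255.255.255.0
 zone-member security private
```

To confirm the binding, `show zone-pair security` lists the zone-pair with its attached policy, and `show policy-map type inspect zone-pair sessions` shows the inspected X Windows sessions once a client connects. The explicit `class class-default` with `drop log` is not required (unmatched traffic in a zone-pair is dropped anyway) but makes the drops visible in the log, which is the first thing to check when a bridged flow unexpectedly fails.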