Workbook 2 Lab 4. 6.1 Traffic Filtering

This has been by far the hardest thing to comprehend for me. I think that I am looking at this the wrong way and it is just confusing for me...

This exersice is about ZBF originally...This technology is relatively simple for this scenario, the extrmely confusing thing for me is the VRF tunnel/route redistribution done on R6. If someone could please try to explain this it would be much appreciated. Here is the scenario:


Configure a filtering policy on R6 to conform to the following requirements:

• Apply filtering to the VPN traffic exchanged between R4 and R6.

• The Frame-Relay connection should be the outside interface.

• Permit ICMP packets across the firewall (either direction).

• Permit HTTP and SSL access to a Web server at 204.12.X.100.

• Permit any TCP and UDP sessions initiated from behind R6 to


• Limit the aggregate rate of DNS and ICMP packets inbound to


• Use the Zone Based Firewall syntax to accomplish this task and apply the

most secure inspection rules where possible.


Seems relatively simple...but the solution is really not. 1st of all, the solution creates 2 tunnel interfaces source/destined to loopbacks on R6 (loopbacks are in the global table)...Each tunnel is in a different VRF. This creates a tunnel between the 2 VRFs.

This 1st step that is done (the tunnel between the VRFs) is the 1st thing that threw me off. How is this even possible?!?!. How could you configure the source and destination of a tunnel that is on a VRF to/from addresses that are in the global routing table?  

The other thing that confuses me about the solution is the route redistribution/final result of routing..

If anyone has gone through lab 4 WB2 I would really appreciate to chat about this specific scenario 



Sign In or Register to comment.