• Home
  • Articles
  • Routers
  • Cisco
  • Cisco Router Zone Based Firewall Configuation Guide - Video Tutorial

Cisco Router Zone Based Firewall Configuation Guide - Video Tutorial

Originally Cisco designed and released a structure for QOS called MQC (Modular QOS CLI). As this was designed mainly for QOS, Cisco decided to rename it (so that they could aim it to the security market) to C3PL (Cisco Common Classification Policy Language).

MQC (or in our case C3PL) is configured and built using the following components :

  • Class-map - Class-maps allow you to define which traffic you which to "inspect". This can be done via specifying an interface, ACL or NBAR (Network based Application recognition). NBAR allows you define traffic by application. This works by determining the protocol type based on the application header.
  • Policy-map - Policy-maps allows you to define which action you want to perform on your traffic.


Within this example we will configure a based basic zone based firewall rule within a Cisco 3725 router.
This rule will allow a network to reach an internal SMTP server. The steps that we follow are:

  1. Create a class-map
  2. Assign a policy map and assign the class-map to the policy map. Note: you can only have one policy map per zone pair.
  3. Assign Zones to our interfaces
  4. Create a Zone pair using these newly created zones and assign the policy map to it.
  5. Go into your firewall rule based and define the permitted IP addresses.

Note: To ensure you have all the required firewall rules in place, such as allow management traffic etc, run the firewall wizard which will setup all the rules automatically.

Hint: You can see how to configure and enable SDM on your router here.

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of He currently works as an SDN/NFV Solutions Architect and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001