
配置與WAAS部署的Cisco IOS基於區域的防火牆互操作性 - Cisco

<!DOCTYPE html> <html xmlns:fb="//www.facebook.com/2008/fbml" xmlns:og="//opengraphprotocol.org/schema/" lang="zh" xml:lang="zh" class="no-touch no-js"> <head> <meta charset="utf-8"> <meta name="HandheldFriendly" content="True" /> <meta name="MobileOptimized" content="320" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <meta name="rei" content="3/2/2022 10.39am est" /> <script tyle="text/javascript" src="/content/dam/cdc/j/cdcrSwitch.js"></script> <script type="text/javascript"> if (typeof cdc === "undefined"){ cdc = {}; } cdc.localizedLang="zh_tw"; if (window.cdcext === undefined) { window.cdcext = {}; } cdcext.customEnvironment = "prod"; if (window.cdclocale === undefined) { window.cdclocale = {}; } cdclocale.locale = cdc.localizedLang=="en/us"?"en_us":cdc.localizedLang; </script> <script src="/c/dam/cdc/t/ctm-core.js"></script> <script> window['adrum-start-time'] = new Date().getTime(); window.environ = "prod" ; </script> <script> if (window.cpe === undefined) { window.cpe = {}; } cpe.accountName = "prod"; cpe.config = ["cinf","dsc","pps"]; cpe.hideMethod = "elements"; window.targetGlobalSettings = JSON.parse('{\x22timeout\x22:4000}'); window.targetPageParamsAll = () => JSON.parse('{\x22entity\x22:\x22{\\\x22id\\\x22:\\\x221661236223222313\\\x22,\\\x22categoryId\\\x22:\\\x22Products,Security,TSD Products Configuration Example\\\x22}\x22}'); const bullseyeLibrary = `/etc.clientlibs/cisco-cdc/clientlibs/clientlib-external/resources/external/bullseye.js`; import(bullseyeLibrary); </script> <script src="/etc.clientlibs/cisco-cdc/clientlibs/clientlib-external/resources/regional-mbox/regional-mbox.js"></script> <title>配置與WAAS部署的Cisco IOS基於區域的防火牆互操作性 - Cisco</title> <meta name="format-detection" content="telephone=no"> <meta http-equiv="Content-type" content="text/html;charset=UTF-8" /> <meta name="description" content="本檔案介紹Cisco IOS®防火牆功能集的新組態模式。" /> <meta name="title" content="配置與WAAS部署的Cisco IOS基於區域的防火牆互操作性" /> <meta name="documentId" 
content="200141" /> <meta name="templateName" content="eot" /> <meta name="PID" content="FL37-H=,FR-C6FW" /> <meta name="SecondaryPID" content="WAAS-PLR-6000,WAVE-W-150K-6.4-K9,WAVE-W-12K-6.4-K9,WAVE-W-150K-6.4NPE,WAVE-W-50K-6.4-K9,WAVE-W-12K-6.4NPE,WAVE-W-50K-6.4NPE,C1-WAAS-RTU-750,C1-WAAS-CM-VIRT-K9,WAAS-RTU-200,WAAS-MBL-CLST-LIC=,WAAS-RTU-2500S,WAAS-ENT-VAPP-K9,WAAS-RTU-6K,WAAS-RTU-2500,WAAS-MBL-PRM-K9,WAAS-RTU-1300U6K,WAAS-RTU-1300S,WAAS-RTU-1300,WAAS-RTU-1300U2500,WAAS-RTU-2500U6K,WAAS-MBL-CLST-LIC,SF-WAAS-4.1-SS-K9,SF-WAAS-4.2-SAS-K9,SFWAAS5.5SM-NPE,SF-WAAS-6.2-WAV-K9,SM9-UCSE-NATIVE,SF-WAAS-4.2-SA-K9,SF-WAAS-4.2-NM-K9,SM7-WAAS,SFWAAS4.2SM-NPE-K9,SL-6K-AKC,SF-WAAS-5.5-SM-K9,SFWAAS5.5-WAV-NPE,SF-WAAS-4.1-K9,SFWAAS4.2NM-NPE-K9,SL-18K-AKC,SFWAAS5.5WAVNPE,SF-WAAS-6.1-SM-K9,SL-750-AKC,SF-W2K8R2,SM9-WAAS-APP,SL-50K-AKC=,SF-WAAS-5.5-WAV-K9,SFWAAS6.1WAVNPE,SFWAAS6.2WAVNPE,SFWAAS-5.3-WAV-NPE,SL-6K-AKC=,SL-200-AKC=,SL-200-AKC,SFWAAS6.1SM-NPE,SF-WAAS-4.1-SAS-K9,SL-18K-AKC=,SL-750-AKC=,SL-50K-AKC,SFWAAS5.5-SM-NPE,SF-VWAAS-5.5-K9,SF-WAAS-6.1-WAV-K9,PRM-WAAS-VBLADE,PRM-WAAS-WMVID-NM,PRM-WAAS-MAPI,PRM-WAAS-MAPI-NM,DVD-I44-NPE-5.3,DVD-I4K-NPE-6.1,DVD-I44-5.2-K9,DVD-I44-NPE-5.5,DVD-I43-NPE-5.5,DVD-I43-5.5-K9,DVD-I4K-6.2-K9=,DVD-I44-5.5-K9,DVD-I44-5.3-K9,DVD-I44-NPE-5.4,DVD-I4K-6.1-K9,DVD-I4K-NPE-6.2=,CSP-W-150K-6.4-K9,DVD-I44-5.4-K9,WAAS-CM-VIRT-K9" /> <meta property="fb:app_id" content="156494687694418" /> <meta name="ioContentSource" content="support" /> <meta name="concept" content="Cisco IOS Firewall" /> <meta name="secondaryConcept" content="Cisco Wide Area Application Services (WAAS) Software" /> <meta name="docType" content="TSD Products Configuration Example" /> <meta name="iaPath" content="cisco.com#Products#Cisco Products#Security#Network Security#Integrated Threat Control#Cisco IOS Firewall" /> <meta name="contentType" content="cisco.com#TW#postSales" /> <meta name="locale" content="TW" /> <meta name="language" content="zh" /> <meta name="country" content="TW" /> 
<meta name="hub" content="Enterprise Networks" /> <meta name="CCID_Page" content="cc001775" /> <meta name="date" content="Sat Aug 20 19:21:41 PDT 2022" /> <meta name="sourceGroup" content="TACAuthoredSP" /> <meta name="accessLevel" content="Guest" /> <meta name="accessLevel" content="Customer" /> <meta name="accessLevel" content="Partner" /> <meta property="og:site_name" content="Cisco" /> <meta property="og:type" content="website" /> <meta property="og:title" content="配置與WAAS部署的Cisco IOS基於區域的防火牆互操作性" /> <meta property="og:description" content="本檔案介紹Cisco IOS®防火牆功能集的新組態模式。" /> <meta property="og:url" content="https://www.cisco.com/c/zh_tw/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html" /> <link rel="canonical" href="https://www.cisco.com/c/zh_tw/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <link rel="alternate" hreflang="x-default" href="https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <link rel="alternate" hreflang="pt-br" href="https://www.cisco.com/c/pt_br/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <link rel="alternate" hreflang="es-mx" href="https://www.cisco.com/c/es_mx/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <link rel="alternate" hreflang="ko-kr" href="https://www.cisco.com/c/ko_kr/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <link rel="alternate" hreflang="it-it" href="https://www.cisco.com/c/it_it/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <link rel="alternate" hreflang="ja-jp" href="https://www.cisco.com/c/ja_jp/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <link rel="alternate" hreflang="de-de" 
href="https://www.cisco.com/c/de_de/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <link rel="alternate" hreflang="fr-ca" href="https://www.cisco.com/c/fr_ca/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <link rel="alternate" hreflang="ar-ae" href="https://www.cisco.com/c/ar_ae/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <link rel="alternate" hreflang="nl-nl" href="https://www.cisco.com/c/nl_nl/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <link rel="alternate" hreflang="zh-cn" href="https://www.cisco.com/c/zh_cn/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <link rel="alternate" hreflang="zh-tw" href="https://www.cisco.com/c/zh_tw/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <link rel="alternate" hreflang="en-us" href="https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html"/> <meta name="Tech Zone URL" content="/t5/IOS-Firewall-and-Content/Configure-Cisco-IOS-Zone-Based-Firewall-Interoperability-with/ta-p/768902"/> <script src="/etc.clientlibs/clientlibs/granite/jquery.min.js"></script> <script src="/etc.clientlibs/clientlibs/granite/utils.min.js"></script> <script src="/etc.clientlibs/clientlibs/granite/jquery/granite.min.js"></script> <script src="/etc.clientlibs/foundation/clientlibs/jquery.min.js"></script> <script src="/etc.clientlibs/foundation/clientlibs/shared.min.js"></script> <script src="/etc.clientlibs/cq/personalization/clientlib/underscore.min.js"></script> <script src="/etc.clientlibs/cq/personalization/clientlib/personalization/kernel.min.js"></script> <script src="/etc.clientlibs/cq/personalization/clientlib/personalization/kernel.min.js"></script> <script type="text/javascript"> $CQ(function() { 
CQ_Analytics.SegmentMgr.loadSegments("\/etc\/segmentation"); CQ_Analytics.ClientContextUtils.init("\/c\/dnc\/etc\/clientcontext\/default", "\/content\/zh_tw\/support\/docs\/security\/ios\u002Dfirewall\/200141\u002DIOS\u002DZone\u002DBased\u002DFirewall\u002Dinteroperabilit"); }); </script> <script src="/etc/designs/cdc/clientlibs/responsive/js/foundation.min.js"></script> <link rel="stylesheet" href="/etc/designs/cdc/clientlibs/responsive/css/responsive.min.css" type="text/css"> <script> sessionStorage.setItem("logOutIntermediateMessage", '您即將登出。'); </script> <!-- Custom JSON LD For Products Type --> <script type="application/ld+json"> [ { "@context": "http://www.schema.org", "@type": "WebPage", "name": "配置與WAAS部署的Cisco IOS基於區域的防火牆互操作性", "url": "https://www.cisco.com/c/zh_tw/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html", "description": "本檔案介紹Cisco IOS®防火牆功能集的新組態模式。", "publisher": { "@type": "Corporation", "name": "Cisco" } }] </script> <!-- End Custom JSON LD For Products Type --> <!-- Video JSON LD --> <!-- End Video JSON LD --> <script>!function(e){var n="https://s.go-mpulse.net/boomerang/";if("False"=="True")e.BOOMR_config=e.BOOMR_config||{},e.BOOMR_config.PageParams=e.BOOMR_config.PageParams||{},e.BOOMR_config.PageParams.pci=!0,n="https://s2.go-mpulse.net/boomerang/";if(window.BOOMR_API_key="GKZXC-NS3SU-A7VFH-HKBHM-U7LKH",function(){function e(){if(!o){var e=document.createElement("script");e.id="boomr-scr-as",e.src=window.BOOMR.url,e.async=!0,i.parentNode.appendChild(e),o=!0}}function t(e){o=!0;var n,t,a,r,d=document,O=window;if(window.BOOMR.snippetMethod=e?"if":"i",t=function(e,n){var t=d.createElement("script");t.id=n||"boomr-if-as",t.src=window.BOOMR.url,BOOMR_lstart=(new Date).getTime(),e=e||d.body,e.appendChild(t)},!window.addEventListener&&window.attachEvent&&navigator.userAgent.match(/MSIE [67]\./))return window.BOOMR.snippetMethod="s",void 
t(i.parentNode,"boomr-async");a=document.createElement("IFRAME"),a.src="about:blank",a.title="",a.role="presentation",a.loading="eager",r=(a.frameElement||a).style,r.width=0,r.height=0,r.border=0,r.display="none",i.parentNode.appendChild(a);try{O=a.contentWindow,d=O.document.open()}catch(_){n=document.domain,a.src="javascript:var d=document.open();d.domain='"+n+"';void(0);",O=a.contentWindow,d=O.document.open()}if(n)d._boomrl=function(){this.domain=n,t()},d.write("<bo"+"dy onload='document._boomrl();'>");else if(O._boomrl=function(){t()},O.addEventListener)O.addEventListener("load",O._boomrl,!1);else if(O.attachEvent)O.attachEvent("onload",O._boomrl);d.close()}function a(e){window.BOOMR_onload=e&&e.timeStamp||(new Date).getTime()}if(!window.BOOMR||!window.BOOMR.version&&!window.BOOMR.snippetExecuted){window.BOOMR=window.BOOMR||{},window.BOOMR.snippetStart=(new Date).getTime(),window.BOOMR.snippetExecuted=!0,window.BOOMR.snippetVersion=12,window.BOOMR.url=n+"GKZXC-NS3SU-A7VFH-HKBHM-U7LKH";var i=document.currentScript||document.getElementsByTagName("script")[0],o=!1,r=document.createElement("link");if(r.relList&&"function"==typeof r.relList.supports&&r.relList.supports("preload")&&"as"in r)window.BOOMR.snippetMethod="p",r.href=window.BOOMR.url,r.rel="preload",r.as="script",r.addEventListener("load",e),r.addEventListener("error",function(){t(!0)}),setTimeout(function(){if(!o)t(!0)},3e3),BOOMR_lstart=(new Date).getTime(),i.parentNode.appendChild(r);else t(!1);if(window.addEventListener)window.addEventListener("load",a,!1);else if(window.attachEvent)window.attachEvent("onload",a)}}(),"".length>0)if(e&&"performance"in e&&e.performance&&"function"==typeof e.performance.setResourceTimingBufferSize)e.performance.setResourceTimingBufferSize();!function(){if(BOOMR=e.BOOMR||{},BOOMR.plugins=BOOMR.plugins||{},!BOOMR.plugins.AK){var 
n=""=="true"?1:0,t="",a="bdpnbeqxgy4r2z557xia-f-8d83e250b-clientnsv4-s.akamaihd.net",i="false"=="true"?2:1,o={"ak.v":"39","ak.cp":"61004","ak.ai":parseInt("271834",10),"ak.ol":"0","ak.cr":4,"ak.ipv":4,"ak.proto":"http/1.1","ak.rid":"180a939","ak.r":37669,"ak.a2":n,"ak.m":"dsca","ak.n":"essl","ak.bpcip":"8.222.208.0","ak.cport":54508,"ak.gh":"23.53.33.212","ak.quicv":"","ak.tlsv":"tls1.2","ak.0rtt":"","ak.0rtt.ed":"","ak.csrc":"-","ak.acc":"reno","ak.t":"1740504528","ak.ak":"hOBiQwZUYzCg5VSAfCLimQ==sFOtmQ6repEJluoVbuMdbIcc122IbDi6i3JBVT38lupI48XqYg1vnyP0p/qO4a5AKF1GN5htZ7VKvMw3dYGbhCisWYF4QG0jgC3CGqX5uZuloNxYqLb8Lvle1oAlVlfPX/QfT9RwB2Mjv0Z82+DChEdG3EnP7eLFn3IRwI+dVN48hZGLyDstNVtHKARrzxMaDSxH4t4MJ/U2QvEfttXSR1VtEOVf2slqwh/RlTF8LACeFKKuAyW2SJSXUyaFNzqJzRV9NPiv9/6X/LPJaXxnmafGbv1qKb1Q+2ilOxSUgkoIbr45wkbS5NchbJATYUWuXO3h61+V8VzBLU+vfzcZqKdCItTU71jA8DVKMyMICG73ik+swXSHdq+Md8F5c80tuFTHxDBSjwKyGWh0fZIlD2t3M/cc9l//mIrspk8/OGc=","ak.pv":"521","ak.dpoabenc":"","ak.tf":i};if(""!==t)o["ak.ruds"]=t;var r={i:!1,av:function(n){var t="http.initiator";if(n&&(!n[t]||"spa_hard"===n[t]))o["ak.feo"]=void 0!==e.aFeoApplied?1:0,BOOMR.addVar(o)},rv:function(){var e=["ak.bpcip","ak.cport","ak.cr","ak.csrc","ak.gh","ak.ipv","ak.m","ak.n","ak.ol","ak.proto","ak.quicv","ak.tlsv","ak.0rtt","ak.0rtt.ed","ak.r","ak.acc","ak.t","ak.tf"];BOOMR.removeVar(e)}};BOOMR.plugins.AK={akVars:o,akDNSPreFetchDomain:a,init:function(){if(!r.i){var e=BOOMR.subscribe;e("before_beacon",r.av,null,null),e("onbeacon",r.rv,null,null),r.i=!0}return this},is_complete:function(){return!0}}}}()}(window);</script></head> <body id="wcq" class="fw-res cdc-support cdc-eot cdc-high-density cdc-full-width cdc-transform "> <div id="fw-skiplinks"> <ul class="container"> <li><a id="skiplink-content" href="#fw-content">跳转到页面内容</a></li> <li><a id="skiplink-search" href="#">略過搜尋</a></li> <li><a id="skiplink-footer" href="#fw-footer-v2" class="last">跳转到页脚</a></li> </ul> </div> <script type="module" 
src="/site/web-components/tw/zh/cdc-header.js"></script> <cdc-header></cdc-header> <nav class="fw-c-header__seo-links" aria-hidden="true" style="display:none"> <ul> <li><a tabindex="-1" href="/c/zh_tw/index.html">Cisco.com 台灣</a></li> <li><a tabindex="-1" href="/c/zh_tw/products/index.html">產品與服務</a></li> <li><a tabindex="-1" href="//www.cisco.com/c/zh_tw/solutions/index.html">解決方案</a></li> <li><a tabindex="-1" href="/c/zh_tw/support/index.html">支援</a></li> <li><a tabindex="-1" href="/c/zh_tw/training-events.html">瞭解</a></li> <li><a tabindex="-1" href="/c/zh_tw/about/sitemap.html">探索思科</a></li> <li><a tabindex="-1" href="/c/zh_tw/buy.html">購買方式</a></li> <li><a tabindex="-1" href="/c/zh_tw/partners.html">合作夥伴首頁</a></li> <li><a tabindex="-1" href="/c/zh_cn/partners/partner-with-cisco.html?ccid=cc000864&dtid=odiprc001129">全新合作夥伴計畫</a></li> <li><a tabindex="-1" href="/c/zh_tw/partners/support-help.html">支援</a></li> <li><a tabindex="-1" href="/c/zh_tw/partners/tools.html">工具</a></li> <li><a tabindex="-1" href="//locatr.cloudapps.cisco.com/WWChannels/LOCATR/openBasicSearch.do">尋找思科合作夥伴</a></li> <li><a tabindex="-1" href="/c/en/us/partners/connect-with-a-partner.html">認識思科合作夥伴</a></li> <li><a tabindex="-1" href="//partnersuccess.cisco.com/becomeapartner">成為思科合作夥伴</a></li> </ul> </nav> <div id="fw-content" class="container grid"> <div class="row full blowout" data-owner="ID"> <div class="col full "> <nav id="fw-breadcrumb" class="data-based" data-owner="ID"> <ul itemscope itemtype="//schema.org/BreadcrumbList"> <li aria-hidden="true"><a href='#' class="skip"><span></span></a></li> <li itemprop='itemListElement' itemscope itemtype='//schema.org/ListItem'><a itemprop='item' href='/c/zh_tw/support/index.html'><span itemprop='name'>支援</span><meta itemprop='position' content='1' /></a><span class='caret'></span></li><li itemprop='itemListElement' itemscope itemtype='//schema.org/ListItem'><a itemprop='item' href='/c/zh_tw/support/all-products.html'><span 
itemprop='name'>產品資源</span><meta itemprop='position' content='2' /></a><span class='caret'></span></li><li itemprop='itemListElement' itemscope itemtype='//schema.org/ListItem'><a itemprop='item' href='/c/zh_tw/support/security/index.html'><span itemprop='name'>資安</span><meta itemprop='position' content='3' /></a><span class='caret'></span></li><li itemprop='itemListElement' itemscope itemtype='//schema.org/ListItem'><a itemprop='item' href='/c/zh_tw/support/security/ios-firewall/series.html'><span itemprop='name'>Cisco IOS 防火牆</span><meta itemprop='position' content='4' /></a><span class='caret'></span></li><li itemprop='itemListElement' itemscope itemtype='//schema.org/ListItem'><a itemprop='item' href='/c/zh_tw/support/security/ios-firewall/products-configuration-examples-list.html'><span itemprop='name'>配置示例和技術筆記</span><meta itemprop='position' content='5' /></a><span class='caret'></span></li> </ul> </nav> <script> if (window.cdc === undefined) { window.cdc = {}; } if (cdc.breadcrumb === undefined) { cdc.breadcrumb = (function () { let clone = document.querySelector('#fw-breadcrumb').cloneNode(true); let appendClone = function () { let hasBreadcrumb = document.querySelector('#fw-breadcrumb') !== null, firstMarquee = document.querySelectorAll('.dmc-mq')[0]; if (!hasBreadcrumb && firstMarquee !== undefined) { firstMarquee.querySelector('.frame .inset').insertBefore(this.clone, firstMarquee.querySelector('.frame .inset').firstElementChild); } }; return { clone: clone, appendClone: appendClone } }()); } //DE380224 var anchorChild = document.getElementsByTagName("a"); for(var i=0; i<anchorChild.length; i++){ if(anchorChild[i].getAttribute("itemprop")=="item") { if ( anchorChild[i].href.includes("%3Clocale%3E") ){ let anchorChildHREF = anchorChild[i].href; let docLocale = document.querySelector('meta[name="locale"]').getAttribute('content'); let docLanguage = document.querySelector('meta[name="language"]').getAttribute('content'); var docSeparator; if 
((docLocale.toLowerCase() == "us") && (docLanguage.toLowerCase() == "en")) { docSeparator="/"; } else { docSeparator="_"; } let anchorURLReplace = docLanguage.toLowerCase() + docSeparator + docLocale.toLowerCase(); anchorChildHREF = anchorChildHREF.replace("%3Clocale%3E", anchorURLReplace); anchorChild[i].setAttribute('href', anchorChildHREF); } } } </script> <h1 id="fw-pagetitle" class="" data-owner="ID">配置與WAAS部署的Cisco IOS基於區域的防火牆互操作性</h1> </div> </div> <!--googleon: index--><!--googleon: snippet--> <!--<div class="row twothirds-third visitedlinks">--> <!-- US49416 --> <!--<div class="row blowout twothirds-third visitedlinks">--> <div class="row blowout wide-narrow-v2 visitedlinks"> <!--end--> <!--<div class="col two-third">--> <div class="col wide-v2"> <script> if (typeof(cdc) == "undefined") cdc={}; if (typeof(cdc.translations) == "undefined") cdc.translations={}; </script> <div class="docHeaderComponent base-blowout"> <div class="linksRow"> <img class="noprint tacLogo" src="/etc/designs/cdc/fw/i/TAC_lg-icon.png"/> <div class="toolbar"> <div class="noprint" id="saveModule"> <script type="text/javascript"> cdc.util.ensureNamespace("cdc.rc.savedoc"); cdc.rc.savedoc.isLoggedIn = false; cdc.rc.savedoc.save = "儲存"; cdc.rc.savedoc.saved = "已儲存"; </script> <button class="save"> <label>儲存</label> </button> </div> <div class="saveDocumentMessage login cdc-expandPanel" role="region" aria-live="polite"> <a href="/c/login/index.html?referer=/c/zh_tw/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html">登入</a>即可儲存內容 </div> <!-- Translation Selctor --> <!-- Translation Selector is used on EOT and Books pages. if a page has a locale of en_US then it will provide a list of avaible translations, if its a translated page (non english locale) then provide the link to the english locale. 
--> <script type="text/javascript"> jQuery(document).ready(function(){ jQuery('body').addClass('nonEnglishLocale'); cdc.translations.locale="zh_tw"; }); </script> <div class="noprint translations"> <a class="nonEnglish" href="https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.html" tabindex="-1"> <button type="button" class="translations-link anchor translationOptions simpleOverlay-trigger"> <div class="toolbarIcon translationsIcon"></div><label class="iconLabel" id="onlyForNonEn">英文</label> </button> </a> </div> <script type="text/javascript"> /* Specifically for books at the simple overlay trigger class on English locale pages, if its a non english locale do not add the trigger. */ if(jQuery('body').hasClass('cdc-books') && !jQuery('a').hasClass('nonEnglish')) { jQuery('.translations').addClass('simpleOverlay-trigger'); } </script> <div class="noprint downloadDocument" ><button type="button" class="view-download-list-link anchor" aria-expanded="false"><div class="toolbarIcon downloadIcon"></div><label class="iconLabel">下載</label></button></div> <div class="noprint printDocument js-only"><button type="button" class="anchor printPage"><div class="toolbarIcon printIcon"></div><label class="iconLabel">列印</label></button></div> </div> </div> <!-- Where translation selector list of available languages is set up for EOT pages, for the javascript to work must have <ul id="translationsList"> </ul> --> <div id="download-list-container" class="noprint panelRow" role="region" aria-live="polite" tabindex="-1"> <div class='download-list' aria-label="下載選項"> <h3>下載選項</h3> <ul> <li> <div class="fileText"> <a href="/c/zh_tw/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.pdf" class="download-pdf"><div class="fileIcon pdfIcon"></div>PDF</a> <span class="docSize">(367.7 KB)</span> <br /> <span class="description">在多種裝置上使用 Adobe Reader 檢視</span> </div> </li> <li> <div class="fileText"> <a 
href="/c/zh_tw/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.epub" class="download-epub"><div class="fileIcon epubIcon"></div>ePub</a> <span class="docSize">(185.1 KB)</span> <br /> <span class="description">在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視</span> </div> </li> <li> <div class="fileText"> <a href="/c/zh_tw/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit.mobi" class="download-mobi"><div class="fileIcon mobiIcon"></div>Mobi (Kindle)</a> <span class="docSize">(148.8 KB)</span> <br /> <span class="description">在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視</span> </div> </li> </ul> </div> </div> <div class="infobarClearFix"> <div class="infobar"> <div class="updatedDate"><span>已更新:</span> 2018 年 8 月 7 日</div> <div class="documentId"><span>文件 ID:</span>200141</div> </div> <div class="disclaimers support"> <div class="disclaimerButtons"> <div class="aboutBias"> <button>無偏見用語</button> </div> <div class="aboutTranslation"> <button>關於翻譯</button> </div> </div> <div class="biasfreeContent panel"> <h3>無偏見用語</h3> <p>本產品的文件集力求使用無偏見用語。針對本文件集的目的,無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言,或引用第三方產品的語言,因此本文件中可能會出現例外狀況。<a href="https://www.cisco.com/c/en/us/about/social-justice/inclusive-language-policy.html">深入瞭解</a>思科如何使用包容性用語。</p> </div> <div class="translationContent panel"> <h3>關於此翻譯</h3> <p>思科已使用電腦和人工技術翻譯本文件,讓全世界的使用者能夠以自己的語言理解支援內容。請注意,即使是最佳機器翻譯,也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 
對這些翻譯的準確度概不負責,並建議一律查看原始英文文件(提供連結)。</p> </div> </div><!-- disclaimers --> </div> </div> <script> jQuery(document).ready(function(){ if(jQuery("body").hasClass("cdc-eot-toc") && jQuery(".cdc-eot-toc").find(".DocumentHistory").length > 0){ jQuery(".cdc-eot-toc .seeRevisions").show(); if(jQuery(window).width() >= 768){ jQuery(".cdc-eot-toc .updatedDate").nextAll(".bullet").show(); } }else{ jQuery(".cdc-eot-toc .infobar .bullet").hide(); jQuery(".cdc-eot-toc .seeRevisions"); jQuery(".cdc-eot-toc .updatedDate"); } }) </script> <script src="/etc/designs/cdc/fw/clientlibs/granite-utils.min.js"></script> <script type="text/javascript"> if (typeof cdc === "undefined") cdc={}; if (typeof cdc.rc === "undefined") cdc.rc={}; </script> <script type="text/javascript"> // initialize dictionary for i18n cdc.util.ensureNamespace("cdc.rc"); cdc.rc.eotkeys = { showOnly5Products : "僅顯示 5 個產品", showAllRowsProducts : "顯示所有 nRows 產品", supportCommunityUrl : "https://community.cisco.com/t5/technology-and-support/ct-p/technology-support", supportCommunity : "思科社群", thankYou : "謝謝", viewersAlso : "客戶也檢視了", show : "顯示", more : "更多", showOnly3Documents: "僅顯示 3 份文件" }; </script> <div id="eot-doc-wrapper" > <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><div class="lia-message-template-summary-zone"> <div id="tg-body"> <div id="support-toc"> <h2>目錄</h2> <div class="toc-h2"> <a href="#anc0">簡介</a> </div> <div class="toc-h2"> <a href="#anc1">必要條件</a> </div> <div class="toc-h3"> <a href="#anc2">需求</a> </div> <div class="toc-h3"> <a href="#anc3"></a> </div> <div class="toc-h3"> <a href="#anc4">採用元件</a> </div> <div class="toc-h2"> <a href="#anc5">背景資訊</a> </div> <div class="toc-h2"> <a href="#anc6">Cisco IOS®防火牆的WAAS支援</a> </div> <div class="toc-h2"> <a href="#anc7">WAAS流量最佳化部署方案</a> </div> <div class="toc-h2"> <a href="#anc8">帶脫離路徑裝置的WAAS分支部署</a> </div> <div class="toc-h3"> <a href="#anc9">網路圖表</a> </div> <div class="toc-h3"> <a href="#anc10">配置和資料包流</a> </div> <div class="toc-h4"> 
<a href="#anc11">端到端WAAS流量</a> </div> <div class="toc-h4"> <a href="#anc12">CMS流量(向中央管理器註冊的WAAS裝置)</a> </div> <div class="toc-h3"> <a href="#anc13">ZBF會話資訊</a> </div> <div class="toc-h3"> <a href="#anc14">啟用WAAS和ZBF的客戶端路由器(R1)的工作配置</a> </div> <div class="toc-h3"> <a href="#anc15">帶內聯裝置的WAAS分支部署</a> </div> <div class="toc-h4"> <a href="#anc16">詳細資料</a> </div> <div class="toc-h3"> <a href="#anc17">組態</a> </div> <div class="toc-h3"> <a href="#anc18">ZBF與WAAS互操作性的限制</a> </div> <div class="toc-h2"> <a href="#anc19">驗證</a> </div> <div class="toc-h2"> <a href="#anc20">疑難排解</a> </div> <div class="toc-h2"> <a href="#anc21">相關資訊</a> </div> </div> <div class="lia-message-template-content-zone"> <p></p> <ul></ul> <p></p> <a class="auto_toc_anchor" name="anc0"></a> <h2 id="toc-hId-1793515010">簡介</h2> <p>本檔案介紹Cisco IOS®防火牆功能集的新組態模式。此新配置模型為多介面路由器提供了直觀的策略,提高了防火牆策略應用的粒度,並提供了預設的deny-all策略,該策略在應用顯式策略以允許所需流量之前禁止防火牆安全區域之間的流量。</p> <a class="auto_toc_anchor" name="anc1"></a> <h2 id="toc-hId--758641951">必要條件</h2> <a class="auto_toc_anchor" name="anc2"></a> <h3 id="toc-hId-787654879">需求</h3> <p>Cisco建議您瞭解Cisco IOS® CLI。</p> <a class="auto_toc_anchor" name="anc3"></a> <h3 id="toc-hId--1764502082"></h3> <a class="auto_toc_anchor" name="anc4"></a> <h3 id="toc-hId--21691747">採用元件</h3> <p>本文中的資訊係根據以下軟體和硬體版本:</p> <ul> <li>Cisco 2900系列路由器</li> <li>Cisco IOS®軟體版本15.2(4)M2</li> </ul> <p>本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除(預設)的組態來啟動。如果您的網路正在作用,請確保您已瞭解任何指令可能造成的影響。</p> <a class="auto_toc_anchor" name="anc5"></a> <h2 id="toc-hId-1917632093">背景資訊</h2> <p>基於區域的策略防火牆(也稱為區域策略防火牆、ZFW或ZBF)將防火牆配置從舊的基於介面的模型(CBAC)更改為更靈活、更易於理解的基於區域的模型。介面分配給區域,檢查策略應用於在區域之間移動的流量。區域間策略提供了相當大的靈活性和精細度,因此可以將不同的檢查策略應用於連線到同一路由器介面的多個主機組。防火牆策略使用Cisco®策略語言(CPL)進行配置,該語言採用分層結構,以定義對網路協定以及應用檢查的主機組的檢查。</p> <a class="auto_toc_anchor" name="anc6"></a> <h2 id="toc-hId--634524868">Cisco IOS®防火牆的WAAS支援</h2> <p>Cisco IOS<span>®</span>防火牆的廣域應用程式服務(WAAS)支援是在Cisco IOS®版本12.4(15)T中匯入。它提供整合防火牆,可最佳化符合安全要求的廣域網和應用加速解決方案,並具有以下優勢:</p> <ul> 
<li>通過全面的狀態檢測功能最佳化WAN</li> <li>簡化支付卡行業(PCI)合規性</li> <li>保護透明的WAN加速流量</li> <li>透明整合WAAS網路</li> <li>支援網路管理裝置(NME)廣域應用引擎(WAE)模組或獨立WAAS裝置部署</li> </ul> <p>WAAS具有自動發現機制,在初始三次握手期間使用TCP選項來透明地識別WAE裝置。自動發現後,最佳化流量流(路徑)會遇到TCP序列號的變化,以便使端點能夠區分最佳化流量和非最佳化流量。</p> <p>IOS®防火牆的WAAS支援允許根據前面提到的序列號變化調整用於第4層檢測的內部TCP狀態變數。如果Cisco IOS®防火牆注意到流量已成功完成WAAS自動發現,它允許流量流的初始序列號偏移,並保持最佳化流量流的第4層狀態。</p> <a class="auto_toc_anchor" name="anc7"></a> <h2 id="toc-hId-1108285467">WAAS流量最佳化部署方案</h2> <p>本節介紹兩種不同的WAAS流量最佳化方案,用於分支機構部署。WAAS流量最佳化與Cisco整合多業務路由器(ISR)上的Cisco防火牆功能配合使用。</p> <p>圖中顯示了使用Cisco防火牆進行端到端WAAS流量最佳化的示例。在此特定部署中,NME-WAE裝置與思科防火牆位於同一裝置上。網路快取通訊協定(WCCP)用於重新導向流量以進行偵聽。</p> <ul> <li>帶脫離路徑裝置的WAAS分支部署</li> <li>帶內聯裝置的WAAS分支部署</li> </ul> <a class="auto_toc_anchor" name="anc8"></a> <h2 id="toc-hId--1443871494">帶脫離路徑裝置的WAAS分支部署</h2> <p>WAE裝置可以是獨立的Cisco WAN自動化引擎(WAE)裝置,也可以是作為整合服務引擎安裝在ISR上的Cisco WAAS網路模組(NME-WAE)。</p> <p>圖中所示為WAAS分支機構部署,它使用WCCP將流量重定向到偏離路徑的獨立WAE裝置以進行流量攔截。此選項的配置與使用NME-WAE的WAAS分支部署相同。</p> <p><span class="lia-inline-image-display-wrapper lia-image-align-inline" style="width: 423px;"><img src="/c/dam/en/us/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit-00.png"></span></p> <a class="auto_toc_anchor" name="anc9"></a> <h3 id="toc-hId-102425336">網路圖表</h3> <p><span class="lia-inline-image-display-wrapper lia-image-align-inline" style="width: 703px;"><img src="/c/dam/en/us/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit-01.png"></span></p> <a class="auto_toc_anchor" name="anc10"></a> <h3 id="toc-hId-1130074382">配置和資料包流</h3> <p>此圖說明一個為端到端流量啟用WAAS最佳化和伺服器端存在集中管理系統(CMS)的示例設定。分支機構端和資料中心(DC)端的WAAS模組需要註冊到CMS才能運行。據觀察,CMS使用HTTPS與WAAS模組進行通訊。</p> <p><span class="lia-inline-image-display-wrapper lia-image-align-inline" style="width: 602px;"><img src="/c/dam/en/us/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit-02.png"></span></p> <a class="auto_toc_anchor" name="anc11"></a> <h4 id="toc-hId-1075933358">端到端WAAS流量</h4> 
<p>此處的示例為使用WCCP將流量重定向到WAE裝置以進行流量攔截的Cisco IOS®防火牆提供端到端WAAS流量最佳化配置。</p> <p>第1部分。 IOS-FW WCCP相關配置:</p> <pre>ip wccp 61
ip wccp 62
ip inspect waas enable</pre> <p>第2部分。 IOS-FW策略配置:</p> <pre>class-map type inspect most-traffic
 match protocol icmp
 match protocol ftp
 match protocol tcp
 match protocol udp
!
policy-map type inspect p1
 class type inspect most-traffic
  inspect
 class class-default
  drop</pre> <p>附註:下方「ZBF會話資訊」一節的驗證輸出顯示此 class-map 為 match-any;若建立時未指定 <code>match-any</code>,class-map type inspect 預設為 match-all,上述四個 match 條件便無法同時成立。</p> <p>第3部分。 IOS-FW區域和區域對配置:</p> <pre>zone security zone-in
zone security zone-out
zone security z-waas
zone-pair security in-out source zone-in destination zone-out
 service-policy type inspect p1
zone-pair security out-in source zone-out destination zone-in
 service-policy type inspect p1</pre> <p>第4節:介面配置:</p> <pre>interface GigabitEthernet0/0
 description Trusted interface
 ip address 172.16.11.1 255.255.255.0
 ip wccp 61 redirect in
 zone-member security zone-in
!
interface GigabitEthernet0/1
 description Untrusted interface
 ip address 203.0.113.1 255.255.255.0
 ip wccp 62 redirect in
 zone-member security zone-out</pre> <p style="background-image: url('http://www.cisco.com/en/US/i/templates/note.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>附註</strong>:Cisco IOS®版本12.4(20)T和12.4(22)T中的新配置將整合服務引擎置於其自己的區域中,無需成為任何區域對的一部分。區域對配置在區域內和區域外之間。</p> <pre>interface Integrated-Service-Engine1/0
 ip address 192.168.10.1 255.255.255.0
 ip wccp redirect exclude in
 zone-member security z-waas</pre> <p>在Integrated-Service-Engine1/0上未配置任何區域時,流量會隨以下丟棄消息被丟棄:</p> <pre>*Mar 9 11:52:30.647: %FW-6-DROP_PKT: Dropping tcp session 172.16.11.59:44191 172.16.10.10:80 due to One of the interfaces not being cfged for zoning with ip ident 0</pre> <a class="auto_toc_anchor" name="anc12"></a> <h4 id="toc-hId--1476223603">CMS流量(向中央管理器註冊的WAAS裝置)</h4> <p>以下範例提供所列兩種情況的組態:</p> <ul>
<li>使用WCCP將流量重定向到WAE裝置以進行流量攔截的Cisco IOS®防火牆的端到端WAAS流量最佳化配置</li> <li>允許CMS流量(從CMS裝置流入/流出CMS的WAAS管理流量)</li> </ul> <p>第1部分。 IOS-FW WCCP相關配置:</p> <pre>ip wccp 61 ip wccp 62 ip inspect waas enable</pre> <p>第2部分。 IOS-FW策略配置:</p> <pre>class-map type inspect most-traffic match protocol icmp match protocol ftp match protocol tcp match protocol udp policy—map type inspect p1 class type inspect most—traffic inspect class class—default drop </pre> <p>第2.1節:與CMS流量相關的IOS-FW策略:</p> <p style="background-image: url('http://www.cisco.com/en/US/i/templates/note.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>附註</strong>:若要允許CMS流量通過,此處需要類對映:</p> <pre>class-map type inspect waas-special match access-group 123 policy-map type inspect p-waas-man class type inspect waas-special pass class class-default drop </pre> <p>第3部分。 IOS-FW區域和區域對配置:</p> <pre>zone security zone-in zone security zone-out zone security z-waas zone—pair security in—out source zone-in destination zone-out service—policy type inspect p1 zone—pair security out—in source zone-out destination zone-in service—policy type inspect p1 </pre> <p>第3.1節:IOS-FW CMS相關區域和區域對配置:</p> <p style="background-image: url('http://www.cisco.com/en/US/i/templates/note.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>附註</strong>:區域對<strong>為</strong>out<strong>和out-waas</strong>是應用先前為CMS流量建立的策略所必需的。</p> <pre>zone-pair security waas-out source z-waas destination zone-out service-policy type inspect p-waas-man zone-pair security out-waas source zone-out destination z-waas service-policy type inspect p-waas-man</pre> <p>第4節:介面配置:</p> <pre>interface 
GigabitEthernet0/0<br> description Trusted interface<br> ip address 172.16.11.1 255.255.255.0<br> ip wccp 61 redirect in<br> zone-member security zone-in<br>!<br>interface GigabitEthernet0/1<br> description Untrusted interface<br> ip address 203.0.113.1 255.255.255.0<br> ip wccp 62 redirect in<br> zone-member security zone-out<br>!<br>interface Integrated-Service-Engine1/0<br> ip address 192.168.10.1 255.255.255.0<br> ip wccp redirect exclude in<br> zone-member security z-waas </pre> <p>第5部分。 CMS流量的訪問清單。</p> <p style="background-image: url('http://www.cisco.com/en/US/i/templates/note.gif'); background-repeat: no-repeat; background-position: 2px 4px; height: auto; width: auto; padding: 10px 5px 10px 35px; margin-top: 10px; margin-bottom: 10px; border-top: 1px solid #ccc; border-bottom: 1px solid #ccc; overflow-x: hidden;"><strong>附註</strong>:此訪問清單用於CMS流量。由於CMS流量是HTTPS,它允許兩個方向的HTTPS流量。請注意,上述策略p-waas-man對此類流量使用的是pass動作而非inspect,防火牆不會為這些連線建立狀態會話,這也是需要兩個方向的區域對與存取清單項目的原因;在實際部署中,建議將any縮小為WAE與中央管理器的實際位址,以免在z-waas與zone-out之間放行所有TCP 443流量。</p> <pre>access-list 123 permit tcp any eq 443 any
access-list 123 permit tcp any any eq 443</pre> <a class="auto_toc_anchor" name="anc13"></a> <h3 id="toc-hId-2063538091">ZBF會話資訊</h3> <p>位於路由器R1後方的使用者(172.16.11.10)存取位於遠端、IP位址為172.16.10.10的檔案伺服器時,ZBF會先透過in-out區域對建立會話,然後路由器再將資料包重定向到WAAS引擎進行最佳化。</p> <pre>R1#sh policy-map type inspect zone-pair in-out sess policy exists on zp in-out Zone-pair: in-out Service-policy inspect : p1 Class-map: most-traffic (match-any) Match: protocol icmp 0 packets, 0 bytes 30 second rate 0 bps Match: protocol ftp 0 packets, 0 bytes 30 second rate 0 bps Match: protocol tcp 2 packets, 64 bytes 30 second rate 0 bps Match: protocol udp 0 packets, 0 bytes 30 second rate 0 bps Inspect Number of Established Sessions = 1 Established Sessions Session 3D4A32A0 (172.16.11.10:49300)=&gt;(172.16.10.10:445) tcp SIS_OPEN/TCP_ESTAB Created 00:00:40, Last heard 00:00:10 Bytes sent (initiator:responder) [0:0] </pre> <p>R1-WAAS和R2-WAAS上為內部主機到遠端伺服器之連線所建立的會話:</p> <p>R1-WAAS:</p> <pre>R1-WAAS#show statistics connection Current Active Optimized Flows: 1 Current Active Optimized TCP Plus Flows: 1 
Current Active Optimized TCP Only Flows: 0 Current Active Optimized Single Sided Flows: 0 Current Active Optimized TCP Preposition Flows: 0 Current Active Auto-Discovery Flows: 1 Current Reserved Flows: 10 Current Active Pass-Through Flows: 0 Historical Flows: 13 D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,I:ICA,M:MAPI,N:NFS,S:SSL,W:WAN SECURE,V:VID EO, X: SMB Signed Connection ConnID Source IP:Port Dest IP:Port PeerID Accel RR 14 172.16.11.10:49185 172.16.10.10:445 c8:9c:1d:6a:10:61 TCDL 00.0% </pre> <p>R2-WAAS:</p> <pre>R2-WAAS#show statistics connection Current Active Optimized Flows: 1 Current Active Optimized TCP Plus Flows: 1 Current Active Optimized TCP Only Flows: 0 Current Active Optimized TCP Preposition Flows: 0 Current Active Auto-Discovery Flows: 0 Current Reserved Flows: 10 Current Active Pass-Through Flows: 0 Historical Flows: 9 D:DRE,L:LZ,T:TCP Optimization RR:Total Reduction Ratio A:AOIM,C:CIFS,E:EPM,G:GENERIC,H:HTTP,M:MAPI,N:NFS,S:SSL,V:VIDEO ConnID Source IP:Port Dest IP:Port PeerID Accel RR 10 172.16.11.10:49185 172.16.10.10:445 c8:9c:1d:6a:10:81 TCDL 00.0% </pre> <a class="auto_toc_anchor" name="anc14"></a> <h3 id="toc-hId--488618870">啟用WAAS和ZBF的客戶端路由器(R1)的工作配置</h3> <pre>R1#sh run Building configuration... Current configuration : 3373 bytes ! hostname R1 ! boot-start-marker boot bootstrap tftp c2900-universalk9-mz.SPA.153-3.M4.bin 255.255.255.255 boot system flash c2900-universalk9-mz.SPA.153-3.M4.bin boot-end-marker ! ip wccp 61 ip wccp 62 no ipv6 cef ! parameter-map type inspect global WAAS enable log dropped-packets enable max-incomplete low 18000 max-incomplete high 20000 multilink bundle-name authenticated ! license udi pid CISCO2911/K9 sn FGL171410K8 license boot module c2900 technology-package securityk9 license boot module c2900 technology-package uck9 license boot module c2900 technology-package datak9 hw-module pvdm 0/1 ! hw-module sm 1 ! 
class-map type inspect match-any most-traffic match protocol icmp match protocol ftp match protocol tcp match protocol udp ! policy-map type inspect p1 class type inspect most-traffic inspect class class-default drop ! zone security in-zone zone security out-zone zone security waas-zone zone-pair security in-out source in-zone destination out-zone service-policy type inspect p1 zone-pair security out-in source out-zone destination in-zone service-policy type inspect p1 ! interface GigabitEthernet0/0 description Connection to IPMAN FNN N6006654R bandwidth 6000 ip address 203.0.113.1 255.255.255.0 ip wccp 62 redirect in ip flow ingress ip flow egress zone-member security out-zone duplex auto speed auto ! interface GigabitEthernet0/1 ip address 172.16.11.1 255.255.255.0 no ip redirects no ip proxy-arp ip wccp 61 redirect in zone-member security in-zone duplex auto speed auto ! interface SM1/0 description WAAS Network Module Device Name dciacbra01c07 ip address 192.168.10.1 255.255.255.0 ip wccp redirect exclude in service-module ip address 192.168.183.46 255.255.255.252 !Application: Restarted at Sat Jan 5 04:47:14 2008 service-module ip default-gateway 192.168.183.45 hold-queue 60 out ! 
end </pre> <a class="auto_toc_anchor" name="anc15"></a> <h3 id="toc-hId-1254191465">帶內聯裝置的WAAS分支部署</h3> <p>圖中顯示了WAAS分支部署,該部署在ISR前面有一個內聯WAE裝置。由於WAE裝置位於ISR前面,Cisco防火牆收到的是已經過WAAS最佳化的資料包,因此在此客戶端部署中不支援第7層檢測。</p> <p><span class="lia-inline-image-display-wrapper lia-image-align-inline" style="width: 696px;"><img src="/c/dam/en/us/support/docs/security/ios-firewall/200141-IOS-Zone-Based-Firewall-interoperabilit-03.png" alt="WAAS分支部署拓撲:內聯WAE裝置位於ISR前面"></span></p> <p>在WAAS裝置之間運行Cisco IOS®防火牆的路由器只能看到最佳化的流量。ZBF功能監視初始三次握手(TCP選項33和序列號偏移),並自動調整預期的TCP序列視窗(不更改資料包本身的序列號)。 它為WAAS最佳化會話應用完整的L4狀態防火牆功能。WAAS透明解決方案便於防火牆按會話實施狀態防火牆和QoS策略。</p> <a class="auto_toc_anchor" name="anc16"></a> <h4 id="toc-hId-1200050441">詳細資料</h4> <ul> <li>Firewall會看到帶有0x21選項的普通TCP SYN資料包,並為它建立會話。由於不涉及WCCP,因此輸入或輸出介面沒有問題。傳回的SYN-ACK不是重新導向封包,因此防火牆會直接看到該封包。</li> <li>Firewall會檢查SYN-ACK中的0x21選項,並在必要時執行序列號跳轉。如果連線已最佳化,也會關閉L7檢查。</li> <li>可以觀察到,將此方案與Router-1方案區分開的唯一方面是返回流量沒有重新導向。在此情況下不會出現2個半連線。</li> </ul> <a class="auto_toc_anchor" name="anc17"></a> <h3 id="toc-hId-444844839">組態</h3> <p>標準ZBF配置,無針對WAAS流量的任何特定區域。唯一的限制是不支援第7層檢測。</p> <a class="auto_toc_anchor" name="anc18"></a> <h3 id="toc-hId--2107312122">ZBF與WAAS互操作性的限制</h3> <ul> <li>Cisco IOS®防火牆不支援WCCP第2層重新導向方法,它僅支援通用路由封裝(GRE)重新導向。</li> <li>Cisco IOS®防火牆僅支援WCCP重定向。如果WAAS使用基於策略的路由(PBR)來重定向資料包,則此解決方案不能確保互操作性,因此不受支援。</li> <li>Cisco IOS®防火牆不會對WAAS最佳化的TCP會話執行L7檢測。</li> <li>Cisco IOS®防火牆要求<strong>ip inspect waas enable</strong> 和<strong>ip wccp notify</strong> CLI命令才能進行WCCP重定向。</li> <li>目前不支援具備NAT和WAAS-NM互操作性的Cisco IOS®防火牆。</li> <li>Cisco IOS®防火牆WAAS重定向僅適用於TCP資料包。</li> <li>Cisco IOS®防火牆不支援主動/主動拓撲。</li> <li>所有屬於會話的資料包都必須通過Cisco IOS®防火牆裝置。</li> </ul> <a class="auto_toc_anchor" name="anc19"></a> <h2 id="toc-hId-1119571278">驗證</h2> <p>目前沒有適用於此組態的驗證程序。</p> <a class="auto_toc_anchor" name="anc20"></a> <h2 id="toc-hId--1432585683">疑難排解</h2> <p>目前尚無適用於此組態的具體疑難排解資訊。</p> <a class="auto_toc_anchor" name="anc21"></a> <h2 id="toc-hId-310224652">相關資訊</h2> <ul> <li><strong><a class="self_link" 
href="/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/15-mt/sec-data-zbf-15-mt-book/sec-zone-pol-fw.html#GUID-3919A834-5643-4437-BACB-9B5B00E8B776" target="_self" rel="nofollow noopener noreferrer">安全配置指南:基於區域的策略防火牆,Cisco IOS版本15M&amp;T</a></strong></li> <li><strong><a href="/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html" target="_self" rel="nofollow noopener noreferrer">基於區域的策略防火牆設計和應用指南</a></strong></li> <li><strong><a href="https://www.cisco.com/c/zh_tw/support/index.html" target="_self" rel="nofollow noopener noreferrer noopener noreferrer">技術支援與文件 - Cisco Systems</a></strong></li> </ul> </div> </div> <link rel="stylesheet" type="text/css" href="https://www.cisco.com/etc/designs/cdc/transformation/support-responsive.css"> <style type="text/css"> td {border:1px solid black;} table {border:1px solid black;} </style> </div> <cdc:do action="com.cisco.wem.framework.service.command.eotcontent.EOTResponsiveContent@d10e2d3" returnTypedAs="eotResponsiveContainerVo" id="eotResponsiveContainerVo" /> <div class="row full visitedlinks" style="padding: 0px; margin:0px"> <div class="col full" > </div> </div> </div> <script> jQuery(document).ready(function() { if(jQuery('.unpublished').length>0){ var lastRel = "1.0"; if(jQuery('.published').length>0){ lastRel = Number(jQuery('.published td')[0].innerText)+1+".0"; } jQuery('.preview_revision').text(lastRel); } }); </script> <script type="text/javascript"> jQuery(document).ready(function() { if (typeof(cdc) == "undefined") cdc={}; if (typeof(cdc.eot) == "undefined") cdc.eot={}; cdc.eot.isEot = true; cdc.eot.isToc = false; var linkItemsLen=jQuery("#eot-doc-wrapper link[rel='stylesheet']").length; function addNewTocStyleSheet() { let fileName="/etc/designs/cdc/transformation/wemdcmt_responsive.css", $head = jQuery("head"), linkElement = "<link rel='stylesheet' href='"+fileName+"' type='text/css' >"; $head.append(linkElement); } if (cdc.eot.isToc && ! 
