IOS zone-based firewalls (ZBFW) are a feature that provides stateful firewall policies between groups

of interfaces known as zones. A zone is a logical grouping of one or more interfaces that have similar

security requirements. A zone can be applied to physical interfaces, subinterfaces, port channels,

VLAN interfaces, or tunnel interfaces. However, an interface can be assigned only to one zone, and it

cannot be shared between zones. This is because the ZBFW policy is applied between zones, not

interfaces, and it controls the bidirectional traffic flow between them. Therefore, an interface can

belong to only one zone at a time, and it must be removed from one zone before it can be added to

another zone. This ensures that the firewall policy is consistent and unambiguous for each interface.

Reference :=

Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Gibraltar 16.12.x, Configuring

Zones

Understand the Zone-Based Policy Firewall Design, Zone-Based Policy Overview

IOS Zone Based Firewall Step-by-Step Basic Configuration, Zone Based Firewall Vs CBAC