https://community.cisco.com/t5/network-security/dmz-question/m-p/2026282#M439192 <HTML><HEAD></HEAD><BODY><P>In theory no...</P><P></P><P>The reason being if the destination resides in the same layer three boundary (same subnet) then the source will do an ARP request and find the destinations MAC.&nbsp; From there the source node will send the data directly to the destination's MAC.</P><P></P><P>There is no man in the middle (firewall) to filter this traffic.&nbsp; If you were routing between networks and the firewall was in the middle it would work.</P></BODY></HTML> Mon, 20 Aug 2012 19:20:21 GMT Derron Carstensen 2012-08-20T19:20:21Z https://community.cisco.com/t5/network-security/dmz-question/m-p/2026281#M439191 <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Am I able to apply an ACL within the same DMZ to prevent one host from talking to another............in that same DMZ.</P><P></P><P>DMZ X:</P><P></P><P>172.17.1.1 is allowed to talk to the internet and to internal hosts BUT,</P><P>Denied from talking to 172.17.3.3 which is on the same DMZ</P><P></P><P>Can I just do a:</P><P></P><P>permit ip host 172.17.1.1 any port whatever</P><P>deny ip host 172.17.1.1 host 172.17.3.3</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 23:44:02 GMT https://community.cisco.com/t5/network-security/dmz-question/m-p/2026281#M439191 m.saunders 2019-03-11T23:44:02Z https://community.cisco.com/t5/network-security/dmz-question/m-p/2026282#M439192 <HTML><HEAD></HEAD><BODY><P>In theory no...</P><P></P><P>The reason being if the destination resides in the same layer three boundary (same subnet) then the source will do an ARP request and find the destinations MAC.&nbsp; From there the source node will send the data directly to the destination's MAC.</P><P></P><P>There is no man in the middle (firewall) to filter this traffic.&nbsp; If you were routing between networks and the firewall was in the middle it would work.</P></BODY></HTML> Mon, 20 Aug 2012 19:20:21 GMT https://community.cisco.com/t5/network-security/dmz-question/m-p/2026282#M439192 Derron Carstensen 2012-08-20T19:20:21Z https://community.cisco.com/t5/network-security/dmz-question/m-p/2026283#M439193 <HTML><HEAD></HEAD><BODY><P> So if we put both devices in 2 different DMZ's we can then apply ACL's around them and protect them from one another?&nbsp; Do they have to be in different subnets as well?</P></BODY></HTML> Mon, 20 Aug 2012 19:27:22 GMT https://community.cisco.com/t5/network-security/dmz-question/m-p/2026283#M439193 m.saunders 2012-08-20T19:27:22Z https://community.cisco.com/t5/network-security/dmz-question/m-p/2026284#M439194 <HTML><HEAD></HEAD><BODY><P>Yes if you place them in two different DMZs (which would also be different subnets) then you can use ACLs on the firewall to allow/block specific traffic.</P></BODY></HTML> Mon, 20 Aug 2012 19:33:15 GMT https://community.cisco.com/t5/network-security/dmz-question/m-p/2026284#M439194 Derron Carstensen 2012-08-20T19:33:15Z https://community.cisco.com/t5/network-security/dmz-question/m-p/2026285#M439195 <HTML><HEAD></HEAD><BODY><P> Thanks</P></BODY></HTML> Mon, 20 Aug 2012 19:38:53 GMT https://community.cisco.com/t5/network-security/dmz-question/m-p/2026285#M439195 m.saunders 2012-08-20T19:38:53Z https://community.cisco.com/t5/network-security/dmz-question/m-p/2026286#M439196 <HTML><HEAD></HEAD><BODY><P>Hi Bro</P><P>You can't deny network traffic when the source and destination are in the same network address. However, if you still want to block access between these 2 devices (assuming both these devices are physically connected to the same Cisco L2 switches), you'll need to configure <STRONG>Private VLAN</STRONG>, on those switchports. This will work like a charm.</P><P></P><P><A href="http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html">http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html</A></P><P></P><P></P><P></P><P></P><P style="text-align: justify;"><STRONG>P/S: If you think this comment is useful, please do rate them nicely <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></STRONG></P></BODY></HTML> Tue, 21 Aug 2012 03:01:12 GMT https://community.cisco.com/t5/network-security/dmz-question/m-p/2026286#M439196 Ramraj Sivagnanam Sivajanam 2012-08-21T03:01:12Z https://community.cisco.com/t5/network-security/dmz-question/m-p/2026287#M439197 <HTML><HEAD></HEAD><BODY><P>I'm not a bro but thank you for the response!!&nbsp; LOL&nbsp; This helps in my configuration.</P><P></P><P>Michelle</P></BODY></HTML> Tue, 21 Aug 2012 12:18:13 GMT https://community.cisco.com/t5/network-security/dmz-question/m-p/2026287#M439197 m.saunders 2012-08-21T12:18:13Z