10-01-2015 09:50 AM - edited 03-11-2019 11:40 PM
Hey All,
Was going to deploy reflexive ACLs on some campus distribution switches last night and found out they aren't an option on 4500r+e switches or ISR 4321 routers. Anyone have any recommendations on alternative options? The reflexive ACLs would be applied on the VLAN interfaces and would restrict inbound traffic to only specific destinations (untrusted to trusted), and all outbound traffic (trusted to untrusted) would be permitted through the reflect. From what I can tell there doesn't seem to be any option besides just having an extended ACL, but that would require opening up a lot of unnecessary access initiated from the untrusted side.
Brian
10-01-2015 12:15 PM
The ISRs should run ZBFW (Zone Based Firewall) presuming you have the right software bundle.
You won't be able to do anything with the 4500s in that regard except router ACLs, which are not stateful.
Jon
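For readers who, like the original poster, want the reflexive-ACL behaviour (trusted to untrusted allowed with replies tracked, untrusted to trusted limited to named destinations) on the ISR, the following is an added Zone-Based Firewall configuration sketch, not taken from the thread or from Cisco documentation. Interface names, zone names, the 10.0.0.0/24 addressing and the two published services are constructed for the example; only the ZBFW command structure itself is Cisco's.

```ios
! --- Added example: ZBFW on an ISR (assumes the security feature license is present) ---
! Two zones: one per interface role. Interface names are assumptions.
zone security TRUSTED
zone security UNTRUSTED
!
interface GigabitEthernet0/0/0
 description Trusted LAN side (assumed interface)
 zone-member security TRUSTED
!
interface GigabitEthernet0/0/1
 description Untrusted side (assumed interface)
 zone-member security UNTRUSTED
!
! Trusted -> untrusted: inspect everything so return traffic is admitted statefully,
! which is the "permit through the reflect" behaviour of a reflexive ACL.
class-map type inspect match-any CM-TRUSTED-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-TRUSTED-TO-UNTRUSTED
 class type inspect CM-TRUSTED-OUT
  inspect
 class class-default
  drop
!
zone-pair security TRUSTED-TO-UNTRUSTED source TRUSTED destination UNTRUSTED
 service-policy type inspect PM-TRUSTED-TO-UNTRUSTED
!
! Untrusted -> trusted: only the specific destinations listed in the ACL
! may be initiated from the untrusted side; everything else is dropped and logged.
! Hosts and ports below are constructed sample values.
ip access-list extended ACL-UNTRUSTED-IN
 permit tcp any host 10.0.0.10 eq 443
 permit tcp any host 10.0.0.20 eq 25
!
class-map type inspect match-all CM-UNTRUSTED-IN
 match access-group name ACL-UNTRUSTED-IN
!
policy-map type inspect PM-UNTRUSTED-TO-TRUSTED
 class type inspect CM-UNTRUSTED-IN
  inspect
 class class-default
  drop log
!
zone-pair security UNTRUSTED-TO-TRUSTED source UNTRUSTED destination TRUSTED
 service-policy type inspect PM-UNTRUSTED-TO-TRUSTED
```

Two points worth checking after applying something like this: traffic between an interface in a zone and an interface with no zone membership is dropped by default, so every interface that should carry traffic needs a zone; and `show policy-map type inspect zone-pair sessions` is the quickest way to confirm that return traffic is being admitted by an existing session rather than by an explicit permit.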
10-01-2015 12:15 PM
That's what I figured - thanks!
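For the Catalyst 4500 case in Jon's answer, where only stateless router ACLs are available, the closest approximation is a plain extended ACL using the `established` keyword. The following is an added example illustrating that compromise and its limits; it is not from the thread. VLAN numbers, the 10.10.0.0/24 trusted range and the two published services are constructed.

```ios
! --- Added example: stateless ACL on a Catalyst 4500 SVI (constructed addressing) ---
! Trusted hosts live in VLAN 10 (10.10.0.0/24); the untrusted network is VLAN 20.
ip access-list extended ACL-UNTRUSTED-TO-TRUSTED
 remark Services deliberately published to the untrusted side (sample values)
 permit tcp any host 10.10.0.10 eq 443
 permit udp any host 10.10.0.53 eq 53
 remark TCP replies to sessions started from the trusted side.
 remark "established" only checks that ACK or RST is set; it keeps no session table,
 remark so it is weaker than a reflexive ACL or ZBFW and does not cover UDP or ICMP.
 permit tcp any 10.10.0.0 0.0.0.255 established
 remark Everything else initiated from the untrusted side is denied and logged
 remark (ACL logging is punted to the CPU on hardware switches; rate it accordingly).
 deny ip any any log
!
interface Vlan20
 description Untrusted VLAN (constructed)
 ip access-group ACL-UNTRUSTED-TO-TRUSTED in
```

The gap to be aware of is that every UDP or ICMP reply the trusted side expects must be permitted explicitly, which is exactly the unnecessary inbound access the original poster wanted to avoid; on the 4500 the real fix is to put the stateful boundary on a device that can do inspection.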