07-15-2024 02:50 AM
Dear All,
I have multiple VLANs in my core switch, among them VLAN A, and only this VLAN A is extended to a downstream DMZ switch. A VRF is created for VLAN A on the downstream DMZ switch, and its route points to VLAN A's SVI on the core switch.
Now I can ping the VLAN A interface on the DMZ switch and vice versa, and all the VLANs in the core switch are also pingable from the DMZ. My requirement is to restrict this so that VLAN A in the DMZ shouldn't ping or access any of the networks in the core switch, but the networks in the core switch should be able to access VLAN A.
Kindly let me know any suggestions for doing this through an ACL.
07-15-2024 04:37 AM
It's hard to do this without a FW, but I will give you some points.
Traffic is mostly classified into three main categories:
1- TCP
2- UDP
3- ICMP
So to allow one side access to the other side and prevent reverse connections, we use:
Allow any any from side A to side B.
We allow traffic from side B to side A, but with conditions:
1- For TCP we use the established keyword in the ACL
2- For ICMP we use echo-reply
3- For UDP, here mostly servers use UDP (DHCP, DNS, etc.), so we allow traffic only for specific UDP ports (the ports the server uses)
That's all.
Thanks
MHM
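The three rules above, written out as an IOS extended ACL applied inbound on the core switch's VLAN A SVI (the point where traffic from the DMZ side enters the core). This is an added example, not configuration posted in the thread; the addressing (VLAN A = 10.10.10.0/24, core SVI on Vlan10, internal networks under 10.0.0.0/8, a DNS server at 10.0.0.53) is assumed for illustration.

```cisco
! Assumed addressing, not from the thread:
!   VLAN A (extended to the DMZ switch) : 10.10.10.0/24, core SVI = interface Vlan10
!   Core-side networks                  : 10.0.0.0/8
!   DNS server the DMZ hosts may reach  : 10.0.0.53
!
! Inbound on the VLAN A SVI = traffic sourced by DMZ hosts heading into the core.
! Core -> VLAN A direction is left unfiltered, so core hosts can open sessions.
ip access-list extended VLANA-FROM-DMZ
 remark 1- TCP: only segments belonging to sessions opened from the core side
 permit tcp 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255 established
 remark 2- ICMP: only replies to pings sent from the core side
 permit icmp 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255 echo-reply
 remark 3- UDP: only the specific server ports DMZ hosts genuinely need (DNS here)
 permit udp 10.10.10.0 0.0.0.255 host 10.0.0.53 eq domain
 remark Everything else initiated from the DMZ side is dropped and logged
 deny   ip 10.10.10.0 0.0.0.255 any log
!
interface Vlan10
 description VLAN A SVI, extended to DMZ switch
 ip address 10.10.10.1 255.255.255.0
 ip access-group VLANA-FROM-DMZ in
```

Two caveats a practitioner should keep in mind. `established` only matches TCP segments with the ACK or RST bit set; it is a flag check, not a connection table, so a DMZ host can still send crafted ACK/RST packets toward the core (they will not complete a handshake, but they are not blocked). And UDP has no equivalent of `established`: if the core side initiates UDP to DMZ hosts (SNMP polling, for example), the replies come back sourced from that service port and need their own `permit udp ... eq <port> ...` line, otherwise the final `deny` drops them. That is why a stateful firewall is the clean answer; the ACL is an approximation.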
07-15-2024 11:03 AM
As @MHM Cisco World said, you really need to do this with a firewall.