03-28-2013 07:05 AM - edited 03-11-2019 06:21 PM
Hey guys, I have a very basic question. As much as I know about firewalls, this matter escapes me. Can someone explain to me what the security levels mean on the interface, and could I have the same security level on two different interfaces that face the internet?
Please advise and thank you
Matt
03-28-2013 07:17 AM
Hello Matthew,
The security level protects higher security networks from lower security networks by imposing additional protection between the two.
The level controls the following behavior:
• Network access: By default, there is an implicit permit from a higher security interface to a lower security interface (outbound). Hosts on the higher security interface can access any host on a lower security interface. You can limit access by applying an access list to the interface.
• Normally, interfaces on the same security level cannot communicate. If you want interfaces on the same security level to communicate, you need to add the same-security-traffic inter-interface. You might want to assign two interfaces to the same level and allow protection features to be applied equally for traffic between two interfaces; for example, you have two departments that are equally secure.
I hope it helps.
Regards,
Juan Lombana
Please rate helpful posts.
03-28-2013 08:42 AM
Perfect answer!!! Thank you
03-28-2013 08:45 AM
You're welcome!
Please rate helpful posts.
03-29-2013 11:54 AM
In practice, most interesting firewall designs end up putting access lists on all the interfaces, at which point the security levels are moot. The primary effect of Cisco's security-level concept is that an out-of-the-box vanilla configuration with just an inside and an outside network will more or less work: the firewall will block unsolicited inbound traffic, allow outbound traffic, and allow reply packets for existing connections in.
-- Jim Leinweber, WI State Lab of Hygiene
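As an added illustration of both answers above (this is a constructed example, not a configuration posted by anyone in this thread), the ASA fragment below gives two DMZ interfaces the same security level and enables same-security-traffic permit inter-interface so they can talk, and then applies access lists to the outside and dmz-web interfaces. The interface names, addresses and ACL names are assumed for the example. Note that once an access list is bound to an interface, that list's implicit deny governs traffic entering the ASA on that interface, so the higher-to-lower implicit permit no longer applies there; that is the sense in which the levels become moot once every interface carries an ACL.

```cisco
! Lowest trust: faces the internet
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Highest trust: internal users, implicit permit toward every lower level
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Two DMZs at the same level: without the command below they cannot reach each other
interface GigabitEthernet0/2
 nameif dmz-web
 security-level 50
 ip address 10.2.1.1 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dmz-app
 security-level 50
 ip address 10.2.2.1 255.255.255.0
!
! Allow traffic between interfaces that share a security level
same-security-traffic permit inter-interface
!
! Inbound from the internet: only HTTPS to the web server (assumed address), everything else denied and logged
access-list OUTSIDE_IN extended permit tcp any host 10.2.1.10 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Traffic entering from dmz-web: the web server may reach the app tier on 8443 only.
! Binding this ACL replaces the level-based implicit permit from dmz-web toward outside;
! anything not listed here, including outbound to the internet, now hits the implicit deny.
access-list DMZ_WEB_IN extended permit tcp host 10.2.1.10 10.2.2.0 255.255.255.0 eq 8443
access-list DMZ_WEB_IN extended deny ip any any log
access-group DMZ_WEB_IN in interface dmz-web
```

The inside interface carries no access list in this fragment, so it keeps the default behaviour Jim describes: hosts on inside may initiate to any lower-level interface, and the ASA's connection table lets the replies back in without a matching permit on OUTSIDE_IN. Verify the result with show access-list (hit counts) and show conn after generating test traffic.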