
Disable inter-VLAN routing

kreminator
Level 1

I have an ASA 5506-X (9.8) with separate VLANs behind it on an L2 Cisco switch. The ASA is strictly for providing Internet access with NAT. I want to make sure that there is no routing between the VLAN subinterfaces, but still provide access to the ASA from a couple of VLANs for management. The interfaces are given the same security level since all VLANs are to be treated the same.


Since this is a firewall, I believe it restricts inter-VLAN routing by default, but I will of course have to test it thoroughly. Any recommendations for best practice here? I should probably set up some ACL rules to explicitly deny traffic from passing through, but allow management from some VLANs? Then again, I guess I can just remove lines like same-security-traffic permit inter-interface from the config and it will be denied by default, given no ACLs exist.

Accepted Solution

Sergey Lisitsin
VIP Alumni

kreminator,


You are correct. By default traffic is only permitted from higher security interfaces to pass to the lower security interfaces if no ACLs are configured. Then the return traffic passage depends on the default inspection policy. If you have two same security level interfaces and the command "same-security permit inter-interface" is not present, traffic between same security level interfaces is also not permitted.

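The setup the accepted answer describes, written out as an ASA 9.8 configuration so the default-deny behaviour and the management exception can be seen together. This is an added example, not configuration posted in the thread. The interface names (vlan10, vlan20, outside), the VLAN IDs 10 and 20, the addresses 10.0.10.0/24 and 10.0.20.0/24, and the choice of VLAN 10 as the only management VLAN are assumptions for illustration.

```cisco
! Added example, not from the thread. Assumed: VLAN 10 and VLAN 20 on
! subinterfaces of Gi1/1, Internet on Gi1/2, VLAN 10 is the management VLAN.
interface GigabitEthernet1/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1.10
 vlan 10
 nameif vlan10
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet1/1.20
 vlan 20
 nameif vlan20
 security-level 100
 ip address 10.0.20.1 255.255.255.0
!
interface GigabitEthernet1/2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! Internet access only: PAT each VLAN behind the outside address.
object network vlan10-net
 subnet 10.0.10.0 255.255.255.0
 nat (vlan10,outside) dynamic interface
object network vlan20-net
 subnet 10.0.20.0 255.255.255.0
 nat (vlan20,outside) dynamic interface
!
! Both subinterfaces sit at security-level 100. Without this command the ASA
! drops through-traffic between same-security interfaces even if an ACL would
! permit it. Written in negated form so the intent is visible in the config
! (it does not appear in the running-config when disabled).
no same-security-traffic permit inter-interface
!
! Defence in depth: an explicit deny keeps inter-VLAN traffic blocked even if
! someone later enables same-security-traffic. Once an ACL is applied inbound
! it replaces the security-level default for that interface, so the deny must
! precede the permit that gives the VLAN its Internet access.
object-group network internal-nets
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.20.0 255.255.255.0
access-list vlan10-in extended deny ip any object-group internal-nets
access-list vlan10-in extended permit ip 10.0.10.0 255.255.255.0 any
access-group vlan10-in in interface vlan10
access-list vlan20-in extended deny ip any object-group internal-nets
access-list vlan20-in extended permit ip 10.0.20.0 255.255.255.0 any
access-group vlan20-in in interface vlan20
!
! Management of the ASA itself is to-the-box traffic and is not governed by
! the interface ACLs above; it is governed by the ssh/http commands, so only
! VLAN 10 is listed here. A second management VLAN is one more line each.
aaa authentication ssh console LOCAL
ssh 10.0.10.0 255.255.255.0 vlan10
ssh version 2
http server enable
http 10.0.10.0 255.255.255.0 vlan10
```

To verify rather than trust the defaults, check that `show running-config | include same-security` returns nothing, then use packet-tracer from the ASA CLI: `packet-tracer input vlan10 tcp 10.0.10.50 40000 10.0.20.50 80` should end with the flow dropped, while `packet-tracer input vlan10 tcp 10.0.10.50 40000 203.0.113.10 443` should show the NAT translation and an allow. Repeat from vlan20 in both directions, since the deny in one interface's ACL says nothing about the other.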