DMZ question

m.saunders
Level 1

Am I able to apply an ACL within the same DMZ to prevent one host from talking to another in that same DMZ?

DMZ X:

172.17.1.1 is allowed to talk to the internet and to internal hosts, BUT

is denied from talking to 172.17.3.3, which is on the same DMZ.

Can I just do a:

! ACL entries are matched top-down, so the specific deny has to come before the broad permit
deny ip host 172.17.1.1 host 172.17.3.3

! "ip" already matches every protocol and port, so no port keyword is needed
permit ip host 172.17.1.1 any

Thanks

6 Replies

In theory no...

The reason being that if the destination resides in the same layer three boundary (same subnet), then the source will do an ARP request and find the destination's MAC. From there the source node will send the data directly to the destination's MAC.

There is no man in the middle (firewall) to filter this traffic.  If you were routing between networks and the firewall was in the middle it would work.

So if we put both devices in 2 different DMZs, we can then apply ACLs around them and protect them from one another? Do they have to be in different subnets as well?

Yes, if you place them in two different DMZs (which would also be different subnets), then you can use ACLs on the firewall to allow/block specific traffic.

Thanks

Hi Bro

You can't deny network traffic when the source and destination are in the same network address. However, if you still want to block access between these 2 devices (assuming both these devices are physically connected to the same Cisco L2 switches), you'll need to configure Private VLAN, on those switchports. This will work like a charm.

http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html

P/S: If you think this comment is useful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam
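As an added example (not part of this thread or any poster's configuration), this is what the Private VLAN approach suggested above looks like on a Cisco IOS access switch: both DMZ hosts sit on isolated ports so they cannot reach each other at layer 2, while the firewall's DMZ interface sits on a promiscuous port so both hosts can still reach it (and through it, the internet and the internal network). The VLAN numbers and interface names are assumptions chosen for the example.

```cisco
! Assumed: VLAN 300 = primary, VLAN 301 = isolated secondary.
! Private VLANs require the switch not to be a VTP server/client (VTP v1/v2).
vtp mode transparent
!
vlan 301
 private-vlan isolated
!
vlan 300
 private-vlan primary
 private-vlan association 301
!
! Isolated host ports: traffic between two isolated ports is dropped by the switch,
! so 172.17.1.1 never gets an ARP reply from 172.17.3.3 and vice versa.
interface GigabitEthernet0/1
 description DMZ host 172.17.1.1 (assumed port)
 switchport mode private-vlan host
 switchport private-vlan host-association 300 301
!
interface GigabitEthernet0/2
 description DMZ host 172.17.3.3 (assumed port)
 switchport mode private-vlan host
 switchport private-vlan host-association 300 301
!
! Promiscuous port toward the firewall's DMZ interface: every isolated host can
! reach it, so the firewall's existing ACLs still govern DMZ <-> internet/inside.
interface GigabitEthernet0/24
 description uplink to firewall DMZ interface (assumed port)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 300 301
!
! Verification:
!   show vlan private-vlan          (300 primary / 301 isolated, ports listed)
!   show interfaces Gi0/1 switchport  (Operational Mode: private-vlan host)
```

A quick functional check is to ping 172.17.3.3 from 172.17.1.1 (should fail) and then ping the firewall's DMZ address from either host (should succeed).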

I'm not a bro but thank you for the response!!  LOL  This helps in my configuration.

Michelle
