08-20-2012 10:56 AM - edited 03-11-2019 04:44 PM
Am I able to apply an ACL within the same DMZ to prevent one host from talking to another in that same DMZ?
DMZ X:
172.17.1.1 is allowed to talk to the internet and to internal hosts BUT,
Denied from talking to 172.17.3.3 which is on the same DMZ
Can I just do a:
permit ip host 172.17.1.1 any port whatever
deny ip host 172.17.1.1 host 172.17.3.3
Thanks
08-20-2012 12:20 PM
In theory no...
The reason being, if the destination resides in the same layer three boundary (same subnet), then the source will do an ARP request and find the destination's MAC. From there the source node will send the data directly to the destination's MAC.
There is no man in the middle (firewall) to filter this traffic. If you were routing between networks and the firewall was in the middle it would work.
08-20-2012 12:27 PM
So if we put both devices in 2 different DMZs, we can then apply ACLs around them and protect them from one another? Do they have to be in different subnets as well?
08-20-2012 12:33 PM
Yes, if you place them in two different DMZs (which would also be different subnets) then you can use ACLs on the firewall to allow/block specific traffic.
08-20-2012 12:38 PM
Thanks
08-20-2012 08:01 PM
Hi Bro
You can't deny network traffic when the source and destination are in the same network address. However, if you still want to block access between these 2 devices (assuming both these devices are physically connected to the same Cisco L2 switches), you'll need to configure Private VLAN on those switchports. This will work like a charm.
http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html
P/S: If you think this comment is useful, please do rate them nicely :-)
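An added example (not from the thread) of the Private VLAN setup the reply above describes, on a Cisco IOS switch: the two DMZ hosts go on isolated ports so they cannot reach each other at layer 2, while the firewall's DMZ interface sits on a promiscuous port so both hosts still reach it. VLAN numbers and interface names are assumptions.

```cisco
! Private VLANs require VTP transparent mode on many IOS platforms
vtp mode transparent
!
! Primary VLAN is DMZ X; the isolated secondary VLAN holds the hosts to be separated
vlan 100
 name DMZ-X-primary
 private-vlan primary
 private-vlan association 101
vlan 101
 name DMZ-X-isolated
 private-vlan isolated
!
! Host ports: isolated ports can talk only to promiscuous ports, never to each other
interface GigabitEthernet0/1
 description DMZ host 172.17.1.1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
interface GigabitEthernet0/2
 description DMZ host 172.17.3.3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Firewall DMZ interface: promiscuous, so both hosts keep their path to the firewall,
! the internet and the internal networks (still subject to the firewall's ACLs)
interface GigabitEthernet0/24
 description firewall DMZ-X interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Verify with: show vlan private-vlan
```

After applying this, a ping from 172.17.1.1 to 172.17.3.3 should fail while both hosts still reach the firewall, which confirms the isolation is done by the switch rather than by an ACL the traffic never crosses.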
08-21-2012 05:18 AM
I'm not a bro but thank you for the response!! LOL This helps in my configuration.
Michelle