Buy or Renew
Buy or Renew
Cisco Community present at Cisco Live EMEA 2023. See you in Amsterdam! Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
174
Views
0
Helpful
1
Replies

Number of ACL on FTD security zone with multiple interfaces

Go to solution
a12288
Participant
Participant

‎12-06-2022 01:48 PM

We have a DMZ security zone on FTD and it has multiple VLANs / sub-interfaces, I found out every ACP created actually are duplicated to all VLANs / sub-interfaces, for example, my intention is:
Source -> DMZ -> VLAN-A/Sub-Interface-A -> App-A
Source -> DMZ -> VLAN-B/Sub-Interface-B -> App-B
Source -> DMZ -> VLAN-C/Sub-Interface-C -> App-C

But the show access-list CLI reveals it actually like this
Source -> DMZ -> VLAN-A/Sub-Interface-A + VLAN-B/Sub-Interface-B + VLAN-C/Sub-Interface-C ->  App-A
Source -> DMZ -> VLAN-A/Sub-Interface-A + VLAN-B/Sub-Interface-B + VLAN-C/Sub-Interface-C -> App-B
Source -> DMZ -> VLAN-A/Sub-Interface-A + VLAN-B/Sub-Interface-B + VLAN-C/Sub-Interface-C -> App-C

As a result of this multiplication, the number of ACL is quite large. Is this the expected behavior or something I can adjust to avoid this? Thanks.

 

Leo

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
manabans
Cisco Employee
Cisco Employee

‎12-06-2022 07:19 PM

A Security Zone is used to create the rules for the Access Control Policy, so this behavior is expected. Regardless of which interfaces are included in the security zone, the ACL will be expanded accordingly.

In order to prevent unwanted ACL expansion, you should create separate security zones for each interface and reference them in an ACL rule.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
manabans
Cisco Employee
Cisco Employee

‎12-06-2022 07:19 PM

A Security Zone is used to create the rules for the Access Control Policy, so this behavior is expected. Regardless of which interfaces are included in the security zone, the ACL will be expanded accordingly.

In order to prevent unwanted ACL expansion, you should create separate security zones for each interface and reference them in an ACL rule.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents