same security level rules

Answered Question
Jun 21st, 2009

Hi,


I came across some interfaces on our firewall with the same security level, and also an ACE corresponding to each of these interfaces.

I also found that the "same security level command" has been enabled on the firewall.

Question:

If 2 interfaces with the same level, say 50, need to pass traffic between each other, do they still require rules with the above command enabled?

If I remove the rules and test the traffic, would it allow traffic between these interfaces based on the above command?

Please suggest. Thanks.


Patrick0711 Sun, 06/21/2009 - 17:09

If the interfaces are configured with identical security levels, you have the "same-security-traffic permit inter-interface" command enabled, and you are running 7.2 or later code, you'll need to have specific rules to pass traffic in each direction between the segments.



suthomas1 Sun, 06/21/2009 - 23:29

That means even with this command, rules still have to be there.

Then what purpose does this command serve?


Thanks.

Correct Answer
Patrick0711 Mon, 06/22/2009 - 11:19

Without the command enabled, traffic WILL NOT pass between two segments with identical security levels even if access-lists are configured.


With the command enabled, traffic WILL pass between the segments but must be permitted via an access-list.


