
New Member

DMZ question

Am I able to apply an ACL within the same DMZ to prevent one host from talking to another in that same DMZ?

DMZ X:

172.17.1.1 is allowed to talk to the internet and to internal hosts, BUT

denied from talking to 172.17.3.3, which is on the same DMZ.

Can I just do a:

permit ip host 172.17.1.1 any port whatever

deny ip host 172.17.1.1 host 172.17.3.3

Thanks

Tags: Firewalling
6 REPLIES
New Member

DMZ question

In theory no...

The reason being, if the destination resides in the same layer three boundary (same subnet), then the source will do an ARP request and find the destination's MAC. From there the source node will send the data directly to the destination's MAC.

There is no man in the middle (firewall) to filter this traffic.  If you were routing between networks and the firewall was in the middle it would work.

New Member

DMZ question

So if we put both devices in 2 different DMZs, we can then apply ACLs around them and protect them from one another? Do they have to be in different subnets as well?

New Member

DMZ question

Yes, if you place them in two different DMZs (which would also be different subnets), then you can use ACLs on the firewall to allow/block specific traffic.

New Member

DMZ question

Thanks

DMZ question

Hi Bro

You can't deny network traffic when the source and destination are in the same network address. However, if you still want to block access between these 2 devices (assuming both these devices are physically connected to the same Cisco L2 switches), you'll need to configure Private VLAN on those switchports. This will work like a charm.

http://www.cisco.com/en/US/tech/tk389/tk814/tk840/tsd_technology_support_sub-protocol_home.html

P.S.: If you think this comment is useful, please do rate them nicely :-)

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
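As an added illustration of the Private VLAN approach described above (this is not configuration from the poster or from the linked Cisco page), here is what it looks like on a Cisco IOS switch: both DMZ hosts sit on isolated ports of one primary VLAN, so each can still reach the firewall through the promiscuous uplink, but frames between the two hosts are dropped by the switch itself instead of never reaching the firewall ACL. The interface names, VLAN IDs 200/201 and the uplink port are assumptions.

```cisco
! Private VLANs require VTP transparent (or VTP v3) mode
vtp mode transparent
!
! Secondary VLAN: hosts here are isolated from each other
vlan 201
 private-vlan isolated
!
! Primary VLAN: the DMZ segment the firewall interface lives on
vlan 200
 private-vlan primary
 private-vlan association 201
!
! Host 172.17.1.1 (assumed port): isolated, can only reach promiscuous ports
interface GigabitEthernet0/1
 description DMZ host 172.17.1.1
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Host 172.17.3.3 (assumed port): same isolated VLAN, so no L2 path to Gi0/1
interface GigabitEthernet0/2
 description DMZ host 172.17.3.3
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
!
! Uplink to the firewall DMZ interface (assumed port): promiscuous,
! so the firewall sees every isolated host and its ACLs still apply
! to traffic leaving the DMZ
interface GigabitEthernet0/24
 description Uplink to firewall DMZ interface
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Verify the association and port roles
! show vlan private-vlan
! show interfaces GigabitEthernet0/1 switchport
```

Note that this blocks all direct traffic between the two hosts, not just selected ports; if 172.17.1.1 still needs to reach 172.17.3.3 for some services, the two-DMZ design from the earlier reply is the one that lets the firewall ACL decide per flow.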
New Member

DMZ question

I'm not a bro but thank you for the response!!  LOL  This helps in my configuration.

Michelle
