same security level rules

suthomas1
Level 6

Hi,

I came across some interface on our firewall with same security level & also ACE corresponding to each of these interfaces.

I also found that "same security level command" has been enabled on the firewall.

Question:

If 2 interfaces with same level say 50 need to pass traffic between each other, do they still require rules with above command enabled?

If I remove the rules and test the traffic, would it allow traffic between these interfaces based on the above command?

Please suggest. Thanks.

Accepted Solution

Patrick0711
Level 3

Without the command enabled, traffic WILL NOT pass between two segments with identical security levels even if access-lists are configured.

With the command enabled, traffic WILL pass between the segments but must be permitted via an access-list.

3 Replies

Patrick0711
Level 3

If the interfaces are configured with identical security levels, you have the "same-security-traffic permit inter-interface" command enabled, and you are running 7.2 or later code, you'll need to have specific rules to pass traffic in each direction between the segments.

That means even with this command, rules still have to be there.

Then what purpose does this command serve?

Thanks.

