Cisco Support Community
Community Member

same security level rules

Hi,

I came across some interfaces on our firewall with the same security level, and also ACEs corresponding to each of these interfaces.

I also found that the "same security level command" has been enabled on the firewall.

Question:

If 2 interfaces with the same level, say 50, need to pass traffic between each other, do they still require rules with the above command enabled?

If I remove the rules and test the traffic, would it allow traffic between these interfaces based on the above command?

Please suggest. Thanks.


3 REPLIES
Bronze

Re: same security level rules

If the interfaces are configured with identical security levels, you have the "same-security-traffic permit inter-interface" command enabled, and you are running 7.2 or later code, you'll need to have specific rules to pass traffic in each direction between the segments.

Community Member

Re: same security level rules

That means even with this command, rules still have to be there.

Then what purpose does this command serve?

Thanks.

Bronze (Accepted Solution)

Re: same security level rules

Without the command enabled, traffic WILL NOT pass between two segments with identical security levels even if access-lists are configured.

With the command enabled, traffic WILL pass between the segments but must be permitted via an access-list.
