Hello! I have 2 VLAN interfaces, both with CBAC (inspect) ACLs.

I noticed that in that case the 2nd CBAC ACL (on the outgoing interface) is not being processed, even if it would reject the packet. It is working if traffic comes from an incoming interface without an inspect rule; the ACL on the out interface is being processed in that case. Is that intended behavior, i.e. if one temporary inspect rule exists, the second ACL is bypassed? In case I would like to have inspect rules on both interfaces for traffic to the internet and to have firewalls between the VLANs, what is the preferred way to handle this?

    interface Vlan5
     ipv6 inspect spi-fw-vlan5 in
     ipv6 traffic-filter vlan5-acl-out out

    interface Vlan30
     ipv6 inspect spi-fw-vlan30 in
     ipv6 traffic-filter vlan30-acl-out out

Both lists have a deny ipv6 any any at the end and the rejects are being logged.

If I now try to connect from a machine in VLAN 5 to a machine in VLAN 30, to a destination address/port that should be rejected by vlan30-acl-out, the traffic goes through. If I try to do that from VLAN 2 (no ACL attached), the ACL vlan30-acl-out is being processed and the packet will be rejected.

--
kind regards
Marco

Send unsolicited bulk mail to [email protected]
_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
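The combination Marco describes (an `ipv6 inspect ... in` on the ingress VLAN interface paired with an `ipv6 traffic-filter ... out` on the egress VLAN interface) is easy to spot in a two-interface config but easy to miss in a larger one. The following audit script is an added example, not part of the original mail or of any Cisco tooling: it parses an IOS-style config text, records per interface which inspect rule and traffic-filter are applied in which direction, and lists every ingress/egress pair that matches the pattern observed in the post, plus the interfaces that carry no traffic-filter at all (the VLAN 2 case, where the egress ACL was seen to apply). The sample config is constructed from the interfaces in the post; the script reports the pattern and makes no claim about why IOS behaves as observed.

```python
"""Audit an IOS-style config for the CBAC inspect / traffic-filter combination from the post.

Added example (not from the original mail). Assumes an IOS-style text config with
'interface <name>', 'ipv6 inspect <rule> in|out' and 'ipv6 traffic-filter <acl> in|out' lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the interfaces in the post (Vlan2 has no ACL attached).
SAMPLE_CONFIG = """\
interface Vlan2
 description no ACL attached
!
interface Vlan5
 ipv6 inspect spi-fw-vlan5 in
 ipv6 traffic-filter vlan5-acl-out out
!
interface Vlan30
 ipv6 inspect spi-fw-vlan30 in
 ipv6 traffic-filter vlan30-acl-out out
"""

_IF_RE = re.compile(r"^interface\s+(\S+)\s*$")
_INSPECT_RE = re.compile(r"^ipv6 inspect\s+(\S+)\s+(in|out)\s*$")
_FILTER_RE = re.compile(r"^ipv6 traffic-filter\s+(\S+)\s+(in|out)\s*$")


@dataclass
class Interface:
    name: str
    inspect_in: Optional[str] = None   # CBAC rule applied inbound, if any
    filter_in: Optional[str] = None    # traffic-filter applied inbound, if any
    filter_out: Optional[str] = None   # traffic-filter applied outbound, if any


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Build an Interface record per 'interface' stanza, keeping only the lines we audit."""
    interfaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = _IF_RE.match(line)
        if m:
            current = Interface(m.group(1))
            interfaces[current.name] = current
            continue
        if current is None:
            continue  # global config before the first interface stanza
        m = _INSPECT_RE.match(line)
        if m and m.group(2) == "in":
            current.inspect_in = m.group(1)
            continue
        m = _FILTER_RE.match(line)
        if m:
            if m.group(2) == "in":
                current.filter_in = m.group(1)
            else:
                current.filter_out = m.group(1)
    return interfaces


def find_bypass_pairs(interfaces: Dict[str, Interface]) -> List[Tuple[str, str, str]]:
    """Return (ingress, egress, egress_acl) for every inspect-in interface paired with
    a different interface carrying a traffic-filter out: the pattern reported in the post."""
    pairs = []
    for src in interfaces.values():
        if src.inspect_in is None:
            continue
        for dst in interfaces.values():
            if dst is src or dst.filter_out is None:
                continue
            pairs.append((src.name, dst.name, dst.filter_out))
    return sorted(pairs)


def interfaces_without_filter(interfaces: Dict[str, Interface]) -> List[str]:
    """Interfaces with no traffic-filter in either direction (the VLAN 2 case in the post)."""
    return sorted(i.name for i in interfaces.values()
                  if i.filter_in is None and i.filter_out is None)


def report(config: str) -> List[str]:
    """Human-readable audit lines for a config text."""
    ifs = parse_interfaces(config)
    lines = [f"inspect in on {src} -> traffic-filter out {acl} on {dst}"
             for src, dst, acl in find_bypass_pairs(ifs)]
    lines += [f"no traffic-filter on {name}" for name in interfaces_without_filter(ifs)]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run it against `show running-config` output saved to a file (replace `SAMPLE_CONFIG` with the file contents); every line it prints is a pair worth testing the way Marco did, with a connection that the egress ACL should deny.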
