ER605 ACLs not working as expected in standalone
I have two networks/subnets, network1 and network2.
If I create two ACLs:
- A LAN-LAN rule which blocks traffic from network2 to !network2
- An ALL rule that allows traffic from IP2 on network2 to IP1 on network1 using IP Groups
The allow rule is above the block rule on the list.
In this case, traffic does not flow from IP2 to IP1 and back.
However, if I add the reflexive rule to allow traffic from IP1 to IP2, it works. Why would that be needed? I don't have an ACL which blocks *any* traffic from network1 to network2. If ALL traffic is already allowed, why would I need an allow rule for one IP explicitly?
In this case, the switches are all layer 2 managed switches. The routing and ACLs are being applied by the ER605 only.