06-13-2018 09:29 PM - edited 03-11-2019 01:41 AM
Hi:Team:
Is there a way to use a sgt represent ip address is any ?
After customer deployed the sda fabric , some acl just like deny ip 172.30.0.0 0.0.255.255 any can not change to sgacl
How we can use sgacl replace transitional acl which one the source or destination address is any ?
Thank you very much!
Solved! Go to Solution.
12-24-2018 04:42 AM
Was just going through the community questions and noticed this was answered.
Sorry for the delay.
You're right, there's no such thing as ANY for SGACLs.
If the ACL using ANY is on an interface then you can determine what subnet(s) are on that interface in order to perhaps use a Subnet:SGT mapping instead.
Remember that in your example above, the IP will be in a group. So what you want is a policy from SGT X to any other group (permit or deny as appropriate). You then complete your policies between all groups making use of a default deny or default permit, whichever allows less entries to be entered. Remember you can use the 'Unknown' group for sources or destinations that are not classified into groups.
12-24-2018 04:42 AM
Was just going through the community questions and noticed this was answered.
Sorry for the delay.
You're right, there's no such thing as ANY for SGACLs.
If the ACL using ANY is on an interface then you can determine what subnet(s) are on that interface in order to perhaps use a Subnet:SGT mapping instead.
Remember that in your example above, the IP will be in a group. So what you want is a policy from SGT X to any other group (permit or deny as appropriate). You then complete your policies between all groups making use of a default deny or default permit, whichever allows less entries to be entered. Remember you can use the 'Unknown' group for sources or destinations that are not classified into groups.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide