Solved: How to define a SGT for address is any?

huichen2 · ‎06-13-2018

Hi:Team:

Is there a way to use a sgt represent ip address is any ?

After customer deployed the sda fabric , some acl just like deny ip 172.30.0.0 0.0.255.255 any can not change to sgacl

How we can use sgacl replace transitional acl which one the source or destination address is any ?

Thank you very much!

jeaves@cisco.com · ‎12-24-2018

Was just going through the community questions and noticed this was answered.

Sorry for the delay.

You're right, there's no such thing as ANY for SGACLs.

If the ACL using ANY is on an interface then you can determine what subnet(s) are on that interface in order to perhaps use a Subnet:SGT mapping instead.

Remember that in your example above, the IP will be in a group. So what you want is a policy from SGT X to any other group (permit or deny as appropriate). You then complete your policies between all groups making use of a default deny or default permit, whichever allows less entries to be entered. Remember you can use the 'Unknown' group for sources or destinations that are not classified into groups.

View solution in original post

jeaves@cisco.com · ‎12-24-2018

Was just going through the community questions and noticed this was answered.

Sorry for the delay.

You're right, there's no such thing as ANY for SGACLs.

If the ACL using ANY is on an interface then you can determine what subnet(s) are on that interface in order to perhaps use a Subnet:SGT mapping instead.

Remember that in your example above, the IP will be in a group. So what you want is a policy from SGT X to any other group (permit or deny as appropriate). You then complete your policies between all groups making use of a default deny or default permit, whichever allows less entries to be entered. Remember you can use the 'Unknown' group for sources or destinations that are not classified into groups.