06-13-2018 09:29 PM - edited 03-11-2019 01:41 AM
Hi Team,
Is there a way to use an SGT to represent an IP address of "any"?
After the customer deployed the SDA fabric, some ACLs such as "deny ip 172.30.0.0 0.0.255.255 any" cannot be changed to SGACLs.
How can we use an SGACL to replace a traditional ACL in which the source or destination address is any?
Thank you very much!
12-24-2018 04:42 AM
Was just going through the community questions and noticed this was answered.
Sorry for the delay.
You're right, there's no such thing as ANY for SGACLs.
If the ACL using ANY is on an interface then you can determine what subnet(s) are on that interface in order to perhaps use a Subnet:SGT mapping instead.
Remember that in your example above, the IP will be in a group. So what you want is a policy from SGT X to any other group (permit or deny as appropriate). You then complete your policies between all groups, making use of a default deny or default permit, whichever allows fewer entries to be entered. Remember you can use the 'Unknown' group for sources or destinations that are not classified into groups.
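The approach in the answer above, worked through as an added example (not part of the original thread and not Cisco tooling): map the subnet to a group, expand the "any" side into one cell per other group including Unknown, then pick the default action that needs fewer explicit entries. The group names, the 10.x subnets, and the assumption that all other traffic is permitted are constructed for illustration.

```python
import ipaddress
from collections import Counter

UNKNOWN = "Unknown"  # group for sources/destinations not classified into an SGT

# Constructed Subnet:SGT mappings; group names and the 10.x subnets are assumptions.
SUBNET_SGT = {
    "172.30.0.0/16": "Restricted",
    "10.10.0.0/16": "Employees",
    "10.20.0.0/16": "Servers",
}

def classify(ip, mappings=SUBNET_SGT):
    """Longest-prefix match of an IP to its group; unmapped addresses are Unknown."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(c), g) for c, g in mappings.items()
            if addr in ipaddress.ip_network(c)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else UNKNOWN

def expand_any(source, action, groups):
    """Turn '<action> ip <source> any' into one cell per other group, Unknown included."""
    dests = sorted((set(groups) | {UNKNOWN}) - {source})
    return {(source, dst): action for dst in dests}

def build_policy(cells, groups, otherwise="permit"):
    """Fill the full group-to-group matrix, then pick the default action that
    leaves fewer explicit entries. Ties go to 'deny' (an assumption, not from the post)."""
    every = sorted(set(groups) | {UNKNOWN})
    matrix = {(s, d): cells.get((s, d), otherwise) for s in every for d in every}
    counts = Counter(matrix.values())
    default = "permit" if counts["permit"] > counts["deny"] else "deny"
    explicit = {k: v for k, v in matrix.items() if v != default}
    return default, explicit

def demo():
    groups = set(SUBNET_SGT.values())
    # deny ip 172.30.0.0 0.0.255.255 any  ->  Restricted to every other group
    cells = expand_any(classify("172.30.5.9"), "deny", groups)
    return build_policy(cells, groups)

if __name__ == "__main__":
    default, explicit = demo()
    print("default:", default)
    for (src, dst), action in sorted(explicit.items()):
        print(f"{src} -> {dst}: {action}")
```

With these sample groups, a default permit leaves three explicit deny entries, whereas a default deny would require thirteen explicit permits.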