Cisco Employee

How to define an SGT for an address that is any?

Hi Team:

Is there a way to use an SGT to represent an IP address that is any?

After the customer deployed the SDA fabric, some ACLs, such as deny ip 172.30.0.0 0.0.255.255 any, cannot be changed to SGACLs.

How can we use SGACLs to replace traditional ACLs where the source or destination address is any?

Thank you very much!

Accepted Solution
Cisco Employee

Re: How to define an SGT for an address that is any?

Was just going through the community questions and noticed this was answered.

Sorry for the delay.

You're right, there's no such thing as ANY for SGACLs.

If the ACL using ANY is on an interface then you can determine what subnet(s) are on that interface in order to perhaps use a Subnet:SGT mapping instead.

Remember that in your example above, the IP will be in a group. So what you want is a policy from SGT X to any other group (permit or deny as appropriate). You then complete your policies between all groups making use of a default deny or default permit, whichever allows fewer entries to be entered. Remember you can use the 'Unknown' group for sources or destinations that are not classified into groups.
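As an added illustration (not code from the thread or from Cisco), the following Python models the approach in the answer: it takes the poster's ACE, looks up which SGTs the Subnet:SGT mappings assign to that subnet, expands the "any" destination into one matrix cell per group plus Unknown, and counts how many explicit cells each matrix default (permit or deny) would need. The mappings, SGT names and the second 172.30.x.0/24 group are constructed example values.

```python
import ipaddress

# Constructed Subnet:SGT mappings (example values, not from the thread).
# 172.30.10.0/24 is a deliberately narrower mapping inside the ACE subnet,
# so one legacy ACE can end up touching more than one source SGT.
SUBNET_TO_SGT = {
    "172.30.0.0/16": "Branch_Users",
    "172.30.10.0/24": "Branch_IoT",
    "10.1.0.0/16": "Servers",
    "10.2.0.0/16": "Printers",
}
UNKNOWN = "Unknown"  # endpoints not classified into any group

def parse_ace(ace):
    """Parse a legacy IOS ACE of the form '<action> ip <src> <wildcard> any'."""
    action, proto, src_ip, src_wc, dst = ace.split()
    if proto != "ip" or dst != "any":
        raise ValueError("example only handles 'ip <src-subnet> any' entries")
    # ipaddress accepts a wildcard (hostmask) after the slash
    return action, ipaddress.ip_network(f"{src_ip}/{src_wc}")

def sgts_covering(net):
    """SGTs whose mapped subnets overlap the subnet named in the ACE."""
    return sorted(sgt for cidr, sgt in SUBNET_TO_SGT.items()
                  if ipaddress.ip_network(cidr).overlaps(net))

def ace_to_sgacl_matrix(ace, default="permit"):
    """Replace 'src-subnet -> any' with explicit SGT X -> every group cells.

    'any' includes the source group itself and Unknown. Only cells whose
    action differs from the matrix default need to be entered, so the
    returned dict is exactly the set of explicit entries required."""
    action, net = parse_ace(ace)
    all_groups = sorted(set(SUBNET_TO_SGT.values())) + [UNKNOWN]
    cells = {}
    for src in sgts_covering(net):
        for dst in all_groups:
            if action != default:
                cells[(src, dst)] = action
    return cells

def cheaper_default(ace):
    """Pick the matrix default that needs fewer explicit cells for this ACE."""
    counts = {d: len(ace_to_sgacl_matrix(ace, d)) for d in ("permit", "deny")}
    return min(counts, key=counts.get), counts
```

Running cheaper_default on the poster's "deny ip 172.30.0.0 0.0.255.255 any" shows that a default-deny matrix needs no explicit cells for it, while default-permit needs one deny cell per (source SGT, destination group) pair.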
