Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
509
Views
2
Helpful
4
Replies

Is an inverse access list configuration possible?

jeff20
Level 1
Level 1

‎01-29-2024 11:49 AM

I'm working on a Nexus 9000 whose purpose is to redirect traffic to a web content filtering system with ITD.  There is an access list that works to match traffic with specific sources and destinations and sets a next hop ip address in the route map which sends traffic to the web filter. 

However, I don't want to specify all the traffic that I do want to be re-directed and filtered.  I'd like to specify the sources and destinations that I don't want to be re-directed with the next hop.  Is it possible to turn this logic around, to re-direct all traffic except what's specified in the access list?  Thanks for any ideas.

Labels:
0 Helpful
4 Replies 4

Torbjørn
Spotlight
Spotlight

‎01-29-2024 01:23 PM

You can achieve this by creating a "permit Ip any any" catch-all entry in the bottom of your access list and create specific deny entries for all traffic you don't want to be redirected above your catch-all. 

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

jeff20
Level 1
Level 1
In response to Torbjørn

‎01-29-2024 03:02 PM

Thank you. I did try something like that, but the deny doesn't seem to have any effect. If I have the catch-all at the bottom, the traffic still gets re-directed.

ip access-list iboss_LAN
15 deny ip 10.110.19.3/32 164.104.1.0/24
20 permit ip 10.110.19.3/32 104.17.17.87/32
25 permit ip 10.110.19.3/32 204.79.197.200/32
30 permit ip 10.110.19.3/32 104.17.18.87/32
35 permit ip 10.110.19.3/32 146.75.95.5/32
40 permit ip 10.110.19.3/32 108.156.201.0/24
45 permit ip 10.110.19.3/32 216.239.38.120/32
50 permit ip 10.110.19.3/32 any

0 Helpful

paul driver
VIP
VIP
In response to jeff20

‎01-30-2024 07:48 PM

Hello
You can always use a deny stanza to deny any specific traffic and then allow all other traffic to be policy routed

Example:
ip access-list extended iboss_LAN
permit ip 10.110.19.3/32 164.104.1.0/24

route-map PBR deny 5
match ip address iboss_LAN

route-map PBR permit 99
set ip next-hop x.x.x.x


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

jeff20
Level 1
Level 1

‎01-31-2024 07:25 AM

Thanks for the suggestions, makes sense.  In this case, my problem was that the exclude access list I wanted needed to be configured within the ITD service.  I was trying to divert traffic in a more traditional way, but apparently ITD builds the route maps based on the ACL that are part of the ITD configuration.  Thanks for the help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card