I have the following situation. One PC in a specific VLAN in HQ needs access to devices at 200 locations which are on non-contiguous networks (so I can't use network summarization in the ACL). Also, that PC uses many different ports to access those devices, so I can't use TCP port restrictions in the ACL either. But all devices at the locations are marked with DSCP AF41 when traffic is destined to that PC in HQ, so my idea is to restrict traffic using an ACL with DSCP. The goal is that all devices at the locations are limited to communicating only with the PC in HQ, and the PC in HQ needs to be limited to communicating only with devices at the remote locations. I need to restrict that PC from accessing other VLANs on the same ML switch, other networks in HQ, etc.
So, to make this clearer, here are the network and the ACL:
Remote location's device IP: 10.1.1.1
! remote side: mark traffic destined to the HQ PC with AF41
policy-map MARKING
 class RESTRICT
  set dscp af41
!
class-map match-any RESTRICT
 match access-group name QoS-restrict
!
ip access-list extended QoS-restrict
 permit ip any host 10.2.2.2
!
! HQ side: ACL applied outbound, only AF41-marked traffic to the PC is allowed
ip access-group restrict-in out
!
ip access-list extended restrict-in
 10 permit ip any host 10.2.2.2 dscp af41
 20 deny ip any any
With this configuration, access to VLAN90 from other VLANs on the multilayer switch is impossible, and access from 10.1.1.1 is successful, so this part is OK. But when I initiate traffic from VLAN90 to, e.g., some address on VLAN10 on the ML switch, it is ALLOWED. I am 100% sure that the initiated traffic does not have any DSCP value. Why does the ACL not block incoming traffic without AF41 coming to the VLAN? If the answer is "but that traffic is initiated from VLAN90 and the ACL treats that traffic as 'established', so it is permitted", how can I solve this?
Sorry for the long post, but I just tried to clarify the issue as much as possible.
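The direction question raised in the post above, modelled in Python as an added example (it is not from the original post and not Cisco code). The model implements the standard semantics of an IOS extended ACL: ordered entries, first match wins, implicit deny at the end, no connection state except the optional `established` keyword (which matches TCP packets with ACK or RST set and is not used in the posted ACL). The ACL is assumed to be applied with `ip access-group restrict-in out` on the Vlan90 SVI; the post does not name the interface. The VLAN10 host 10.10.10.5 and VLAN id 10 are constructed for the scenarios; 10.1.1.1 and 10.2.2.2 come from the post.

```python
"""Stateless SVI ACL model: why an ACL applied 'out' on interface Vlan90 never
examines traffic that a VLAN90 host initiates. Hypothetical: VLAN10 host
10.10.10.5 and VLAN id 10. From the post: 10.1.1.1 (remote device), 10.2.2.2
(HQ PC in VLAN90), and the ACL restrict-in."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

AF41 = 34  # DSCP AF41 is decimal 34 (binary 100010)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dscp: int = 0
    ingress_vlan: int = 0                      # VLAN the packet came from (0 = uplink/WAN)
    tcp_flags: FrozenSet[str] = frozenset()    # e.g. {"SYN"} or {"SYN", "ACK"}


def _addr_matches(spec: str, addr: str) -> bool:
    """'any' matches every address; otherwise spec is a host or prefix."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: str                    # "any", "10.2.2.2/32", "10.0.0.0/8", ...
    dst: str
    dscp: Optional[int] = None  # None = no 'dscp' keyword on the entry
    established: bool = False   # IOS 'established': TCP with ACK or RST set

    def matches(self, pkt: Packet) -> bool:
        if not (_addr_matches(self.src, pkt.src) and _addr_matches(self.dst, pkt.dst)):
            return False
        if self.dscp is not None and pkt.dscp != self.dscp:
            return False
        if self.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            return False
        return True


class Acl:
    """Ordered entries, first match wins, implicit deny if nothing matches."""

    def __init__(self, aces: List[Ace]) -> None:
        self.aces = aces

    def evaluate(self, pkt: Packet) -> str:
        for ace in self.aces:
            if ace.matches(pkt):
                return ace.action
        return "deny"


# The ACL from the post: only AF41-marked traffic to the HQ PC is permitted.
RESTRICT_IN = Acl([
    Ace("permit", "any", "10.2.2.2/32", dscp=AF41),  # 10 permit ip any host 10.2.2.2 dscp af41
    Ace("deny", "any", "any"),                       # 20 deny ip any any
])


def svi_decision(pkt: Packet, svi_vlan: int, acl: Acl, direction: str) -> str:
    """Apply a stateless SVI ACL. 'out' filters packets leaving the SVI toward
    hosts in svi_vlan (routed into that VLAN); 'in' filters packets arriving
    from hosts in svi_vlan. A packet that does not cross the ACL in its applied
    direction is not checked at all, and no connection state is remembered."""
    heading_into_vlan = pkt.ingress_vlan != svi_vlan
    if direction == "out" and heading_into_vlan:
        return acl.evaluate(pkt)
    if direction == "in" and not heading_into_vlan:
        return acl.evaluate(pkt)
    return "permit"  # ACL not consulted for this packet


def scenarios() -> dict:
    """Decisions for 'ip access-group restrict-in out' on interface Vlan90."""
    remote_marked = Packet("10.1.1.1", "10.2.2.2", dscp=AF41, ingress_vlan=0)
    vlan10_unmarked = Packet("10.10.10.5", "10.2.2.2", dscp=0, ingress_vlan=10)
    pc_initiates = Packet("10.2.2.2", "10.10.10.5", dscp=0, ingress_vlan=90,
                          tcp_flags=frozenset({"SYN"}))
    vlan10_reply = Packet("10.10.10.5", "10.2.2.2", dscp=0, ingress_vlan=10,
                          tcp_flags=frozenset({"SYN", "ACK"}))
    return {
        "remote_af41_to_pc": svi_decision(remote_marked, 90, RESTRICT_IN, "out"),
        "vlan10_unmarked_to_pc": svi_decision(vlan10_unmarked, 90, RESTRICT_IN, "out"),
        # Initiated from VLAN90: enters the SVI inbound, the 'out' ACL never sees it
        "pc_initiates_to_vlan10": svi_decision(pc_initiates, 90, RESTRICT_IN, "out"),
        # The reply is routed into VLAN90 and is checked; no AF41, no 'established'
        # entry, so it is denied: the ACL does not track the PC's outgoing SYN
        "vlan10_reply_to_pc": svi_decision(vlan10_reply, 90, RESTRICT_IN, "out"),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:24s} {decision}")
```

The model shows the defensive point: an outbound ACL on the Vlan90 SVI only constrains what reaches VLAN90, so the PC's own outgoing connections have to be filtered by an ACL that sees them, i.e. one applied in the direction those packets actually cross the SVI. Because the ACL keeps no state, the reply to a PC-initiated connection is evaluated on its own merits against the same entries.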