ACL or policy

Giuseppe_Montan
Contributor

entry TestACL {
    if match all {
        source-address 192.168.1.0/24;
        destination-address 192.168.170.0/24;
    } then {
        deny;
    }
}


The customer configured this ACL on XOS; he asks me whether it is possible to replicate it in XMC.

Thanks

Giuseppe

1 ACCEPTED SOLUTION

Tomasz
Valued Contributor II

Hi Giuseppe,

A policy using the Policy feature in XMC could be done, but it might be a bit of clicking depending on how many local VLANs you have. You could try to use an automated service for this (deny a resource which is a set of L3 locations and provide each subnet in the Resources). But such a policy would have to be applied only to the router, as switches would cut off intra-VLAN communication even port-to-port. I don't like to point to myself, but I think we can do a nice and concise ACL for the router and keep the Policy just for the access switches:

Hope that helps,

Tomasz

Giuseppe_Montan
Contributor

Thanks for your reply.

It is the routing device; I am looking for a policy to permit or deny inter-VLAN routing.

I will check the script.

Thanks

Giuseppe

Tomasz
Valued Contributor II

Hi Giuseppe,

Is that the routing device or an access switch? If the latter, I'd consider using policy instead, or moving the inter-VLAN routing restrictions to the router if you don't worry about unnecessary traffic reaching the router. If it's your router, you could for example create a script in XMC that will execute the following tasks on the switch:

  1. tftp get to download a .pol file stored somewhere on the XMC server
  2. configure access-list ((name)) on the relevant hardware piece, such as port/VLAN/any

Hope that helps,

Tomasz
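As an added example for this thread (not code from the original posts, and not an Extreme tool), the Python below generates an ExtremeXOS .pol file in the shape of the ACL in the question and the EXOS CLI lines for the two-step XMC script in the reply above. Two practitioner points it builds in: EXOS ACLs are stateless and unmatched traffic is permitted, so the one-way deny the customer posted still lets 192.168.170.0/24 open sessions towards 192.168.1.0/24 unless a mirrored entry is added (the `bidirectional` flag); and a pair of overlapping subnets is intra-VLAN traffic, which an inter-VLAN ACL should not touch, so it is rejected. The name rule, the TFTP server address, the VLAN name and the VR name are assumptions chosen for the example; the CLI commands (tftp get, check policy, configure access-list, refresh policy, show access-list) are standard EXOS commands but should be checked against the reference for the release in use.

```python
"""Generate an ExtremeXOS .pol ACL file and the CLI needed to load it.

Added example for this thread (not code from the original post). It only
produces text: the policy file contents (to be served from the XMC server's
TFTP directory) and the EXOS commands (to be run from an XMC CLI script).
"""
import ipaddress
import re

# Entry and policy names: alphanumeric, starting with a letter.
# (Assumption: a conservative rule that EXOS always accepts.)
_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")


def _entry(name, src, dst):
    """Render one deny entry in the same shape as the ACL in the question."""
    if not _NAME.match(name):
        raise ValueError(f"bad entry name: {name!r}")
    return (
        f"entry {name} {{\n"
        f"    if match all {{\n"
        f"        source-address {src};\n"
        f"        destination-address {dst};\n"
        f"    }} then {{\n"
        f"        deny;\n"
        f"    }}\n"
        f"}}\n"
    )


def build_policy(blocked_pairs, bidirectional=True):
    """Policy text for a list of (src_cidr, dst_cidr) pairs.

    EXOS ACLs are stateless and unmatched traffic is permitted (implicit
    permit), so to stop two VLANs talking you need a deny entry in each
    direction; bidirectional=False reproduces the one-way ACL in the question.
    """
    entries = []
    for i, (src, dst) in enumerate(blocked_pairs, start=1):
        s = ipaddress.ip_network(src, strict=True)   # strict: host bits must be 0
        d = ipaddress.ip_network(dst, strict=True)
        if s.version != d.version:
            raise ValueError(f"mixed address families: {src} / {dst}")
        if s.overlaps(d):
            # Same or nested subnet: that is intra-VLAN traffic, not routing.
            raise ValueError(f"overlapping subnets: {src} / {dst}")
        entries.append(_entry(f"deny{i}a", s, d))
        if bidirectional:
            entries.append(_entry(f"deny{i}b", d, s))
    return "".join(entries)


def install_commands(policy_name, tftp_server, target="any",
                     vr="VR-Default", reload_only=False):
    """EXOS CLI lines for the two steps in the reply above.

    target is the object the ACL binds to: 'any', 'vlan <name>' or
    'ports <portlist>'. vr is the virtual router the TFTP server is reachable
    in (VR-Mgmt if it sits behind the management port). reload_only=True is
    for re-uploading a changed file that is already bound.
    """
    if not _NAME.match(policy_name):
        raise ValueError(f"bad policy name: {policy_name!r}")
    cmds = [
        # step 1: fetch <policy_name>.pol into the switch's config directory
        f"tftp get {tftp_server} vr {vr} {policy_name}.pol",
        # syntax-check before binding, so a bad file is rejected here
        f"check policy {policy_name}",
    ]
    if reload_only:
        cmds.append(f"refresh policy {policy_name}")
    else:
        # step 2: bind the ACL on ingress of the chosen object
        cmds.append(f"configure access-list {policy_name} {target} ingress")
    cmds.append("show access-list")
    return cmds


if __name__ == "__main__":
    # Constructed input: the two subnets from the question, both directions.
    print(build_policy([("192.168.1.0/24", "192.168.170.0/24")]))
    # 10.0.0.5 and the VLAN name "Users" are made up for the example.
    print("\n".join(install_commands("TestACL", "10.0.0.5", target="vlan Users")))
```

Write the generated text to `TestACL.pol` in the TFTP root on the XMC server and put the command lines into the XMC script. Since TFTP is unauthenticated and unencrypted, keep that server reachable only from the switches' management subnet, or use EXOS's SCP/SFTP download instead of `tftp get` if the release supports it; the rest of the sequence is unchanged.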
