A port-access role for AOS-CX switches has this policy applied to it:
plaintext
Copy code
port-access policy mypolicy
10 class ip zoneC action drop
20 class ip zoneA action drop
100 class ip zoneB
The classes have this configuration:
plaintext
Copy code
class ip zoneC
10 match tcp 10.2.0.0/16 eq https
class ip zoneA
10 match ip any 10.1.0.0/16
class ip zoneB
10 match ip any 10.0.0.0/8
The company wants to permit clients in this role to access 10.2.12.0/24 with HTTPS. What should you do?
Comprehensive Detailed Explanation
The requirement is to permit HTTPS traffic from clients to the 10.2.12.0/24 subnet.
ZoneC is configured to drop all HTTPS traffic to the 10.2.0.0/16 subnet. Therefore, the first match in the zoneC class (priority 10) will drop the desired traffic.
To override this behavior, you must add a higher-priority rule (lower rule number) to zoneC that explicitly matches 10.2.12.0/24 and permits the traffic.
Thus, adding the rule 5 match any 10.2.12.0/24 eq https to zoneC ensures the desired traffic is permitted while maintaining the drop behavior for the rest of 10.2.0.0/16.
Reference
AOS-CX Role-Based Access Control documentation.
Understanding class priority and policy rule ordering in AOS-CX.
Currently there are no comments in this discussion, be the first to comment!