1. Trying to block a DNS IP (which is outside the AdP domain) from a device in IoT. IoT has tag 268. For DNS I created an adaptive policy object with the DNS IP, then tied the policy object to an SGT (10) in a group, then created a policy to block traffic between 268 and 10, but I can still ping it.
My understanding was that when the traffic hits the switch, the switch will look at the destination IP, then figure out the destination SGT from the IP-SGT mapping, evaluate the policy and drop the traffic, but it's still pinging. Am I not understanding this correctly?
2. For east-west traffic it's working fine, but I can still ping infrastructure SGT traffic. For instance, if I block IoT from Staff, then IoT will not ping Staff, but IoT can still ping the Staff SVI IP, which is tagged with the Infrastructure SGT, and IoT to Infrastructure SGT is blocked.
Appreciate any help and meaningful insight.