Controller Based WLANs

APs, Controllers, VIA

Net destination local override using Zero Touch Provisioning 

Mar 07, 2016 05:32 PM

Requirement:

Customer needs a scalable solution that creates a local net destination override. The goal is to write general policies that allow or deny traffic to a local printer, camera, POS device, etc., without hand-editing each device's real address into every store's configuration.

Solution:

For example, a typical store has various network elements that need to be protected. Let us assume a particular store has the network address 10.X.Y.0/24. The default gateway will always be 10.X.Y.1, the protected devices will sit at fixed offsets such as 10.X.Y.7, and so on; only X and Y differ from store to store.

What is needed is a way to write ACLs that do not embed real network addresses, or alternatively a way to override those addresses at the controller level.

Topology

Configuration:

Controller global configurations:

CLI

netdestination store1
  host 10.0.0.1
  host 10.0.0.7
!
ip access-list session store1
  any alias store1 any permit
!
user-role store1
  session-acl store1
!


The above configuration has to be repeated, with that store's real addresses, for every distributed retail store (7K+ stores), so the current approach will not scale. Hence the need for a scalable solution that creates a local net destination override.

Potential solution examples:

If we configure VLAN 10 on all the stores, even though the IP range differs per store, the new approach lets us write ACLs that do not embed real network addresses and have the controller override them locally instead:

netdestination store
  host vlan 10 offset 5
  host vlan 10 offset 8

The subnet for a particular VLAN on each controller can be assigned by the bulk edit tool. With the above, the controller takes whatever subnet is assigned to VLAN 10 for that store (e.g. 10.1.1.0/24) and calculates offsets 5 (10.1.1.5) and 8 (10.1.1.8) from its network address.

CLI configuration 

netdestination store
  host vlan 200 offset 1
!
ip access-list session store-override
  any alias store any permit
  alias store any any deny
!
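As an added example that is not part of the original post and not Aruba's own code, the following Python script models what the controller does with the two configurations above: it resolves each "host vlan V offset N" entry against the subnet assigned to that VLAN on a given store's controller, expands the store-override ACL into per-host ACEs, and compares the result with the "show acl ace-table" output from the Verification section. It assumes VLAN 200 on controller C1 is 110.0.0.0/24 (inferred from the 110.0.0.1 entry in that output); the other stores, the store-devices alias and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed per-store VLAN -> subnet mapping, as the bulk edit tool would
# push it to each controller. VLAN 200 -> 110.0.0.0/24 on controller "C1" is
# an assumption inferred from the ace-table output in the Verification
# section; the other two stores are made up for illustration.
STORE_VLAN_SUBNETS = {
    "C1": {200: "110.0.0.0/24"},
    "store1": {10: "10.1.1.0/24", 200: "10.1.2.0/24"},
    "store2": {10: "10.7.3.0/24", 200: "10.7.4.0/24"},
}

# Netdestinations written as (vlan, offset) pairs, i.e. "host vlan 200 offset 1".
# "store" is the alias from the page; "store-devices" is a constructed one
# matching the "vlan 10 offset 5 / offset 8" example.
NETDESTINATIONS = {
    "store": [(200, 1)],
    "store-devices": [(10, 5), (10, 8)],
}

# Session ACL store-override from the page; endpoints are "any" or "alias:<name>".
STORE_OVERRIDE_ACL = [
    ("any", "alias:store", "permit"),
    ("alias:store", "any", "deny"),
]

# Copy of the "show acl ace-table acl 60" output shown on this page for C1.
ACE_TABLE_C1 = """\
  411: any 110.0.0.1 255.255.255.255  0  0-0  0-0  f80001:permit
  412: 110.0.0.1 255.255.255.255 any  0  0-0  0-0  f80000:deny
  413: any any  0  0-0  0-0  f180000:deny
"""


def resolve_host(subnet, offset):
    """Return the address at `offset` from the network address of `subnet`.

    Offsets that land on the network or broadcast address, or outside the
    subnet, are rejected: an alias that silently resolved to the wrong host
    would turn the deny rule into a no-op for the real device.
    """
    net = ipaddress.ip_network(subnet)
    if not 0 < offset < net.num_addresses - 1:
        raise ValueError(f"offset {offset} is not a usable host address in {net}")
    return net.network_address + offset


def resolve_netdestination(name, vlan_subnets):
    """Expand a netdestination's 'host vlan V offset N' entries to /32 hosts."""
    hosts = []
    for vlan, offset in NETDESTINATIONS[name]:
        if vlan not in vlan_subnets:
            raise KeyError(f"VLAN {vlan} has no subnet assigned on this controller")
        hosts.append(f"{resolve_host(vlan_subnets[vlan], offset)}/32")
    return hosts


def expand_session_acl(rules, vlan_subnets):
    """Expand alias endpoints into (src, dst, action) ACEs plus the implicit deny."""
    def endpoints(ep):
        if ep == "any":
            return ["any"]
        return resolve_netdestination(ep.split(":", 1)[1], vlan_subnets)

    aces = [(s, d, action)
            for src, dst, action in rules
            for s in endpoints(src)
            for d in endpoints(dst)]
    aces.append(("any", "any", "deny"))   # trailing deny-all the controller appends
    return aces


def parse_ace_table(text):
    """Parse 'show acl ace-table' lines into (src, dst, action) tuples."""
    aces = []
    for line in text.splitlines():
        m = re.match(r"^\s*\d+:\s+(.*)$", line)
        if not m:
            continue
        tokens = m.group(1).split()

        def endpoint():
            # "any" is one token; a host is "<ip> <mask>" (two tokens)
            if tokens[0] == "any":
                return tokens.pop(0)
            ip, mask = tokens.pop(0), tokens.pop(0)
            prefix = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False).prefixlen
            return f"{ip}/{prefix}"

        src, dst = endpoint(), endpoint()
        aces.append((src, dst, tokens[-1].split(":")[1]))   # "f80001:permit" -> "permit"
    return aces


def verify_controller(name, ace_table_text):
    """True when the programmed ACEs match what the alias should resolve to on this store."""
    expected = expand_session_acl(STORE_OVERRIDE_ACL, STORE_VLAN_SUBNETS[name])
    return parse_ace_table(ace_table_text) == expected


if __name__ == "__main__":
    for store in STORE_VLAN_SUBNETS:
        print(store, resolve_netdestination("store", STORE_VLAN_SUBNETS[store]))
    print("C1 matches:", verify_controller("C1", ACE_TABLE_C1))
```

Running it prints the host that the store alias resolves to on each controller and whether C1's programmed ACEs match. The offset check is the part worth keeping in a real rollout: if a VLAN is later renumbered to a smaller subnet, an offset such as 8 can fall outside the network, and without the check the deny rule would quietly stop covering the device it was written for.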
 

UI:

Verification

(C1) #show acl ace-table acl 60
  411: any 110.0.0.1 255.255.255.255  0  0-0  0-0  f80001:permit
  412: 110.0.0.1 255.255.255.255 any  0  0-0  0-0  f80000:deny
  413: any any  0  0-0  0-0  f180000:deny

The alias store has been resolved to 110.0.0.1, i.e. offset 1 in the subnet this controller has assigned to VLAN 200; entries 411 and 412 are the two rules of store-override and entry 413 is the implicit deny-all at the end of the ACL. Run the same command on a controller whose VLAN 200 subnet differs to confirm the alias resolves to that store's own host.


(C1) #show acl acl-table 60

AclTable
--------
ACL  Type     ACE Index  Rule Count  Ace Count  Name            Applied
---  ----     ---------  ----------  ---------  ----            -------
60   session  411        2           3          store-override  0

Total ACE entries in use = 344
Total free ACE entries = 7336
Free ACE entries at the bottom = 7266
Next ACE entry to use = 414 (table 1)
Ace entries reused 0 times
ACL count 61, tunnel acl 0

Rule Count 2 and Ace Count 3 match the two configured rules plus the implicit deny. Applied 0 shows that store-override is not yet bound to any user role on this controller: the ACEs are programmed but will not act on traffic until the ACL is referenced from a role (session-acl store-override), as was done for store1 in the global configuration above.
