Requirement: The customer needs a scalable solution that creates a local net destination override. There is a need to set up general policies allowing or denying traffic to a local printer, camera, POS device, etc.
Example: A typical store has various network elements that need to be protected. Assume a particular store has the network address 10.X.Y.0/24.
The default gateway will always be 10.X.Y.1, the POS may be 10.X.Y.7, and so on.
Solution: What is needed is a way to write ACLs that do not embed real network addresses, or alternatively a way to override those addresses at the controller level.
Topology:
Configuration: Current scenario, controller global configuration:
netdestination store1
host 10.0.0.1
host 10.0.0.7
!
ip access-list session store1
any alias store1 any permit
!
user-role store1
session-acl store1
The above configuration has to be repeated for every distributed retail store (7K+ stores) and will not scale with the current approach. Hence the need for a scalable solution that creates a local net destination override.
Potential solution examples:
If VLAN 10 is configured on all the stores, even though each store's IP range is different, the new approach lets us write ACLs that do not embed real network addresses and instead override them at the controller level.
netdestination store
host vlan 10 offset 5
host vlan 10 offset 8
!
The subnet for a particular VLAN can be assigned with the bulk edit tool. With the above, the controller takes whatever subnet is assigned to VLAN 10 for that store (e.g. 10.1.1.0/24) and computes offsets 5 (10.1.1.5) and 8 (10.1.1.8) from it.
CLI configuration:
netdestination store
host vlan 200 offset 1
!
ip access-list session store-override
any alias store any permit
alias store any any deny
!
#show acl ace-table acl 60
411: any 110.0.0.1 255.255.255.255 0 0-0 0-0 f80001:permit
412: 110.0.0.1 255.255.255.255 any 0 0-0 0-0 f80000:deny
413: any any 0 0-0 0-0 f180000:deny
(C1) #show acl acl-table 60
AclTable
--------
ACL  Type     ACE Index  Rule Count  Ace Count  Name            Applied
---  ----     ---------  ----------  ---------  ----            -------
60   session  411        2           3          store-override  0
Total ACE entries in use = 344
Total free ACE entries = 7336
Free ACE entries at the bottom = 7266
Next ACE entry to use = 414 (table 1)
Ace entries reused 0 times
ACL count 61, tunnel acl 0
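As an added worked example (not controller code), the following Python resolves `host vlan <id> offset <n>` entries against constructed per-store VLAN subnets and expands the store-override session ACL into concrete rules, reproducing the 110.0.0.1 entries in the ace-table above. STORE_VLANS, resolve_offset, resolve_netdestination and expand_session_acl are this example's own names, and the subnet values are constructed.

```python
"""Resolve Aruba-style 'host vlan <id> offset <n>' netdestination entries.

Added example (not controller code): given each store's VLAN-to-subnet
mapping, compute the concrete hosts a netdestination expands to, and
expand a session ACL into concrete source/destination rules (the shape
of 'show acl ace-table'). Store subnets below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed per-store VLAN -> subnet assignments (what the bulk edit
# tool would push). The 110.0.0.0/24 entry reproduces the page's
# ace-table output: vlan 200 offset 1 -> 110.0.0.1.
STORE_VLANS: Dict[str, Dict[int, str]] = {
    "store1": {10: "10.1.1.0/24", 200: "110.0.0.0/24"},
    "store2": {10: "10.1.2.0/24", 200: "110.0.1.0/24"},
}

def resolve_offset(subnet: str, offset: int) -> str:
    """Host at <offset> inside <subnet>. Offsets landing on the network
    or broadcast address, or outside the subnet, are rejected; this
    validation is the example's own, not documented controller behaviour."""
    net = ipaddress.ip_network(subnet, strict=True)
    if not 0 < offset < net.num_addresses - 1:
        raise ValueError(f"offset {offset} does not fit in {subnet}")
    return str(net.network_address + offset)

def resolve_netdestination(store: str, entries: List[Tuple[int, int]]) -> List[str]:
    """Expand 'host vlan <id> offset <n>' entries for one store."""
    vlans = STORE_VLANS[store]
    return [resolve_offset(vlans[vlan], off) for vlan, off in entries]

def expand_session_acl(store: str, netdest: List[Tuple[int, int]],
                       rules: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """rules are (src, dst, action); 'alias' stands for the netdestination
    and is replaced by each concrete host, like the controller's ace-table."""
    hosts = resolve_netdestination(store, netdest)
    expanded = []
    for src, dst, action in rules:
        for s in (hosts if src == "alias" else [src]):
            for d in (hosts if dst == "alias" else [dst]):
                expanded.append((s, d, action))
    return expanded

# The page's store-override session ACL: permit to the alias, deny from it
STORE_OVERRIDE = [("any", "alias", "permit"), ("alias", "any", "deny")]
```

Running the same netdestination and ACL against store2 yields 110.0.1.1 instead, which is the point of the override: one policy, per-store addresses.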
Verification: UI configuration and verification: