Controller Based WLANs

Net destination local override via Zero Touch Provisioning
Requirement:

Customer needs a scalable solution that creates a local net destination override. There is a need to set up general policies allowing or denying traffic to a local printer, camera or POS device etc.

 

Example: A typical store has various network elements that needs to be protected. Let us assume a particular store has network address 10.X.Y.0/24.

Default gateway will be always be 10.X.Y.1, POS may be 10.X.Y.7 and so on…

 



Solution:

What is needed is a way to write ACLs that don’t embed real network addresses or alternatively being able to override them at the controller level.

 

Topology:

 



Configuration:

Current Scenario controller global configurations:

netdestination store1

  host 10.0.0.1

  host 10.0.0.7

!

ip access-list session store1

  any alias store1 any permit

!

user-role store1

  session-acl store1

 

The above configurations has to be repeated for every distributed retail stores (7K+) stores and will not scale with the current approach. Hence the need for a scalable solution that creates a local net destination override.

 

Potential solution examples:

 

If we configure vlan 10 on all the stores though the network ip range are different, with the new approach we can write ACLs that don’t embed real network addresses and alternatively we will be able to override them at the controller level.

 

netdestination store

!

 host vlan 10 offset 5

 host vlan 10 offset 8

!

 

The subnets to a particular VLAN can be assigned by the bulk edit tool. With the above, we could pick whatever the subnet (e.g. 10.1.1.0/24) assigned to vlan 10 for that store and calculate offsets 5 (10.1.1.5) and 8 (10.1.1.8) from it.

 

 

CLI configuration:

 

netdestination store

 

  host vlan 200 offset 1

!

ip access-list session store-override

  any   alias store any  permit

  alias store any any  deny

!

 

#show acl ace-table acl 60

  411: any 110.0.0.1 255.255.255.255  0  0-0  0-0  f80001:permit

  412: 110.0.0.1 255.255.255.255 any  0  0-0  0-0  f80000:deny

  413: any any  0  0-0  0-0  f180000:deny

 

 

(C1) #show acl acl-table 60

AclTable

--------

ACL  Type     ACE Index  Rule Count  Ace Count  Name            Applied

---  ----     ---------  ----------  ---------  ----            -------

60   session  411        2           3          store-override  0

Total ACE entries in use = 344

Total free ACE entries = 7336

Free ACE entries at the bottom = 7266

Next ACE entry to use = 414 (table 1)

Ace entries reused 0 times

ACL count 61, tunnel acl 0

 



Verification

UI Configuration and verification:

 

 

 

 

 

 

 

Version history
Revision #:
2 of 2
Last update:
‎05-30-2016 02:38 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.