Domain-name ACL feature in IAP 4.0

Aruba Employee

Environment: Guest users want access to services such as the Apple App Store and Android Market Place.


Problem:
----------------
Captive Portal Guest network providers want to allow access to services such as the Apple App Store and Android Market Place.

Challenge:
------------------
These services require HTTPS and do not have fixed public IP addresses, only domain names.

Solution:
--------------
· Extend the domain-name ACL feature in AOS to support a distributed networking system such as Instant.
· Each AP intercepts and caches the DNS requests and responses from client devices.
· During the ACL rule matching process, the cached DNS-to-IP mapping is used to determine whether a particular session should be permitted or denied.
· A maximum of 127 domains and 2048 IP address mappings across those 127 domains is supported.
· When the client roams, the mapping for that particular client is moved from its previously associated AP to its newly associated AP.
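To make the rule-matching and roaming behaviour above concrete, here is an added Python model of one AP's domain ACL (example code written for this page, not Aruba's implementation). The rule tuple layout, the client keys, the per-client cache and the implicit deny at the end of the ACL are assumptions; the 127-domain and 2048-mapping limits come from the article.

```python
import ipaddress

MAX_DOMAINS, MAX_MAPPINGS = 127, 2048   # capacity limits stated in the article


class DomainAcl:
    """One AP's domain ACL. Rules name domains; DNS snooping fills a per-client cache."""

    def __init__(self, rules):
        # rules: list of (dst: domain or "any", proto or "any", (lo, hi) port range, action)
        self.rules = rules
        self.cache = {}              # client -> {domain: set of resolved IPs} (assumed layout)

    def _domains(self):
        return {d for m in self.cache.values() for d in m}

    def _mappings(self):
        return sum(len(ips) for m in self.cache.values() for ips in m.values())

    def snoop_dns(self, client, qname, answers):
        """Cache A-record answers for a client, but only for domains some rule uses."""
        qname = qname.lower().rstrip(".")
        if not any(r[0] == qname for r in self.rules):
            return 0                                   # not a rule domain: nothing to cache
        if qname not in self._domains() and len(self._domains()) >= MAX_DOMAINS:
            return 0                                   # 127-domain table is full
        ips = self.cache.setdefault(client, {}).setdefault(qname, set())
        added = 0
        for a in answers:
            if self._mappings() >= MAX_MAPPINGS:
                break                                  # 2048-mapping limit reached
            try:
                ip = str(ipaddress.ip_address(a))
            except ValueError:
                continue                               # skip malformed answers
            if ip not in ips:
                ips.add(ip)
                added += 1
        return added

    def evaluate(self, client, dst_ip, proto, dport):
        """First-match ACL walk; a domain rule matches only via this client's cached mapping."""
        for dst, rproto, (lo, hi), action in self.rules:
            if rproto not in ("any", proto) or not lo <= dport <= hi:
                continue
            if dst == "any" or dst_ip in self.cache.get(client, {}).get(dst, ()):
                return action
        return "deny"                                  # assumed implicit deny at end of ACL

    def handoff(self, client, new_ap):
        """Roaming: move this client's cached mapping to the newly associated AP."""
        new_ap.cache[client] = self.cache.pop(client, {})
        return client in new_ap.cache
```

A session to an IP the client never resolved through the AP is denied even if it belongs to a permitted domain, which is the behaviour to expect when a device uses a cached or hard-coded address.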


WEBUI Configuration:
-------------------------------

[WebUI screenshot (rtaImage.jpg) not included in this copy]

[WebUI screenshot (rtaImage 1.png) not included in this copy]


CLI Configuration:
----------------------------


•      [no] rule alias "domain" match proto <proto> <port> permit/deny/dst-nat/src-nat


d8:c7:c8:c0:85:0c# show acl domains
role-domain
-----------
role-domain  inused
-----------  ------
taobao.com   used(1)



d8:c7:c8:c0:85:0c# show datapath acl 138
Datapath ACL 138 Entries
-----------------------
Flags: P - permit, L - log, E - established, M/e - MAC/etype filter
       S - SNAT, D - DNAT, R - redirect, r - reverse redirect, m - Mirror
       I - Invert SA, i - Invert DA, H - high prio, O - set prio, C - Classify Media
       A - Disable Scanning, B - black list, T - set TOS, 4 - IPv4, 6 - IPv6
       d - Domain DA
----------------------------------------------------------------
 1:  any  any         17   0-65535  8209-8211  P4
 2:  any  taobao.com  any                      Pd
 3:  any  any         any                      P4


d8:c7:c8:c0:85:0c# show datapath dns-id-map
Hash index entries:
id:1 entry:0

Entry:0 id:1 amazon.com
220.181.78.241  220.181.113.251  220.181.141.241  220.181.141.251  106.120.181.41  106.120.181.51
6 entries
---------

Version history: Revision 1 of 1. Last update: 07-04-2014 11:18 AM