Hello all,
I am reading how to create a firewall policy and I see something like "user any udp 68 deny", but how can I know if this is the source or destination port number, and how can I configure source and destination ports specifically? If I add two port numbers, will the first one be the source PN and the second the destination PN?
In addition, does each policy have an implicit deny?
In the campus configuration document release 8, when they define the employee role they have four policies in this role:
1- common
2-sip
3-ocs
4- allow all (predefined)
If common has an implicit deny at the end, this means nothing will reach the remaining policies.
If common does not have an explicit deny at the end and it exists at the end of allow-all, then why did Aruba define a permit to certain DNS servers if they are not going to deny traffic to other DNS servers?
The following is from the Aruba document:
MC1-Sunnyvale-3600
!
ip access-list session common
user any udp 68 deny
any any svc-dhcp permit
any any svc-icmp permit <-- allow icmp 0
user alias dns-servers svc-dns permit
!
I believe we also need (at the end of the above red lines):
any any icmp deny
user any svc-dns deny
Can someone clarify if I am right, or how Aruba denied other DNS traffic?
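The post weighs two readings of the employee role: an implicit deny closing every policy, or a single implicit deny at the end of the role so that traffic unmatched by "common" falls through to "allow all". The following is an added, constructed first-match model of that role, written for this thread; it is not Aruba's implementation and does not settle which reading ArubaOS applies. It assumes that "user" means the client's own IP, that "any" matches everything, that "udp 68" and the svc-* names match the destination port, and that rules are checked top-down with the first match winning. The alias addresses, the svc-* expansions and the packets are constructed; the sip and ocs policies are left out because the post does not show their contents. A `deny_after_each_policy` flag switches between the two readings so their outcomes can be compared on the same packets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed first-match model of an ArubaOS-style session ACL (added illustration,
# not Aruba's code). Assumptions: "user" = the client's own IP, "any" = everything,
# a port or svc-* name matches the DESTINATION port, first matching rule wins.

SERVICES = {                      # assumed expansions of the svc-* names in the post
    "svc-dhcp": ("udp", {67, 68}),
    "svc-icmp": ("icmp", None),
    "svc-dns":  ("udp", {53}),
}

# constructed alias: addresses the "dns-servers" netdestination is assumed to contain
ALIASES = {"dns-servers": [ip_network("10.1.1.10/32"), ip_network("10.1.1.11/32")]}


@dataclass
class Rule:
    src: tuple               # ("any",) | ("user",) | ("alias", name)
    dst: tuple
    proto: str               # "udp" | "tcp" | "icmp" | "any"
    ports: Optional[set]     # None = any destination port
    action: str              # "permit" | "deny"


@dataclass
class Packet:
    client_ip: str           # IP the user role is bound to
    src_ip: str
    dst_ip: str
    proto: str
    dport: Optional[int] = None


def _host(tokens, i):
    """Consume one host spec at tokens[i]; return (spec, next index)."""
    if tokens[i] == "alias":
        return ("alias", tokens[i + 1]), i + 2
    return (tokens[i],), i + 1


def parse_rule(line: str) -> Rule:
    """Parse 'src dst service action', e.g. 'user any udp 68 deny'."""
    tokens = line.split()
    src, i = _host(tokens, 0)
    dst, i = _host(tokens, i)
    service, action = tokens[i:-1], tokens[-1]
    if len(service) == 2:                  # '<proto> <port>' form
        proto, ports = service[0], {int(service[1])}
    elif service[0] in SERVICES:           # 'svc-name' form
        proto, ports = SERVICES[service[0]]
    else:                                  # 'any'
        proto, ports = service[0], None
    return Rule(src, dst, proto, ports, action)


def _host_matches(spec, ip: str, pkt: Packet) -> bool:
    if spec[0] == "any":
        return True
    if spec[0] == "user":
        return ip == pkt.client_ip
    return any(ip_address(ip) in net for net in ALIASES[spec[1]])


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_host_matches(rule.src, pkt.src_ip, pkt)
            and _host_matches(rule.dst, pkt.dst_ip, pkt)
            and rule.proto in ("any", pkt.proto)
            and (rule.ports is None or pkt.dport in rule.ports))


def evaluate_role(policies, pkt: Packet, deny_after_each_policy: bool = False):
    """Walk the role's policies in order; return (action, where it was decided).

    False: one implicit deny at the end of the role, so traffic unmatched by a
    policy continues to the next one. True: an implicit deny closes each policy.
    """
    for name, rules in policies:
        for rule in rules:
            if rule_matches(rule, pkt):
                return rule.action, name
        if deny_after_each_policy:
            return "deny", f"{name} (implicit deny)"
    return "deny", "end of role (implicit deny)"


# the "common" policy as quoted in the post (annotation stripped)
COMMON = [parse_rule(line) for line in (
    "user any udp 68 deny",
    "any any svc-dhcp permit",
    "any any svc-icmp permit",
    "user alias dns-servers svc-dns permit",
)]
ALLOW_ALL = [parse_rule("any any any permit")]      # stands in for the predefined allow-all
EMPLOYEE_ROLE = [("common", COMMON), ("allow-all", ALLOW_ALL)]  # sip/ocs not shown in the post

CLIENT = "10.20.30.40"                               # constructed client address
DNS_TO_CORP = Packet(CLIENT, CLIENT, "10.1.1.10", "udp", 53)       # DNS to an aliased server
DNS_TO_OTHER = Packet(CLIENT, CLIENT, "8.8.8.8", "udp", 53)        # DNS to a non-aliased server
DHCP_REQUEST = Packet(CLIENT, CLIENT, "255.255.255.255", "udp", 67)
TO_DHCP_CLIENT_PORT = Packet(CLIENT, CLIENT, "10.20.30.41", "udp", 68)

if __name__ == "__main__":
    for pkt in (DNS_TO_CORP, DNS_TO_OTHER, DHCP_REQUEST, TO_DHCP_CLIENT_PORT):
        for per_policy in (False, True):
            verdict = evaluate_role(EMPLOYEE_ROLE, pkt, per_policy)
            print(f"{pkt.dst_ip}:{pkt.dport} deny_after_each_policy={per_policy} -> {verdict}")
```

Running it shows the difference the post is asking about: the DNS query to 8.8.8.8 is permitted by allow-all under the end-of-role reading and denied by common under the per-policy reading, while the aliased DNS server, the DHCP request and the client-sourced traffic to UDP 68 get the same verdict under both readings because a rule in common matches them explicitly.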