Wired Intelligent Edge (Campus Switching and Routing)

Aruba Employee

ArubaOS-Switch: Netdestination in Downloadable User Roles

Netdestination in Downloadable User Roles

One of the new enhancements in the ArubaOS-Switch 16.06 release is the ability to configure Netdestination and Netservice in a downloadable user role.  Netdestination allows the use of aliases in creating class filters.  This simplifies the creation of those class filters, by decreasing the number of lines of syntax within the class filter.  In a typical user role configuration, a user wanting to create a traffic class with filters to match or ignore a set of non-contiguous hosts or subnets, as well as utilizing a list of TCP/UDP ports, would have to configure many individual lines of syntax, for each user role.  This would appear as below:

class ipv4 "abc"
  10 match tcp 10.120.0.1 0.0.0.0 16.90.51.12 0.0.0.0 eq 100
  20 match tcp 10.120.0.1 0.0.0.0 10.93.24.1 0.0.0.0 eq 100
  30 match tcp 10.91.1.1 0.0.0.0 16.90.51.12 0.0.0.0 eq 100
  40 match tcp 10.91.1.1 0.0.0.0 10.93.24.1 0.0.0.0 eq 100
  50 match tcp 10.0.100.12 0.0.0.0 16.90.51.12 0.0.0.0 eq 100
  60 match tcp 10.0.100.12 0.0.0.0 10.93.24.1 0.0.0.0 eq 100


This can be a tedious task and consume many engineering hours in editing and troubleshooting.  Netdestination and Netservice can reduce the effort in creating these class filters, whether using a local user role existing on the local access switch or a role downloaded from ClearPass to the switch. 


A Netdestination is a list of hosts, networks, or subnets that is used to configure ACL rules and class filters. The command syntax is shown below:

Switch(config)# [no] netdestination <NAME-STR> {host <IP-ADDR> [position <NUM>] | network <IP-ADDR/MASK-LENGTH> [position <NUM>]}

Table 1: Netdestination parameters

  Parameter   Description
  ---------   -----------
  host        Configures a single IPv4 host.
  network     An IPv4 subnetwork consisting of an IP address and netmask.
  position    Specifies the position of a host/network/range in the netdestination. This optional parameter is specific to a Netdestination and is used only to sort the entries in the list.

A Netservice is a named list of TCP and UDP port numbers (or an IP protocol number) that is used in configuring ACL rules and class filters. The command syntax is shown below:

Switch(config)# [no] netservice <NAME-STR> {tcp|udp|<PROTOCOL>} [<PORT-NUM> | <PORT-NUM> <PORT-NUM> | list <PORT-STR>]

Table 2: Netservice parameters

  Parameter           Description                                                      Range
  ---------           -----------                                                      -----
  protocol            IP protocol number.                                              0-255
  tcp                 Configure an alias for a TCP protocol.
  udp                 Configure an alias for a UDP protocol.
  <port-num>          Specify a single TCP/UDP port, or two port numbers for a range.  0-65535
  list <P1,P2,...P6>  Specify a comma-separated list of up to six port numbers.        0-65535


Netdestination and Netservice names can then be used as aliases when defining class filters, so that a whole list is referenced in a single line. In other words, the netdestination and netservice commands define the list of hosts, networks or subnets and the named list of UDP and/or TCP port numbers once, under their own command structure, and each list is then linked to a class by its alias name.


Figure 1 shows an example of Netdestination and Netservice used in a downloaded user role. The policy denies Remote Desktop Protocol (RDP) access from one client to another.

Figure 1: Netdestination configured in a downloadable user role


As shown in Figure 1, netdestination and netservice improve the readability of the class filter: the alias name is chosen by the user, and the same alias can be reused in other filters.


Note: A user policy cannot have an IP address defined as the "source"; the source must be specified as "any", because the client's own address is automatically populated as the source when the user policy is applied to that client.


NOTE: Netdestination is currently only supported in Advanced Mode for Downloadable User Roles. (August 2018)
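The following is an added example, not part of the original post and not ArubaOS-Switch code. It models what an alias stands for: a single class line that references a netdestination for the source, a netdestination for the destination and a netservice for the ports is equivalent to one explicit match line per (source, destination, port) combination, which is exactly the six-line class shown at the top of the post. The script also applies the limits stated in Table 2 (protocol tcp/udp or 0-255, ports 0-65535, at most six ports in a list) and the rule from the note above that a user policy must use "any" as its source. It goes slightly beyond the post by handling network entries, turning a prefix length into the wildcard mask the explicit syntax needs. The NETDESTINATIONS and NETSERVICES dictionaries and all function names are my own constructed data model and are not the switch's internal representation.

```python
import ipaddress
from itertools import product

# Constructed sample data for this example; the dict layout is my own model of the
# netdestination/netservice objects, not the switch's internal representation.
NETDESTINATIONS = {
    "clients": [  # host entries: explicit syntax uses wildcard 0.0.0.0
        {"host": "10.120.0.1", "position": 10},
        {"host": "10.91.1.1", "position": 20},
        {"host": "10.0.100.12", "position": 30},
    ],
    "servers": [
        {"host": "16.90.51.12", "position": 10},
        {"host": "10.93.24.1", "position": 20},
    ],
    "lab": [  # a network entry: the prefix length becomes a wildcard mask
        {"network": "10.0.0.0/8", "position": 10},
    ],
}

NETSERVICES = {
    "app100": {"protocol": "tcp", "ports": [100]},
    "rdp": {"protocol": "tcp", "ports": [3389]},
}

MAX_LIST_PORTS = 6  # Table 2: a "list" accepts up to six ports


def validate_netservice(name, svc):
    """Apply the limits from Table 2: protocol tcp/udp or 0-255, ports 0-65535,
    at most six ports in a list. Returns True or raises ValueError."""
    proto = svc["protocol"]
    if proto not in ("tcp", "udp") and not (isinstance(proto, int) and 0 <= proto <= 255):
        raise ValueError(f"netservice {name}: protocol must be tcp, udp or 0-255")
    ports = svc.get("ports", [])
    if len(ports) > MAX_LIST_PORTS:
        raise ValueError(f"netservice {name}: at most {MAX_LIST_PORTS} ports in a list")
    for p in ports:
        if not 0 <= p <= 65535:
            raise ValueError(f"netservice {name}: port {p} outside 0-65535")
    return True


def expand_netdestination(entries):
    """Return (address, wildcard) pairs sorted by position. A host gets wildcard
    0.0.0.0; a network gets the inverted netmask (10.0.0.0/8 -> 0.255.255.255)."""
    pairs = []
    for entry in sorted(entries, key=lambda e: e["position"]):
        if "host" in entry:
            pairs.append((entry["host"], "0.0.0.0"))
        else:
            net = ipaddress.ip_network(entry["network"], strict=False)
            pairs.append((str(net.network_address), str(net.hostmask)))
    return pairs


def expand_class(class_name, src, dst, service, user_policy=False, step=10):
    """Produce the explicit 'match' lines that one alias-based filter stands for.

    src is "any" or a netdestination name; dst is a netdestination name; service is
    a netservice name. With user_policy=True the rule from the post's note applies:
    the source must be "any" because the switch fills in the client's own address."""
    if user_policy and src != "any":
        raise ValueError("user policy: source must be 'any', not a netdestination")
    svc = NETSERVICES[service]
    validate_netservice(service, svc)
    if svc["protocol"] not in ("tcp", "udp"):
        raise ValueError("port matching (eq) applies only to tcp/udp netservices")
    sources = [("any", None)] if src == "any" else expand_netdestination(NETDESTINATIONS[src])
    dests = expand_netdestination(NETDESTINATIONS[dst])
    lines = [f'class ipv4 "{class_name}"']
    seq = step
    # One explicit line per (source, destination, port) combination, sources outermost,
    # which reproduces the ordering of the six-line class shown in the post.
    for (sa, sw), (da, dw), port in product(sources, dests, svc["ports"]):
        src_txt = "any" if sw is None else f"{sa} {sw}"
        lines.append(f"  {seq} match {svc['protocol']} {src_txt} {da} {dw} eq {port}")
        seq += step
    return lines


if __name__ == "__main__":
    # Three client hosts x two server hosts x one port = six explicit lines.
    print("\n".join(expand_class("abc", "clients", "servers", "app100")))
    # A user-policy style class: source "any", RDP to the server list.
    print("\n".join(expand_class("deny-rdp", "any", "servers", "rdp", user_policy=True)))
```

Running the script prints the six-line "abc" class from the post, generated from two three- and two-entry netdestinations and a one-port netservice; adding a fourth client host or a second port adds lines multiplicatively, which is the editing burden the aliases remove. The user_policy flag shows where a validator would reject a role that names a source netdestination instead of "any".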
