Netdestination in Downloadable User Roles
One of the enhancements in the ArubaOS-Switch 16.06 release is the ability to configure Netdestination and Netservice in a downloadable user role. Both are aliases: a Netdestination names a list of hosts and networks, a Netservice names a list of ports, and either can be referenced from a class filter. This simplifies the creation of class filters by cutting the number of lines of syntax each one needs. In a typical user role configuration, an administrator who wants a traffic class that matches or ignores a set of non-contiguous hosts or subnets, combined with a list of TCP/UDP ports, has to configure many individual lines of syntax, and repeat them for each user role. For three source hosts, two destination hosts and one port, the class looks like this:
class ipv4 "abc"
10 match tcp 10.120.0.1 0.0.0.0 16.90.51.12 0.0.0.0 eq 100
20 match tcp 10.120.0.1 0.0.0.0 10.93.24.1 0.0.0.0 eq 100
30 match tcp 10.91.1.1 0.0.0.0 16.90.51.12 0.0.0.0 eq 100
40 match tcp 10.91.1.1 0.0.0.0 10.93.24.1 0.0.0.0 eq 100
50 match tcp 10.0.100.12 0.0.0.0 16.90.51.12 0.0.0.0 eq 100
60 match tcp 10.0.100.12 0.0.0.0 10.93.24.1 0.0.0.0 eq 100
This is tedious and consumes engineering hours in editing and troubleshooting, since every host added to the list multiplies the number of match lines. Netdestination and Netservice reduce the effort of creating these class filters, whether the role is a local user role on the access switch or a role downloaded from ClearPass to the switch.
A Netdestination is a named list of hosts, networks, or subnets that can be used in ACL rules and class filters. The syntax is shown below:
Switch(config)#[no] netdestination <NAME-STR> {host <IP-ADDR> [position <NUM>] | network <IP-ADDR/MASK-LENGTH> [position <NUM>]}
Table 1: Netdestination parameters
Parameter | Description
host | Configures a single IPv4 host
network | An IPv4 subnetwork, given as an IP address and mask length
position | Specifies the position of a host or network entry in the Netdestination. This optional parameter is specific to a Netdestination and is used only to order the entries in the list.
A Netservice is a named alias for a list of TCP or UDP port numbers (or for an IP protocol number) that can be used in ACL rules and class filters. The syntax is shown below:
Switch(config)#[no] netservice <NAME-STR> {tcp|udp|<PROTOCOL>} [<PORT-NUM> | <PORT-NUM> <PORT-NUM> | list <PORT-STR>]
Table 2: Netservice parameters
Parameter | Description | Range
<PROTOCOL> | IP protocol number | 0-255
tcp | Configure an alias for a TCP protocol |
udp | Configure an alias for a UDP protocol |
<PORT-NUM> | Specify a single TCP/UDP port, or two port numbers for a range | 0-65535
list <P1,P2,...,P6> | Specify a list of port numbers separated by commas, up to six ports | 0-65535
Netdestination and Netservice names can then be used as aliases in a class filter, so that a whole list of hosts and ports is covered by a single line. In other words, the netdestination and netservice commands define the list of hosts, networks or subnets and the list of UDP and/or TCP ports under their own command structure, and the class references those lists by name.
Figure 1 shows an example of Netdestination and Netservice used in a downloaded user role. The policy denies Remote Desktop Protocol (RDP) access from one client to another.
Figure 1: Netdestination configured in a downloadable user role
As shown in Figure 1, netdestination and netservice make the class filter more readable, because the alias name is chosen by the user, and the same alias can be reused in other filters.
Note: A user policy cannot have an IP address defined as the source. The source address must be specified as "any", because the client's MAC address is automatically populated as the source when the user policy is applied to the client.
NOTE: Netdestination is currently only supported in Advanced Mode for Downloadable User Roles. (August 2018)
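To make the line-count saving concrete, the following Python script (an added example, not code from the original article or from HPE Aruba) models the two forms side by side. It renders netdestination and netservice definitions in the syntax given above, expands the same host and port lists into the flat pre-16.06 class syntax from the top of the article (one line per source x destination x port combination, reproducing the six-line class exactly), and checks the user-policy rule that the source must be "any". The alias names (rdp-targets, rdp, deny-rdp), the RDP port 3389 and the hosts are constructed sample data. For network entries it assumes the mask field of the flat form is a wildcard mask, as the 0.0.0.0 host masks in the article suggest. The syntax a class uses to reference an alias is deliberately not reproduced, since the article shows it only in Figure 1.

```python
"""Model the alias expansion behind ArubaOS-Switch netdestination/netservice.

Added example, not code from the original article or from HPE Aruba.  It
renders netdestination/netservice definitions in the syntax the article gives,
expands the same aliases into the equivalent flat 'match tcp ...' class lines
(the pre-16.06 form shown at the top of the article) so the two can be
compared, and checks the user-policy rule that the source must be 'any'.
Alias names, hosts and ports are constructed sample data.
"""
import ipaddress
from itertools import product

# Constructed sample data: the three sources and two destinations from the
# article's six-line class, plus the RDP port from the Figure 1 policy.
SRC_HOSTS = ["10.120.0.1", "10.91.1.1", "10.0.100.12"]
DST_HOSTS = ["16.90.51.12", "10.93.24.1"]
RDP_PORTS = [3389]

MAX_LIST_PORTS = 6  # 'netservice ... list' accepts at most six ports


def netdestination(name, entries):
    """Render one 'netdestination' line per host ('a.b.c.d') or network ('a.b.c.d/len').

    'position' is the optional ordering parameter from Table 1; it is emitted
    here so the list order is explicit in the rendered config.
    """
    lines = []
    for pos, entry in enumerate(entries, start=1):
        if "/" in entry:
            net = ipaddress.ip_network(entry, strict=True)  # rejects host bits set
            lines.append(f"netdestination {name} network {net.with_prefixlen} position {pos}")
        else:
            ipaddress.ip_address(entry)  # raises ValueError on a malformed host
            lines.append(f"netdestination {name} host {entry} position {pos}")
    return lines


def netservice(name, proto, ports):
    """Render a 'netservice' line for a single TCP/UDP port or a 'list' of up to six."""
    if proto not in ("tcp", "udp"):
        raise ValueError("only tcp/udp aliases carry port numbers")
    if not ports or len(ports) > MAX_LIST_PORTS:
        raise ValueError(f"1 to {MAX_LIST_PORTS} ports required")
    if any(not 0 <= p <= 65535 for p in ports):
        raise ValueError("port outside 0-65535")
    if len(ports) == 1:
        return f"netservice {name} {proto} {ports[0]}"
    return f"netservice {name} {proto} list {','.join(map(str, ports))}"


def _addr_mask(entry):
    """Return the 'address wildcard-mask' pair used by the flat class syntax (assumption)."""
    if entry == "any":
        return "any"
    if "/" in entry:
        net = ipaddress.ip_network(entry, strict=True)
        return f"{net.network_address} {net.hostmask}"  # hostmask = wildcard bits
    return f"{entry} 0.0.0.0"  # exact host, as in the article's class


def expand_class(name, sources, destinations, proto, ports, action="match"):
    """Expand source x destination x port into the flat pre-16.06 class form.

    This is what the alias form saves the operator from typing: the line count
    is len(sources) * len(destinations) * len(ports).
    """
    lines = [f'class ipv4 "{name}"']
    combos = product(sources, destinations, ports)
    for seq, (src, dst, port) in enumerate(combos, start=1):
        lines.append(f"{seq * 10} {action} {proto} {_addr_mask(src)} {_addr_mask(dst)} eq {port}")
    return lines


def user_policy_source_violations(class_lines):
    """Return sequence numbers of match/ignore lines whose source is not 'any'.

    In a user policy the switch fills in the client's MAC as the source, so a
    class bound to a user role must use 'any' as its source address.
    """
    bad = []
    for line in class_lines[1:]:  # skip the 'class ipv4 ...' header
        seq, _action, _proto, src = line.split()[:4]
        if src != "any":
            bad.append(int(seq))
    return bad


if __name__ == "__main__":
    print("\n".join(netdestination("rdp-targets", DST_HOSTS)))
    print(netservice("rdp", "tcp", RDP_PORTS))
    flat = expand_class("abc", SRC_HOSTS, DST_HOSTS, "tcp", [100])
    print("\n".join(flat))
    print("user-policy source violations:", user_policy_source_violations(flat))
    print("\n".join(expand_class("deny-rdp", ["any"], DST_HOSTS, "tcp", RDP_PORTS, action="match")))
```

Run as a script it prints the two alias definitions, the six expanded lines of the article's class "abc" (which all fail the user-policy source check, because each names a source host), and a user-role version of the Figure 1 policy with "any" as the source. Adding a fourth host to SRC_HOSTS adds two lines to the flat form but only one netdestination line to the alias form, which is the point of the feature.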