
netdestination & netservice command on 2930-F

  • 1.  netdestination & netservice command on 2930-F

    Posted Oct 19, 2020 12:53 PM

    I know I should be tunneling this back to the controller, but because I have a mix of Cisco, Procurve & Aruba switches, I need to define a complex ACL on an Aruba 2920 or 2930 switch.


    I have hosts on some Aruba 2920 & 2930 switches that I need to lock down to permit only remote hosts & TCP services

    I see that my Aruba 2930 switch has commands for "netdestination" and "netservice".

    I have been asked to permit a destination of 8 specific ports to 6 specific hosts on the Aruba 2920 & 2930 switch models.
    I am not going to tunnel these hosts back to the controller.

    I have applied the "netdestination" command & netservice command as follows.
    netdestination "Internet_Processors"
    host position 119
    host position 120
    netservice "CC_Proc" tcp list "8023,8300,4113,5223,2207"
    netservice "CC_Proc2" tcp list "23,443"

    I am having problems creating the ACL.

    When I type "permit alias-src Internet-Processors", I do not have the "Any" option.

    My goal is to limit the destination for the host on this switchport to a small group of remote hosts on specific ports.
    In Cisco, I would create an object-group for this.
    Can I create "alias" groups on the Aruba switch to do the same thing?

  • 2.  RE: netdestination & netservice command on 2930-F

    Posted Oct 24, 2020 05:21 AM

    What full ACL do you want to configure on the switch?

  • 3.  RE: netdestination & netservice command on 2930-F

    Posted Oct 26, 2020 05:25 PM



    I think to accomplish the goal of allowing the host to access a limited range of hosts and ports you can use an ACL like the example below, just modifying it to the desired ports and addresses.


    ip access-list extended "Remote-Hosts_and_Ports"
         10 permit udp any host XX.XX.XX.XX eq XX
         20 permit udp any host XX.XX.XX.XX eq XX
         25 permit tcp any host XX.XX.XX.XX eq XX
         30 permit tcp any host XX.XX.XX.XX eq XX
         80 deny ip any any


    And apply it to the desired port:

    interface 11
         ip access-group "Remote-Hosts_and_Ports" in
         untagged vlan 1042
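ArubaOS-Switch extended ACLs have no object-group equivalent, so the "8 ports to 6 hosts" requirement from the question expands to 48 separate permit entries plus the closing deny. The script below is an added example (not from the thread or from Aruba) that generates that ACL in the entry form the reply above uses; the six remote addresses are constructed placeholders, the port list is the question's ports plus one constructed port, and the `<seq> permit tcp any host <ip> eq <port>` syntax is assumed to match the 2920/2930 CLI.

```python
from ipaddress import ip_address

# Constructed sample values (the thread does not give the real addresses):
# six remote hosts and eight TCP ports, matching "6 hosts, 8 ports".
REMOTE_HOSTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12",
                "192.0.2.13", "192.0.2.14", "192.0.2.15"]
TCP_PORTS = [8023, 8300, 4113, 5223, 2207, 23, 443, 22]


def build_acl(name, hosts, tcp_ports, step=10):
    """Return CLI lines for an extended ACL that permits TCP from any source
    on the switchport to exactly hosts x tcp_ports, then denies everything
    else. The deny is explicit, as in the reply above, so the intent shows
    up in 'show access-list' rather than relying on the implicit deny."""
    lines = [f'ip access-list extended "{name}"']
    seq = step
    for host in hosts:
        ip_address(host)  # reject an address typo before it reaches the switch
        for port in tcp_ports:
            if not 1 <= port <= 65535:
                raise ValueError(f"invalid TCP port {port}")
            lines.append(f"   {seq} permit tcp any host {host} eq {port}")
            seq += step
    lines.append(f"   {seq} deny ip any any")
    lines.append("   exit")
    return lines


def bind_acl(name, interface, direction="in"):
    """Return the interface stanza that applies the ACL inbound on the
    port the restricted host sits on, as the reply above shows."""
    return [f"interface {interface}",
            f'   ip access-group "{name}" {direction}',
            "   exit"]


if __name__ == "__main__":
    config = build_acl("Remote-Hosts_and_Ports", REMOTE_HOSTS, TCP_PORTS)
    config += bind_acl("Remote-Hosts_and_Ports", 11)
    print("\n".join(config))
```

The ACL is stateless and filters only frames entering the switch on that port, so reply traffic to the host is not affected by it; regenerate and re-paste the whole list whenever the host or port set changes rather than editing entries by hand.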