Wired


netdestination & netservice command on 2930-F

  • 1.  netdestination & netservice command on 2930-F

    Posted Oct 19, 2020 12:53 PM

    I know I should be tunneling this back to the controller, but because I have a mix of Cisco, Procurve & Aruba switches, I need to define a complex ACL on an Aruba 2920 or 2930 switch.


    I have hosts on some Aruba 2920 & 2930 switches that I need to lock down to permit only remote hosts & TCP services

    I see that my Aruba 2930 switch has commands for "netdestination" and "netservice"

    I have been asked to permit a destination of 8 specific ports to 6 specific hosts on the Aruba 2920 & 2930 switch models.
    I am not going to tunnel these hosts back to the controller.

    I have applied the "netdestination" command & netservice command as follows.
    ******************************************
    netdestination "Internet_Processors"
    host 51.55.143.210 position 119
    host 51.55.143.110 position 120
    exit
    netservice "CC_Proc" tcp list "8023,8300,4113,5223,2207"
    netservice "CC_Proc2" tcp list "23,443"
    ****************************************

    I am having problems creating the ACL.

    When I type "permit alias-src Internet-Processors", I do not have the "Any" option.

    My goal is to limit the destination for the host on this switchport to a small group of remote hosts on specific ports.
    In Cisco, I would create an object-group for this.
    Can I create "alias" groups on the Aruba switch to do the same thing?




  • 2.  RE: netdestination & netservice command on 2930-F

    Posted Oct 24, 2020 05:21 AM

    What full ACL do you want to configure on the switch?



  • 3.  RE: netdestination & netservice command on 2930-F

    Posted Oct 26, 2020 05:25 PM

    Hello.


    I think to accomplish the goal of allowing the host to access a limited range of hosts and ports you can use an ACL like the example below, just modifying it to the desired ports and addresses.


    ip access-list extended "Remote-Hosts_and_Ports"
         10 permit udp 192.168.10.10 0.0.0.0 10.10.10.10 0.0.0.0 eq XX
         20 permit udp 192.168.10.10 0.0.0.0 10.10.10.20 0.0.0.0 eq XX
         25 permit tcp 192.168.10.10 0.0.0.0 10.10.10.30 0.0.0.0 eq XX
         30 permit tcp 192.168.10.10 0.0.0.0 10.10.10.40 0.0.0.0 eq XX
         80 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
         exit


    And apply it to the desired port


    interface 11
    ip access-group "Remote-Hosts_and_Ports" in
    untagged vlan 1042
    exit
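Added example for this thread, not code from either post: a small Python script that builds the kind of extended ACL the original question asks for (one local host, a list of remote hosts, a list of TCP ports, deny everything else at the end), renders it in the CLI form used in the reply above, and then evaluates sample flows against it the way the switch does, first matching entry wins. The addresses, ports and interface number are constructed placeholders standing in for the poster's 6 hosts and 8 ports. Masks are modelled the way the reply's own `deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255` line uses them: a 0 bit in the mask must match the packet, a 1 bit is ignored, so an all-ones mask means "any". That is the detail that bites people coming from object-group thinking: a host address paired with `255.255.255.255` is silently an "any" entry, and the `audit` function flags exactly that. The `eq`, `host`-style masks and numbered ACEs are ordinary ArubaOS-Switch syntax, but check the rendered text against the Access Security Guide for your firmware before pasting it into a production switch.

```python
"""Generate an ArubaOS-Switch style extended ACL from host/port lists and
check sample flows against it.

Added example for this thread, not code from either post. Addresses, ports
and the interface number below are constructed placeholders. ACL masks are
modelled the ArubaOS-Switch way: a 0 bit in the mask must match the packet,
a 1 bit is ignored, so 0.0.0.0 255.255.255.255 means "any".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_MASK = "255.255.255.255"
HOST_MASK = "0.0.0.0"

# Constructed sample input standing in for the poster's 6 hosts / 8 ports.
LOCAL_HOST = "192.168.10.10"
REMOTE_HOSTS = ["10.10.10.10", "10.10.10.20", "10.10.10.30"]
TCP_PORTS = [23, 443, 8023, 8300]


def _mask_match(rule_ip: str, mask: str, pkt_ip: str) -> bool:
    """True when pkt_ip equals rule_ip in every bit the mask does not ignore."""
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(rule_ip)) & keep) == (
        int(ipaddress.IPv4Address(pkt_ip)) & keep)


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if not _mask_match(self.src, self.src_mask, src):
            return False
        if not _mask_match(self.dst, self.dst_mask, dst):
            return False
        return self.dport is None or self.dport == dport

    def render(self) -> str:
        port = f" eq {self.dport}" if self.dport is not None else ""
        return (f"{self.seq} {self.action} {self.proto} "
                f"{self.src} {self.src_mask} {self.dst} {self.dst_mask}{port}")


def build_acl(local_host: str, remote_hosts: List[str],
              tcp_ports: List[int]) -> List[Entry]:
    """One permit ACE per (remote host, port) pair, then an explicit deny-all."""
    entries, seq = [], 10
    for host in remote_hosts:
        for port in tcp_ports:
            entries.append(Entry(seq, "permit", "tcp", local_host, HOST_MASK,
                                 host, HOST_MASK, port))
            seq += 10
    entries.append(Entry(seq, "deny", "ip", "0.0.0.0", ANY_MASK, "0.0.0.0", ANY_MASK))
    return entries


def render_acl(name: str, entries: List[Entry],
               interface: Optional[str] = None) -> str:
    """CLI text in the form used in the reply; optionally applies it inbound on a port."""
    lines = [f'ip access-list extended "{name}"']
    lines += ["   " + e.render() for e in sorted(entries, key=lambda e: e.seq)]
    lines.append("   exit")
    if interface is not None:
        lines += [f"interface {interface}", f'   ip access-group "{name}" in', "   exit"]
    return "\n".join(lines)


def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; a flow matching nothing hits the implicit deny."""
    for e in sorted(entries, key=lambda e: e.seq):
        if e.matches(proto, src, dst, dport):
            return e.action, e.seq
    return "deny", None


def audit(entries: List[Entry]) -> List[int]:
    """Flag permit ACEs that pair a specific address with an all-ones mask:
    the mask ignores every bit, so the ACE really permits 'any'."""
    return [e.seq for e in entries if e.action == "permit" and (
        (e.src_mask == ANY_MASK and e.src != "0.0.0.0") or
        (e.dst_mask == ANY_MASK and e.dst != "0.0.0.0"))]


if __name__ == "__main__":
    acl = build_acl(LOCAL_HOST, REMOTE_HOSTS, TCP_PORTS)
    print(render_acl("Remote-Hosts_and_Ports", acl, interface="11"))
    print(evaluate(acl, "tcp", LOCAL_HOST, "10.10.10.10", 443))  # permitted
    print(evaluate(acl, "tcp", LOCAL_HOST, "10.10.10.10", 80))   # denied
    # The same ACE written with 255.255.255.255 masks matches any src/dst:
    loose = Entry(10, "permit", "tcp", LOCAL_HOST, ANY_MASK, "10.10.10.10", ANY_MASK, 443)
    print(loose.matches("tcp", "198.51.100.7", "203.0.113.9", 443), audit([loose]))
```

Running the script prints the generated ACL plus the interface stanza, then shows a permitted and a denied flow. With 6 hosts and 8 ports the generator produces 48 permit entries plus the deny, which is the size of list the original question is really asking about; running `evaluate` over a handful of flows you care about is a cheap way to confirm the list does what you think before applying it with `ip access-group ... in`.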