I'm pretty new to Aruba switching, so I hope someone can help me out with this.
I'm setting up a stack of two 3810M switches to act as a building router on our main campus. There are a couple of rooms in that building that will need to be isolated. We want them to have no access to internal networks but we want them to have Internet access.
I've created the vlans and the access lists. I've applied the access lists and tested the restricted access. Everything works as intended. No problems!
Where I'm struggling is that I also tried to build the access lists using defined "netdestination" entries in the switch.
network 192.168.0.0 255.255.0.0 position 218
network 172.16.0.0 255.240.0.0 position 219
network 10.0.0.0 255.0.0.0 position 220
This didn't work. I found no way to use a defined netdestination in the extended ACL.
In Cisco, I created object groups then used those groups in creation of the ACL. Is there a similar method in Aruba? Or must we specify every individual network/host in the extended ACL.
Hi! Would you be so kind as to show us the problematic extended ACL where you tried to use the defined "Internal_Nets" netdestination?
That's the issue. I couldn't figure out how to incorporate the defined net destination into an extended ACL.
The ACL I ended up using in my 3810 had no defined net destinations and the ACL works as intended.
ip access-list extended "Room_102_ACL"
   10 deny ip xx.xx.xx.0 0.0.0.255 10.0.0.0 0.255.255.255
   20 deny ip xx.xx.xx.0 0.0.0.255 172.16.0.0 0.15.255.255
   30 deny ip xx.xx.xx.0 0.0.0.255 192.168.0.0 0.0.255.255
   40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
xx.xx.xx.0 represents the subnet defined for that classroom.
I have to replicate this for multiple classrooms that need to be restricted. Using defined objects in Cisco makes it a little quicker/easier since you can reuse those defined objects in multiple ACLs.
In Cisco, objects were defined as below:
object-group ip address Internal_Nets
   10.0.0.0 255.0.0.0
   172.16.0.0 255.240.0.0
   192.168.0.0 255.255.0.0
Then those objects are referenced in the ACL:
ip access-list extended Restricted_Classroom
   deny ip any addrgroup Internal_Nets
   permit ip any any
Just wondering if Aruba has a similar method/process.
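Since the reuse the thread asks for is not available for a plain "deny ip" ACE, one practical substitute is to generate the per-classroom ACLs off-box from a single list of internal networks, the way the Cisco object-group was reused. The Python below is an added example, not code from this thread or from Aruba. It defines the RFC1918 set once, stamps it into one ACL per classroom in the format posted above, and derives the ACE masks from CIDR: ArubaOS-Switch ACEs take a wildcard (inverse) mask like Cisco, so 172.16.0.0/12 becomes 0.15.255.255, not the subnet mask 255.240.0.0 used in netdestination entries. The classroom names and subnets are made-up placeholders for the thread's xx.xx.xx.0. It also flags classroom subnets that fall inside the internal ranges, since such a classroom would also lose reachability to its own gateway IP and any internal DNS resolver.

```python
"""Generate ArubaOS-Switch style extended ACLs for restricted classroom
subnets from one reusable list of internal destination networks.

Added example, not from the thread or from Aruba.  Classroom names and
subnets are constructed placeholders.
"""
import ipaddress

# Reusable "object group": RFC1918 space, the thread's Internal_Nets.
INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed classroom subnets (stand-ins for the thread's xx.xx.xx.0).
CLASSROOMS = {
    "Room_102": "198.51.100.0/24",
    "Room_104": "198.51.100.128/25",
}


def wildcard(net):
    """Return '<network> <wildcard-mask>' for an ArubaOS-Switch ACE.

    The ACE mask is an inverse mask: 0 bits must match, 1 bits are ignored.
    That is exactly the network's hostmask, e.g. /12 -> 0.15.255.255.
    """
    n = ipaddress.ip_network(net, strict=True)
    return f"{n.network_address} {n.hostmask}"


def overlapping_internal(src_net, internal_nets=INTERNAL_NETS):
    """List the internal ranges a classroom subnet itself lives inside.

    Such a classroom would also be denied traffic to its own gateway IP and
    to any internal resolver, so it needs explicit permit ACEs first.
    """
    src = ipaddress.ip_network(src_net, strict=True)
    return [n for n in internal_nets if src.overlaps(ipaddress.ip_network(n))]


def classroom_acl(name, src_net, internal_nets=INTERNAL_NETS, step=10):
    """Build one ACL: deny classroom -> each internal net, then permit any."""
    any_any = f"{wildcard('0.0.0.0/0')} {wildcard('0.0.0.0/0')}"
    lines = [f'ip access-list extended "{name}_ACL"']
    seq = step
    for dst in internal_nets:
        lines.append(f"   {seq} deny ip {wildcard(src_net)} {wildcard(dst)}")
        seq += step
    lines.append(f"   {seq} permit ip {any_any}")
    lines.append("   exit")
    return "\n".join(lines)


def all_acls(classrooms=CLASSROOMS):
    """Render every classroom ACL, one after the other, ready to paste."""
    return "\n".join(classroom_acl(n, s) for n, s in classrooms.items())


if __name__ == "__main__":
    for name, net in CLASSROOMS.items():
        inside = overlapping_internal(net)
        if inside:
            print(f"! {name} ({net}) lies inside {inside}; add permits first")
    print(all_acls())
```

Paste the output into the stack's config and apply each ACL to its classroom VLAN as before; regenerating all of them after changing INTERNAL_NETS replaces the per-ACL editing that the Cisco object-group avoided.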
The syntax is a little bit different; looking here, for your scenario it would probably be:
ip access-list extended "Room_102_ACL"
   10 deny ip <source-network> 0.0.0.255 alias-dst "Internal_Nets"
   40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
   exit
When I tried that, I found that starting the ACE with "deny ip" to block all ip traffic matching the rule prevents the use of the defined netdestination aliases.
It seems that in order to use the aliases, you must define a "netservice" and reference it in the ACE:
deny alias-src Room_102 alias-dst Internal_Nets alias-srvc <netservice>
Creating the netservice requires use of a specific tcp or udp port or a specific IP protocol number. It doesn't appear possible to block all IP traffic while using defined netdestination aliases for source and/or destination within the ACE.
So it doesn't seem possible to create an ACE like this one:
deny ip <source-network> 0.0.0.255 alias-dst "Internal_Nets"