I did a test with a stack and it worked like a charm; it downloaded the ACLs I had, VLANs and other things.
Original Message:
Sent: May 14, 2024 07:03 PM
From: ariyap
Subject: Downloadable ACL for CX
Note that there is an NAE agent that downloads the server certificate as well, which makes it easier, and you don't need to do it the manual way.
You can ask your local Aruba SE for it.
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: May 14, 2024 06:39 PM
From: cdelarosa
Subject: Downloadable ACL for CX
Thank you guys, I read about DUR today and I find it useful.
I can't wait to try it.
After reading and looking at Mflowers' and others' posts, and also some documentation, I saw how to configure it and what I can do with it. Seems useful; you can even send VLANs and other things.
Thanks again guys, I'll see if I can try this this week.
Original Message:
Sent: May 14, 2024 03:35 PM
From: Mflowers@beta.team
Subject: Downloadable ACL for CX
"That method is using a DUR rather than applying an ACL through the return attributes, which is what the original question asked for, and requires the additional setup for supporting DUR."
That is fair and I glossed over that. Thank you for specifying/clarifying the need for DUR/ta-cert on the switches.
Original Message:
Sent: May 14, 2024 01:22 PM
From: chulcher
Subject: Downloadable ACL for CX
That method is using a DUR rather than applying an ACL through the return attributes, which is what the original question asked for, and requires the additional setup for supporting DUR.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: May 14, 2024 11:58 AM
From: Mflowers@beta.team
Subject: Downloadable ACL for CX
I replied to your other post, but here is how I do them. To me this is much simpler than the method that ariyap listed. You just need to copy and paste the same config that you would use in the CLI:
Here is what would work with the question you asked directly (people on this forum are terrible at answering questions directly).
class ip all
    10 match any any any
class ip dhcp-server
    10 match udp any any eq dhcp-server
class ip dns
    10 match udp any any eq dns
class ip rfc1918
    10 match any any 192.168.0.0/255.255.0.0
    20 match any any 10.0.0.0/255.0.0.0
    30 match any any 172.16.0.0/255.240.0.0
class ipv6 all
    10 match any any any
port-access policy deny-internal
    10 class ip dns
    20 class ip dhcp-server
    30 class ip rfc1918 action drop
    40 class ipv6 all action drop
    50 class ip all
port-access role GUEST-ACCESS
    description GUEST-ACCESS
    associate policy deny-internal
    auth-mode client-mode
    client-inactivity timeout none
    stp-admin-edge-port
    vlan access XXX
Original Message:
Sent: May 10, 2024 09:28 AM
From: cdelarosa
Subject: Downloadable ACL for CX
I was checking the technote, but the idea is not to use the roles on all their switches; if I don't have UBT, we don't have a way to centralize the rules.
If I use roles without UBT, then I would need to configure those roles on each switch, and there are a lot of switches, and every time I need to modify something I would need to go into all the switches and modify it.
With NAS-Filter it works centralized, but the problem is that I have no way to modify it, and if you use NAS-Filter there is no box I can use like the Cisco downloadable role.
Now my question is: what should work with CX switches? Sorry ariyap, I didn't understand this part. Do you mean using the same Cisco downloadable enforcement as if it was a Cisco switch, but instead of putting the Cisco ACL, which is like this:
permit ip any host x.x.x.x
permit ip any host y.y.y.y
deny ip any 10.0.0.0 0.255.255.255
Permit IP any any
I put it like this for CX?
permit in ip from any to x.x.x.x
permit in ip from any to y.y.y.y
deny in ip from any to 10.0.0.0/8
permit in ip from any to any
If it's like I just said, as far as I remember I had to put, instead of the NAS IP rule, something like NAS Cisco and then Cisco downloadable ACL; does that work even if I put NAS Cisco?
Well, I haven't checked if there is something similar on Aruba NAS for a downloadable ACL.
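A converter from the Cisco dACL shape shown above into the CX-style "permit in ip from any to ..." rules proposed in the same post, emitting one string per NAS-Filter-Rule value in ACL order; this is an added example, not code from the original thread. The sample addresses, the bare-address form for `host`, and the treatment of a trailing `eq PORT` as a destination port are assumptions made here.

```python
"""Cisco dACL entries -> Aruba CX style NAS-Filter-Rule strings.
Added example, not from the original thread; the CX rule shape
('permit in ip from any to 10.0.0.0/8') is the one proposed above."""
import ipaddress
# Constructed sample of the thread's Cisco dACL shape (documentation addresses).
CISCO_DACL = """
permit ip any host 192.0.2.10
permit tcp any host 192.0.2.20 eq 443
deny ip any 10.0.0.0 0.255.255.255
Permit IP any any
"""

def _wildcard_to_cidr(addr, wildcard):
    """Cisco wildcard mask -> CIDR (0.255.255.255 -> /8); discontiguous masks rejected."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefix = bin(mask).count("1")
    if (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF != mask:
        raise ValueError(f"discontiguous wildcard mask {wildcard}")
    if prefix == 0:                     # 0.0.0.0 255.255.255.255 == any
        return "any"
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def _take_address(tokens):
    """Consume one Cisco address spec; return (cx_text, remaining_tokens)."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":             # bare address, as written in the thread
        return tokens[1], tokens[2:]
    return _wildcard_to_cidr(tokens[0], tokens[1]), tokens[2:]

def cisco_ace_to_cx(line):
    """One Cisco ACE -> one CX ingress rule, e.g. 'deny in ip from any to 10.0.0.0/8'."""
    tokens = line.lower().split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported action in: {line}")
    src, rest = _take_address(tokens[2:])
    dst, rest = _take_address(rest)
    rule = f"{action} in {proto} from {src} to {dst}"
    if rest[:1] == ["eq"]:              # assumption: trailing 'eq PORT' is the dest port
        rule += f" {rest[1]}"
    return rule

def dacl_to_nas_filter_rules(text):
    """Ordered list, one entry per NAS-Filter-Rule value (order is the ACL order)."""
    return [cisco_ace_to_cx(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    for n, rule in enumerate(dacl_to_nas_filter_rules(CISCO_DACL), 1):
        print(f"NAS-Filter-Rule[{n}] = {rule}")
```

Because the switch evaluates NAS-Filter-Rule values in the order they arrive, inserting a rule means re-sending the whole ordered list, which is the editing pain point raised in the thread.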
Original Message:
Sent: May 10, 2024 07:03 AM
From: ariyap
Subject: Downloadable ACL for CX
Yes, it should also work with CX switches; however, the better way is to use user-roles.
Check this technote: "Aruba ClearPass Wired Enforcement for CX switches – Part1".
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: May 09, 2024 11:07 PM
From: cdelarosa
Subject: Downloadable ACL for CX
Hello guys,
I was wondering if I could do this for CX just like I do it for Cisco switches?
There is no gateway, so no UBT.
I can use NAS-Filter-Rule, but the problem with this is with the long ACLs.
I cannot modify them, the order or something like that; I have to delete a lot of ACLs just to add a new ACL. Imagine a really long ACL.
It was really easy with the Downloadable ACL feature I have for Cisco on the ClearPass because I have a box to edit all this, but with NAS-Filter I don't have it.
Any ClearPass guru that can help me, or guide me with a feature that ClearPass most likely will have? I mean, if it has it for Cisco, it should have it for Aruba CX, I guess.
Thanks!