SD-WAN

  • 1.  Third Octet Wildcard Configuration

    Posted May 01, 2024 10:01 AM
    Edited by kurtw1 May 01, 2024 10:24 AM

    I have a customer that is moving from a Cisco router connection to an Aruba SD-Branch solution.  They have 300+ sites and are restricting ping access to their LAN subnet to only the LAN IP address on the router.  I have to port this ACL to a 9004 gateway, but am having trouble entering the ACL line in a group level ACL to apply to all of their store GWs.

    Current config on Cisco router:

     permit ip any 172.33.0.253 0.0.255.0
     permit ip any 172.23.0.253 0.0.255.0
     permit ip any 172.16.0.253 0.0.255.0
     permit ip any 172.17.0.253 0.0.255.0

    When I try to enter the same on the Aruba GW using subnet mask 255.255.0.255, I get an invalid subnet response and I can't save that ACL line.  

    Is there a solution for this, or will I need to put in a different ACL at each store site with the exact address?

    I saw where this question was asked before, but there is no definitive answer supplied.

    I could also use assistance with this ACL line:

    permit tcp any any established

    Thanks for your help!



  • 2.  RE: Third Octet Wildcard Configuration
    Best Answer

    Posted May 02, 2024 01:22 AM

    You should be able to achieve this by configuring a Network Alias match condition with rule-type 'network' which has supported wildcard masks for a while now. (Security > Aliases > Network Alias).  You can then use the alias as a match condition in your policy.

    Regarding 'permit tcp any any established', this likely isn't necessary as the session ACLs in ArubaOS are stateful - return traffic will be processed using the existing session.
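
As an added illustration, not code from any reply in this thread or from Aruba, the following Python shows why the 0.0.255.0 wildcard cannot be written as a contiguous subnet mask (255.255.0.255 fails the contiguity test, which is the "invalid subnet" error), how a wildcard match is evaluated bit by bit, and how the same rule expands into the per-site /32 entries that the alternative of a separate ACL at each store would require. The site addresses below are constructed sample values, not the customer's real addressing.

```python
import ipaddress

MASK32 = 0xFFFFFFFF


def _ip_int(text: str) -> int:
    """Convert dotted-quad text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def is_contiguous_mask(mask: str) -> bool:
    """True if a subnet mask is a run of 1 bits followed by 0 bits.

    Gateways and most ACL parsers only accept contiguous masks, so a mask that
    leaves a hole in the middle (255.255.0.255) is rejected as invalid.
    """
    inverted = (~_ip_int(mask)) & MASK32
    # A contiguous netmask inverts to 2^k - 1, which has no set bit in common with itself + 1.
    return (inverted & (inverted + 1)) == 0


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard match: 0 bits must match, 1 bits are 'don't care'."""
    care = (~_ip_int(wildcard)) & MASK32
    return (_ip_int(addr) & care) == (_ip_int(base) & care)


def expand_wildcard(base: str, wildcard: str) -> list:
    """Enumerate every host address covered by base/wildcard, in ascending order.

    This is the list of /32 entries you would otherwise need in a network alias
    or in per-site ACLs.
    """
    w = _ip_int(wildcard)
    fixed = _ip_int(base) & ~w & MASK32
    addresses = []
    sub = 0
    while True:
        addresses.append(str(ipaddress.IPv4Address(fixed | sub)))
        if sub == w:
            break
        sub = (sub - w) & w  # advance to the next subset of the wildcard bits
    return addresses


def matching_router_ips(candidates: list, base: str, wildcard: str) -> list:
    """Filter a list of destination addresses down to those the rule would permit."""
    return [c for c in candidates if wildcard_match(c, base, wildcard)]


if __name__ == "__main__":
    # Constructed sample destinations: two store router LAN IPs, one host on a
    # store LAN, and one address in a different /16.
    sample = ["172.33.7.253", "172.33.210.253", "172.33.7.10", "172.34.7.253"]

    print("255.255.0.255 contiguous?", is_contiguous_mask("255.255.0.255"))  # False
    print("permitted:", matching_router_ips(sample, "172.33.0.253", "0.0.255.0"))
    print("equivalent /32 entries:", len(expand_wildcard("172.33.0.253", "0.0.255.0")))
```

Running it prints that 255.255.0.255 is not contiguous, that only the two `.253` router addresses in 172.33.0.0/16 are permitted, and that the single wildcard line stands in for 256 individual /32 entries (one per possible third octet), which is why a wildcard-capable network alias is the practical way to express the rule once at group level.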




  • 3.  RE: Third Octet Wildcard Configuration

    Posted May 03, 2024 10:45 AM

    This solved my problem, thank you!




  • 4.  RE: Third Octet Wildcard Configuration

    Posted May 02, 2024 10:23 AM


    Dear ,

    Based on the email in the image, the customer is having trouble porting an ACL from a Cisco router to a 9004 Aruba gateway. The specific issue is that the subnet mask of 255.255.255.255 is not valid on the Aruba gateway.

    Here are some possible solutions:

    • Use a /32 subnet mask: A /32 subnet mask is equivalent to a single IP address. This would allow only the specified IP address to be pinged. For example, to allow pings only to the IP address 172.33.0.253, the ACL rule would be:

     permit icmp any 172.33.0.253 255.255.255.255

    • Create a group object: The customer can create a group object that contains all of the allowed IP addresses. Then, they can reference the group object in the ACL rule. This would allow for easier management of the ACL in the future.

    Here are the steps to create a group object and an ACL rule that references the group object:

    1. Create a group object that contains all of the allowed IP addresses. For example:

     object-group network test-group
      network 172.33.0.253 255.255.255.255
      network 172.23.0.253 255.255.255.255
      network 172.16.0.253 255.255.255.255
      network 172.17.0.253 255.255.255.255

    2. Create an ACL rule that references the group object. For example:

     permit icmp any test-group any

    It is important to note that these are just two possible solutions, and the best solution for the customer will depend on their specific needs.

    I hope this helps! Let me know if you have any other questions.






    Thanks & Regards,
      
    Hanamant CM