Net destination local override using Zero Touch Provisioning
Customer needs a scalable solution that creates a local net destination override. There is a need to set up general policies allowing or denying traffic to a local printer, camera or POS device etc
For example a typical store has various network elements that needs to be protected. Let us assume a particular store has network address 10.X.Y.0/24. Default gateway will be always be 10.X.Y.1, 10.X.Y.7 and so on
What is needed is a way to write ACLs that don’t embed real network addresses or alternatively being able to override them at the controller level.
Controller global configurations:
ip access-list session store1
any alias store1 any permit
The above configurations has to be repeated for every distributed retail stores (7K+) stores and will not scale with the current approach. Hence the need for a scalable solution that creates a local net destination override.
Potential solution examples:
If we configure vlan 10 on all the stores though the network ip range are different, with the new approach we can write ACLs that don’t embed real network addresses and alternatively we will be able to override them at the controller level.
host vlan 10 offset 5
host vlan 10 offset 8
The subnets to a particular VLAN can be assigned by the bulk edit tool. With the above, we could pick whatever the subnet (e.g. 10.1.1.0/24) assigned to vlan 10 for that store and calculate offsets 5 (10.1.1.5) and 8 (10.1.1.8) from it.
host vlan 200 offset 1
ip access-list session store-override
any alias store any permit
alias store any any deny
(C1) #show acl ace-table acl 60
411: any 220.127.116.11 255.255.255.255 0 0-0 0-0 f80001:permit
412: 18.104.22.168 255.255.255.255 any 0 0-0 0-0 f80000:deny
413: any any 0 0-0 0-0 f180000:deny
C1) #show acl acl-table 60
ACL Type ACE Index Rule Count Ace Count Name Applied
--- ---- --------- ---------- --------- ---- -------
60 session 411 2 3 store-override 0
Total ACE entries in use = 344
Total free ACE entries = 7336
Free ACE entries at the bottom = 7266
Next ACE entry to use = 414 (table 1)
Ace entries reused 0 times
ACL count 61, tunnel acl 0