Requirement: The customer needs a scalable solution that creates a local net destination override. There is a need to set up general policies that allow or deny traffic to a local printer, camera, POS device, etc.
Solution: A typical store, for example, has various network elements that need to be protected. Assume a particular store has the network address 10.X.Y.0/24. The default gateway will always be 10.X.Y.1, further fixed devices 10.X.Y.7 and so on.
What is needed is a way to write ACLs that don’t embed real network addresses or alternatively being able to override them at the controller level.
Topology
Configuration: Controller global configuration:
CLI
netdestination store1
host 10.0.0.1
host 10.0.0.7
!
ip access-list session store1
any alias store1 any permit
!
user-role store1
session-acl store1
!
The above configuration has to be repeated for every distributed retail store (7K+ stores) and will not scale with the current approach. Hence the need for a scalable solution that creates a local net destination override.
Potential solution examples:
If we configure VLAN 10 on all the stores, even though the network IP ranges differ per store, the new approach lets us write ACLs that don’t embed real network addresses and override them at the controller level instead.
netdestination store
host vlan 10 offset 5
host vlan 10 offset 8
The subnet for a particular VLAN can be assigned with the bulk edit tool. With the above, the controller takes whatever subnet (e.g. 10.1.1.0/24) is assigned to VLAN 10 for that store and calculates offsets 5 (10.1.1.5) and 8 (10.1.1.8) from it.
CLI configuration
netdestination store
host vlan 200 offset 1
!
ip access-list session store-override
any alias store any permit
alias store any any deny
!
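To make the offset mechanism concrete, the following added example (not controller code, and not from the original page) resolves the "host vlan N offset K" entries of the netdestination above against a per-store VLAN-to-subnet table and expands the session ACL into the concrete rules a store would end up with. The store names, the second store's subnet, and the 110.0.0.0/24 assignment for VLAN 200 are constructed assumptions; it also rejects offsets that fall on the network or broadcast address or outside the subnet, which is the failure mode to check before pushing such a policy to thousands of stores.

```python
import ipaddress
import itertools
import re
from typing import Dict, List, Tuple

# Constructed sample: the netdestination and session ACL from the page,
# written with "host vlan <id> offset <n>" entries instead of literal addresses.
NETDESTINATION_CONFIG = """\
netdestination store
 host vlan 200 offset 1
!
"""

SESSION_ACL_CONFIG = """\
ip access-list session store-override
 any alias store any permit
 alias store any any deny
!
"""

# Constructed per-store VLAN-to-subnet assignments (the data a bulk-edit tool
# would push). Store names and subnets are hypothetical.
STORE_VLAN_SUBNETS: Dict[str, Dict[int, str]] = {
    "store-C1": {200: "110.0.0.0/24"},
    "store-0042": {200: "10.42.7.0/24"},
}

_HOST_RE = re.compile(r"^host vlan (\d+) offset (\d+)$")


def parse_netdestination(config: str) -> Tuple[str, List[Tuple[int, int]]]:
    """Return (alias name, [(vlan, offset), ...]) from a netdestination block."""
    name = None
    entries: List[Tuple[int, int]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("netdestination "):
            name = line.split(None, 1)[1]
            continue
        m = _HOST_RE.match(line)
        if not m:
            raise ValueError(f"unsupported netdestination entry: {line!r}")
        entries.append((int(m.group(1)), int(m.group(2))))
    if name is None:
        raise ValueError("no netdestination name found")
    return name, entries


def resolve_hosts(entries: List[Tuple[int, int]], vlan_subnets: Dict[int, str]) -> List[str]:
    """Turn each (vlan, offset) into a concrete host inside that store's VLAN subnet."""
    hosts = []
    for vlan, offset in entries:
        if vlan not in vlan_subnets:
            raise KeyError(f"vlan {vlan} has no subnet assigned for this store")
        net = ipaddress.ip_network(vlan_subnets[vlan], strict=True)
        # Offset 0 is the network address and the last one is broadcast;
        # anything beyond the subnet would silently target another network.
        if offset < 1 or offset >= net.num_addresses - 1:
            raise ValueError(f"offset {offset} is not a usable host in {net}")
        hosts.append(str(net.network_address + offset))
    return hosts


def _endpoint(tokens: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume one ACL endpoint: either 'alias <name>' or a single literal token."""
    if tokens[i] == "alias":
        return ("alias", tokens[i + 1]), i + 2
    return ("literal", tokens[i]), i + 1


def expand_acl(acl_config: str, alias: str, hosts: List[str]) -> List[str]:
    """Expand 'alias <name>' endpoints into one concrete '<src> <dst> <svc> <action>' rule per host."""
    rules = []
    for raw in acl_config.splitlines():
        line = raw.strip()
        if not line or line == "!" or line.startswith("ip access-list"):
            continue
        tokens = line.split()
        src, i = _endpoint(tokens, 0)
        dst, i = _endpoint(tokens, i)
        service, action = tokens[i], tokens[i + 1]
        candidates = []
        for kind, value in (src, dst):
            if kind == "alias":
                if value != alias:
                    raise KeyError(f"unknown alias {value!r} in rule {line!r}")
                candidates.append(hosts)
            else:
                candidates.append([value])
        for s, d in itertools.product(*candidates):
            rules.append(f"{s} {d} {service} {action}")
    return rules


def resolve_store(store: str) -> List[str]:
    """Full pipeline for one store: parse, resolve offsets, expand the ACL."""
    alias, entries = parse_netdestination(NETDESTINATION_CONFIG)
    hosts = resolve_hosts(entries, STORE_VLAN_SUBNETS[store])
    return expand_acl(SESSION_ACL_CONFIG, alias, hosts)


if __name__ == "__main__":
    for store in STORE_VLAN_SUBNETS:
        print(store, resolve_store(store))
```

For the constructed store-C1 (VLAN 200 = 110.0.0.0/24) the expansion yields "any 110.0.0.1 any permit" and "110.0.0.1 any any deny", which is the pair of entries the ace-table verification below shows, while store-0042 gets the same policy against 10.42.7.1 from one shared configuration.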
UI:
Verification:
(C1) #show acl ace-table acl 60
411: any 110.0.0.1 255.255.255.255 0 0-0 0-0 f80001:permit
412: 110.0.0.1 255.255.255.255 any 0 0-0 0-0 f80000:deny
413: any any 0 0-0 0-0 f180000:deny
(C1) #show acl acl-table 60
AclTable
--------
ACL Type ACE Index Rule Count Ace Count Name Applied
--- ---- --------- ---------- --------- ---- -------
60 session 411 2 3 store-override 0
Total ACE entries in use = 344
Total free ACE entries = 7336
Free ACE entries at the bottom = 7266
Next ACE entry to use = 414 (table 1)
Ace entries reused 0 times
ACL count 61, tunnel acl 0