Q:
How to find which domain ACLs in the pre-auth role are actually being resolved, and optimize the configuration accordingly?
Instant 4.0 supports configuration of domain-based Access Control List (ACL) rules. These are similar to regular ACLs, but the destination is specified as a domain name instead of a destination IP address. Domain-based ACLs are most commonly used on a guest network to whitelist HTTPS services such as the Apple App Store and the Android Market Place in the pre-auth role. Because these HTTPS services do not have fixed public IP addresses, and the addresses they use may change at any time, the only practical solution is to configure domain-name ACLs as needed.
In Example 1 below, we have allowed access to the Google store in the pre-auth role so that WLAN users can download Quick Connect. Not all of the domain ACLs added there are necessarily needed to complete the Quick Connect download. To find out which domains are actually being resolved, run "show datapath dns-id-map". The IAP intercepts the DNS requests and responses of client devices, and this command shows the cache it maintains from those answers: each entry corresponds to one domain ACL, and an entry lists the IP addresses that clients resolved for that domain. An entry with no address means no client queried that domain while the cache was being populated, so perform the complete download from a test client before reading the output; the cache only reflects what clients have actually queried.
Example 1:
18:64:72:c2:43:b2# show access-rule Onboard-Redirect

Access Rules
------------
Dest IP  Dest Mask                   Dest Match  Protocol (id:sport:eport)  Application  Action  Log  TOS  802.1P  Blacklist  App Throttle (Up:Down)  Mirror  DisScan  ClassifyMedia
-------  ---------                   ----------  -------------------------  -----------  ------  ---  ---  ------  ---------  ----------------------  ------  -------  -------------
any      any                         match       any                                     permit  Yes
alias    www.apple.com               match       any                                     permit
alias    google.com                  match       any                                     permit
alias    play.google.com             match       any                                     permit
alias    1e100.net                   match       any                                     permit
alias    mtalk.google.com            match       any                                     permit
alias    clients4.google.com         match       any                                     permit
alias    android.clients.google.com  match       any                                     permit
alias    googleapis.com              match       any                                     permit
alias    play.googleapis.com         match       any                                     permit

Vlan Id            :0
ACL Captive Portal :external
ACL ECP Profile    :Onboard
CALEA              :disable
Bandwidth Limit    :downstream disable upstream disable

18:64:72:c8:20:a0# show datapath dns-id-map
entry:0 id:1  play.google.com
entry:1 id:2  *.google.com                216.58.220.46  74.125.68.188
entry:2 id:3  1e100.net
entry:3 id:4  mtalk.google.com
entry:4 id:5  clients4.google.com
entry:5 id:6  android.clients.google.com
entry:6 id:7  googleapis.com              216.58.220.42
entry:7 id:8  play.googleapis.com
entry:8 id:9  *ggpht.com                  216.58.196.97
entry:9 id:10 *gvt1.com                   182.79.251.15
In the output above, the only domains for which addresses were resolved while completing the Quick Connect download from the Google store were *.google.com, googleapis.com, *ggpht.com and *gvt1.com; the remaining entries have no cached addresses, so no client queried them during the download. Now that we know which domain ACLs are actually used, the pre-auth role is optimized (Example 2) to contain only those ACLs. Example 2 also restricts the ggpht.com and gvt1.com rules to https instead of any protocol, which narrows the pre-auth opening further. Keep in mind that a wildcard such as *.google.com permits every host under google.com before authentication, so the role is only as tight as its broadest alias, and re-check the dns-id-map output after client OS or app-store updates, since the set of domains the download contacts can change over time.
Example 2:
18:64:72:c8:20:a0# show access-rule Onboard-Redirect

Access Rules
------------
Dest IP  Dest Mask       Dest Match  Protocol (id:sport:eport)  Application  Action  Log  TOS  802.1P  Blacklist  App Throttle (Up:Down)  Mirror  DisScan  ClassifyMedia
-------  ---------       ----------  -------------------------  -----------  ------  ---  ---  ------  ---------  ----------------------  ------  -------  -------------
alias    *.google.com    match       any                                     permit
alias    googleapis.com  match       any                                     permit
alias    .*ggpht.com     match       https                                   permit
alias    .*gvt1.com      match       https                                   permit

Vlan Id            :0

18:64:72:c8:20:a0# show datapath dns-id-map
entry:0 id:1 *.google.com    216.58.220.46  74.125.130.188  216.58.220.36  216.58.196.110
entry:1 id:2 googleapis.com  216.58.220.42
entry:2 id:3 *ggpht.com      216.58.196.97
entry:3 id:4 *gvt1.com       182.79.251.15
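As an added example (not part of this article and not Aruba's own code), the following Python script automates the reading of "show datapath dns-id-map" done by hand in Examples 1 and 2 above. It parses the command output, separates the domain entries that clients actually resolved from those that were never queried, and models the consequence of the mechanism described here: a destination address is only matched by a domain ACL if the IAP saw it resolved through one of the entries. The sample text is copied from Example 1; the line format "entry:<n> id:<m> <domain> [address ...]" and the one-to-one mapping between entries and domain ACLs are assumed from that output alone, and the function and variable names are the example's own.

```python
"""Find which domain ACL entries of an Aruba Instant pre-auth role were
actually resolved, from the text of 'show datapath dns-id-map'.

Added example, not HPE/Aruba code. The sample below is the article's
Example 1 output (constructed input for this script); the line format is
assumed from that output only.
"""
import ipaddress
import re

# Constructed sample input: copied from Example 1 of the article.
DNS_ID_MAP_EXAMPLE1 = """\
18:64:72:c8:20:a0# show datapath dns-id-map
entry:0 id:1  play.google.com
entry:1 id:2  *.google.com                216.58.220.46  74.125.68.188
entry:2 id:3  1e100.net
entry:3 id:4  mtalk.google.com
entry:4 id:5  clients4.google.com
entry:5 id:6  android.clients.google.com
entry:6 id:7  googleapis.com              216.58.220.42
entry:7 id:8  play.googleapis.com
entry:8 id:9  *ggpht.com                  216.58.196.97
entry:9 id:10 *gvt1.com                   182.79.251.15
"""

# Assumed line shape: entry:<n> id:<m> <domain> [address address ...]
ENTRY_RE = re.compile(r"^entry:(\d+)\s+id:(\d+)\s+(\S+)\s*(.*)$")


def parse_dns_id_map(text):
    """Parse the command output into {domain: [IPv4Address/IPv6Address, ...]}.

    Dict order follows entry order. Tokens after the domain that do not parse
    as IP addresses are ignored, so a stray field never silently counts as a
    resolved address.
    """
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # prompt line, blank line or anything unexpected
        domain = m.group(3)
        ips = []
        for tok in m.group(4).split():
            try:
                ips.append(ipaddress.ip_address(tok))
            except ValueError:
                pass
        table[domain] = ips
    return table


def split_used_unused(table):
    """Domains with cached answers were queried by clients; the rest were not.

    Returns (used, unused), both in entry order. 'unused' are the candidates
    for removal from the pre-auth role, as the article does in Example 2.
    """
    used = [d for d, ips in table.items() if ips]
    unused = [d for d, ips in table.items() if not ips]
    return used, unused


def match_domain(table, ip):
    """Return the domain entry whose cached answers contain ip, or None.

    Models the enforcement the article describes: a pre-auth domain ACL can
    only permit destinations the IAP has seen resolved through that entry.
    An address a client learned some other way (hard-coded in the app, or
    resolved outside the IAP's view) matches no entry and is not permitted.
    """
    addr = ipaddress.ip_address(ip)
    for domain, ips in table.items():
        if addr in ips:
            return domain
    return None


def report(text):
    """Plain-text summary of which entries to keep and which to review."""
    table = parse_dns_id_map(text)
    used, unused = split_used_unused(table)
    lines = ["keep (resolved during the test):"]
    lines += ["  %-28s %s" % (d, " ".join(map(str, table[d]))) for d in used]
    lines.append("review for removal (never resolved):")
    lines += ["  " + d for d in unused]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(DNS_ID_MAP_EXAMPLE1))
```

Run it against a fresh capture taken right after a test client has completed the download; entries listed under "review for removal" are the ones to drop from the role. If a destination the download needs shows up in client traffic but under no entry, the IAP never saw its DNS answer, and a domain ACL alone will not permit it.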
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.