Hi all, I'm planning a migration (read: copy) of some active ACLs on an AOS-S based core into a new AOS-CX based core (currently in staging) and I have a few questions.
Provided that basically all my deployed ACLs are based on this example ACE scheme:
ip access-list extended "VLAN-x"
1000 remark "Permit VLAN x ICMP echo-reply to any permitted destination"
1000 permit icmp 10.255.x.0 0.0.0.255 0.0.0.0 255.255.255.255 0
1010 remark "Permit VLAN x ICMP echo to any permitted destination"
1010 permit icmp 10.255.x.0 0.0.0.255 0.0.0.0 255.255.255.255 8
1020 remark "Permit VLAN x NTP to ntp"
1020 permit udp 10.255.x.0 0.0.0.255 10.255.m.n 0.0.0.0 eq 123
1030 remark "Permit VLAN x DNS UDP to ns"
1030 permit udp 10.255.x.0 0.0.0.255 10.255.m.n 0.0.0.0 eq 53
1040 remark "Permit VLAN x DNS TCP to ns"
1040 permit tcp 10.255.x.0 0.0.0.255 10.255.m.n 0.0.0.0 eq 53
...
1100 remark "Permit VLAN x IP to VLAN y host 1"
1100 permit ip 10.255.x.0 0.0.0.255 10.255.y.1 0.0.0.0
1110 remark "Permit VLAN x IP to VLAN y host 2"
1110 permit ip 10.255.x.0 0.0.0.255 10.255.y.2 0.0.0.0
...
1200 remark "Permit VLAN x IP to VLAN z /24 Subnet"
1200 permit ip 10.255.x.0 0.0.0.255 10.255.z.0 0.0.0.255
...
1300 remark "Deny VLAN x to 192.168/16 CIDR Private VLANs"
1310 deny ip 10.255.x.0 0.0.0.255 192.168.0.0 0.0.255.255 log
1320 remark "Deny VLAN x to 172.16/12 CIDR Private VLANs"
1320 deny ip 10.255.x.0 0.0.0.255 172.16.0.0 0.15.255.255 log
1330 remark "Deny VLAN x to 10.0.0.0/8 CIDR Private VLANs"
1330 deny ip 10.255.x.0 0.0.0.255 10.0.0.0 0.255.255.255 log
...
2000 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
Applied at VLAN-x with incoming direction:
ip access-group "VLAN-x" in
I'm trying to understand how the above ACEs should be translated into corresponding ArubaOS-CX's ACEs given that I will apply the corresponding ACLs as incoming into the related VLAN:
ACE grammar (minimal example), something like:
access-list ip VLAN-x
1000 comment "Permit VLAN-x IP to VLAN-y host 1"
1000 permit any 10.255.x.0/24 10.255.y.1/32
1100 comment "Deny VLAN-x IP to entire 10.255/16 Segment"
1100 deny any 10.255.x.0/24 10.255.0.0/16 log
2000 comment "Final any any any permit before the implicit any any any deny"
2000 permit any any any
(implicit deny any any any)
and, at VLAN-x context level, set:
apply access-list ip VLAN-x in
Working with VSX and Active Gateways, do I need to care about any specific items (for example, VSX syncing of ACLs between the primary and secondary VSX members), or should I just translate the above ACEs using the right AOS-CX grammar (IP becomes any and the segment notation becomes simplified) with no other ACEs to consider? Here I assume that I'm facing a like-for-like migration routing scenario, at least from the point of view of VLANs and downlinked peers.
What about if I have a new Transit VLAN to upstream firewalls (managing traffic with any possible external destinations) while previously such a Transit VLAN was not implemented?
Thanks for any suggestion!
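Added example (not from the post above and not Aruba's own tooling): a small Python translator for the parts of the AOS-S ACE grammar shown in the post (remark becomes comment, ip becomes any, wildcard masks become prefixes, the all-ones mask becomes any). It refuses a wildcard mask that has no CIDR equivalent instead of silently widening or narrowing the policy, and lists the trailing tokens it copies unchanged (port matches, ICMP types, log) so they can be checked by hand against the AOS-CX CLI reference; the sample ACL with VLAN 20/40 addresses is constructed.

```python
import ipaddress
import re

def has_cidr_equivalent(wildcard):
    """True if the AOS-S wildcard's set bits are contiguous from the low end."""
    wc = int(ipaddress.IPv4Address(wildcard))
    return (wc + 1) & wc == 0          # wc + 1 is a power of two (or wc == 0)

def wildcard_to_prefix(addr, wildcard):
    """AOS-S 'address wildcard' -> AOS-CX prefix; the all-ones mask becomes 'any'."""
    if wildcard == "255.255.255.255":
        return "any"
    # A discontiguous wildcard (e.g. 0.255.0.255) cannot be written as a prefix: refuse.
    if not has_cidr_equivalent(wildcard):
        raise ValueError(f"wildcard {wildcard} has no CIDR equivalent")
    prefix_len = 33 - (int(ipaddress.IPv4Address(wildcard)) + 1).bit_length()
    return str(ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False))

def translate_line(line):
    """One AOS-S ACL line -> (AOS-CX line, review note or None)."""
    if line == "exit":
        return line, None
    m = re.match(r'^ip access-list extended "(.+)"$', line)
    if m:
        return f"access-list ip {m.group(1)}", None
    m = re.match(r'^(\d+)\s+remark\s+"(.*)"$', line)
    if m:                                   # 'remark' is 'comment' on AOS-CX
        return f'{m.group(1)} comment "{m.group(2)}"', None
    seq, action, proto, src, swc, dst, dwc, *rest = line.split()
    proto = "any" if proto == "ip" else proto      # AOS-S 'ip' is 'any' on AOS-CX
    cx = [seq, action, proto, wildcard_to_prefix(src, swc), wildcard_to_prefix(dst, dwc), *rest]
    # Port matches, ICMP types and 'log' are copied verbatim: confirm them by hand.
    note = f"seq {seq}: verify trailing '{' '.join(rest)}' on AOS-CX" if rest else None
    return " ".join(cx), note

def translate_acl(aos_s_config):
    """Whole AOS-S extended ACL block -> (AOS-CX lines, review notes)."""
    pairs = [translate_line(l.strip()) for l in aos_s_config.splitlines() if l.strip()]
    return [cx for cx, _ in pairs], [n for _, n in pairs if n]

# Constructed sample (VLAN 20 -> VLAN 40 host, RFC1918 deny, final permit), not a real deployment.
SAMPLE = '''ip access-list extended "VLAN-20"
1000 remark "Permit VLAN 20 ICMP echo-reply to any permitted destination"
1000 permit icmp 10.255.20.0 0.0.0.255 0.0.0.0 255.255.255.255 0
1100 permit ip 10.255.20.0 0.0.0.255 10.255.40.1 0.0.0.0
1320 deny ip 10.255.20.0 0.0.0.255 172.16.0.0 0.15.255.255 log
2000 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit'''
```

Run translate_acl(SAMPLE) and diff the returned lines against the staged AOS-CX config; the review notes are the entries whose trailing syntax still needs a manual check.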