AOS-S to AOS-CX ACE conversion

  • 1.  AOS-S to AOS-CX ACE conversion

    MVP GURU
    Posted Oct 12, 2022 09:59 AM
    Hi all, I'm planning a migration (read: copy) of some active ACLs on an AOS-S based core into a new AOS-CX based core (currently in staging) and I have a few questions.

    Provided that basically all my deployed ACLs are based on this example ACEs scheme:

    ip access-list extended "VLAN-x"
    
    1000 remark "Permit VLAN x ICMP echo-reply to any permitted destination"
    1000 permit icmp 10.255.x.0 0.0.0.255 0.0.0.0 255.255.255.255 0
    1010 remark "Permit VLAN x ICMP echo to any permitted destination"
    1010 permit icmp 10.255.x.0 0.0.0.255 0.0.0.0 255.255.255.255 8
    1020 remark "Permit VLAN x NTP to ntp"
    1020 permit udp 10.255.x.0 0.0.0.255 10.255.m.n 0.0.0.0 eq 123
    1030 remark "Permit VLAN x DNS UDP to ns"
    1030 permit udp 10.255.x.0 0.0.0.255 10.255.m.n 0.0.0.0 eq 53
    1040 remark "Permit VLAN x DNS TCP to ns"
    1040 permit tcp 10.255.x.0 0.0.0.255 10.255.m.n 0.0.0.0 eq 53
    ...
    1100 remark "Permit VLAN x IP to VLAN y host 1" 
    1100 permit ip 10.255.x.0 0.0.0.255 10.255.y.1 0.0.0.0 
    1110 remark "Permit VLAN x IP to VLAN y host 2" 
    1110 permit ip 10.255.x.0 0.0.0.255 10.255.y.2 0.0.0.0
    ...
    1200 remark "Permit VLAN x IP to VLAN z /24 Subnet" 
    1200 permit ip 10.255.x.0 0.0.0.255 10.255.z.0 0.0.0.255
    ...
    1300 remark "Deny VLAN x to 192.168/16 CIDR Private VLANs"
    1310 deny ip 10.255.x.0 0.0.0.255 192.168.0.0 0.0.255.255 log
    1320 remark "Deny VLAN x to 172.16/12 CIDR Private VLANs"
    1320 deny ip 10.255.x.0 0.0.0.255 172.16.0.0 0.15.255.255 log
    1330 remark "Deny VLAN x to 10.0.0.0/8 CIDR Private VLANs"
    1330 deny ip 10.255.x.0 0.0.0.255 10.0.0.0 0.255.255.255 log
    ...
    2000 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
    exit
    
    Applied at VLAN-x with incoming direction:
    
    ip access-group "VLAN-x" in

    I'm trying to understand how the above ACEs should be translated into corresponding ArubaOS-CX's ACEs given that I will apply the corresponding ACLs as incoming into the related VLAN:

    ACE grammar (minimal example), something like:
    
    access-list ip VLAN-x
    
    1000 comment "Permit VLAN-x IP to VLAN-y host 1"
    1000 permit any 10.255.x.0/24 10.255.y.1/32
    1100 comment "Deny VLAN-x IP to entire 10.255/16 Segment"
    1100 deny any 10.255.x.0/24 10.255.0.0/16 log
    2000 comment "Final any any any permit before the implicit any any any deny"
    2000 permit any any any
    
    (implicit deny any any any)
    
    and, at VLAN-x context level, set:
    
    apply access-list ip VLAN-x in

    Working with a VSX and Active Gateways, do I need to care about any specific items (for example, VSX syncing of the ACL between the Primary and Secondary VSX members), or should I just translate the above ACEs using the right AOS-CX grammar (IP becomes any and the segment notation becomes simplified) with no other ACEs to be considered? Here I imply that I'm in front of a like-for-like migration routing scenario, at least from the point of view of VLANs and downlinked peers.

    What about if I have a new Transit VLAN to upstream Firewalls (managing traffic with any possible external destinations) while before such a Transit VLAN was not implemented?

    Thanks for any suggestion!
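
    A worked conversion of the scheme above, added here as an example; it is not code from the original post or from HPE Aruba Networking. It substitutes constructed values for the placeholders (x=10, y=20, the NTP/DNS server at 10.255.1.1), turns `ip access-list extended` into `access-list ip`, `remark` into `comment`, protocol `ip` into `any`, and each `address wildcard` pair into CIDR (or `any`). It assumes that AOS-CX accepts the trailing `eq <port>`, `log` and numeric ICMP type tokens in the same position as AOS-S; check that against the CLI reference for your release. Wildcards whose set bits are not one contiguous run have no CIDR equivalent, and the converter refuses them instead of guessing a prefix that would silently widen or narrow the rule.

```python
"""Convert AOS-S extended ACEs (address + wildcard mask) to AOS-CX ACE syntax (CIDR)."""
import ipaddress
import re

# Constructed sample input following the thread's scheme with x=10, y=20 and
# the NTP server at 10.255.1.1 (the original post uses placeholders x, y, m.n).
AOS_S_ACL = """\
ip access-list extended "VLAN-10"
1000 remark "Permit VLAN 10 ICMP echo-reply to any permitted destination"
1000 permit icmp 10.255.10.0 0.0.0.255 0.0.0.0 255.255.255.255 0
1020 remark "Permit VLAN 10 NTP to ntp"
1020 permit udp 10.255.10.0 0.0.0.255 10.255.1.1 0.0.0.0 eq 123
1100 remark "Permit VLAN 10 IP to VLAN 20 host 1"
1100 permit ip 10.255.10.0 0.0.0.255 10.255.20.1 0.0.0.0
1300 remark "Deny VLAN 10 to 192.168/16 CIDR Private VLANs"
1310 deny ip 10.255.10.0 0.0.0.255 192.168.0.0 0.0.255.255 log
2000 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
"""

REMARK_RE = re.compile(r'^(?P<seq>\d+)\s+remark\s+(?P<text>".*")$')
ACE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<src_wc>\S+)\s+(?P<dst>\S+)\s+(?P<dst_wc>\S+)(?P<rest>.*)$"
)


def is_cidr_expressible(wildcard: str) -> bool:
    """True when the wildcard's 1-bits form a single contiguous low-order run.

    Only such wildcards are the inverse of a netmask: adding 1 to a low-order
    run of 1-bits leaves no bit in common with the original value.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    return (wc + 1) & wc == 0


def wildcard_to_cidr(addr: str, wildcard: str) -> str:
    """Translate 'address wildcard' into AOS-CX notation ('any' or a.b.c.d/n).

    A non-contiguous wildcard has no CIDR equivalent and is rejected rather
    than approximated: a guessed prefix would silently widen or narrow the ACE.
    """
    if not is_cidr_expressible(wildcard):
        raise ValueError(f"wildcard {wildcard} cannot be expressed as a prefix")
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc == 0xFFFFFFFF:
        return "any"
    netmask = str(ipaddress.IPv4Address((~wc) & 0xFFFFFFFF))
    # strict=False keeps host entries such as 10.255.20.1/32 and tolerates
    # host bits set in the source ACE instead of failing the conversion.
    return str(ipaddress.ip_network((addr, netmask), strict=False))


def convert_ace(line: str) -> str:
    """Convert one AOS-S remark or ACE line to its AOS-CX form."""
    line = line.strip()
    m = REMARK_RE.match(line)
    if m:
        return f'{m["seq"]} comment {m["text"]}'
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised ACE: {line!r}")
    proto = "any" if m["proto"] == "ip" else m["proto"]  # 'ip' becomes 'any'
    src = wildcard_to_cidr(m["src"], m["src_wc"])
    dst = wildcard_to_cidr(m["dst"], m["dst_wc"])
    # Trailing tokens ('eq 123', 'log', a numeric ICMP type) are passed through
    # unchanged; assumption: AOS-CX accepts them in the same position.
    rest = m["rest"].strip()
    ace = f'{m["seq"]} {m["action"]} {proto} {src} {dst}'
    return f"{ace} {rest}" if rest else ace


def convert_acl(text: str) -> list[str]:
    """Convert a whole AOS-S extended ACL block into AOS-CX lines."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r'^ip access-list extended "(?P<name>[^"]+)"$', line)
        if m:
            out.append(f'access-list ip {m["name"]}')
        elif line == "exit":
            out.append("exit")
        else:
            out.append(convert_ace(line))
    return out


if __name__ == "__main__":
    print("\n".join(convert_acl(AOS_S_ACL)))
```

    The converter only emits the ACL body; the `apply access-list ip VLAN-10 in` line still goes under the VLAN context by hand, as in the post. The final `2000 permit any any any` is carried over unchanged, so the ACL keeps the same behaviour in front of the implicit deny on both platforms, and a rejected wildcard is a signal to review that ACE manually rather than something to work around.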


  • 2.  RE: AOS-S to AOS-CX ACE conversion

    MVP GURU
    Posted Jan 15, 2023 06:44 PM
    No contribution? I'd love to hear any suggestion...


  • 3.  RE: AOS-S to AOS-CX ACE conversion

    EMPLOYEE
    Posted Jan 16, 2023 06:59 AM
    You can apply your ACL on the VLAN the same way that was used on AOS-S.
    The ACL can be synchronized between primary and secondary, and it is applied on the VLAN on the secondary as well.

    You may want to investigate usage of the ACL on the port or on the transit VLAN.
    It depends on security rules, type of traffic...



  • 4.  RE: AOS-S to AOS-CX ACE conversion

    MVP GURU
    Posted Jan 16, 2023 07:12 AM
    Hi Vincent! Thank you for answering!

    With regard to "You may want to investigate usage of the ACL on the port or on the transit VLAN. It depends on security rules, type of traffic..." (and especially for the Transit VLAN to Firewalls), are you suggesting that I should add an ACL to the Transit VLAN too? I'm trying to imagine what type of ACEs such an ACL would contain (the idea of the above ACL implementation is to block/permit traffic between internal VLANs and to leave any traffic to external networks permitted, because the border Firewalls will apply their policies to such traffic to/from external networks...), so there is some sort of "trust" given to the Firewall policy.

    Clearly I could jump in and - with an ACL applied to Transit VLAN - permit only to reach some known external destinations (particular well known remote private networks) and denying any other private network A/B/C block along with permitting any other public external destination knowing that - in any case - the Firewall policy should manage any outgoing/incoming request from/to Core Switch. I'm just speculating.