Here is a video (a little aged but still accurate) from the Airheads Channel: AOS User Roles
But the config would likely look something like the below:
class ipv4 "ALL"
1 match tcp any any
exit
class ipv4 "InternalDHCP"
1 match udp any any eq 67
exit
class ipv4 "InternalDNS"
1 match tcp any host 10.211.102.100 eq 53
2 match udp any host 10.211.102.100 eq 53
3 match tcp any host 10.125.105.100 eq 53
4 match udp any host 10.125.105.100 eq 53
exit
class ipv4 "InternalLAN"
1 match ip any 10.0.0.0/8
exit
policy user "Guest-Device-EW"
1 class ipv4 "InternalDNS" action permit
2 class ipv4 "InternalDHCP" action permit
3 class ipv4 "InternalLAN" action deny
10 class ipv4 "ALL" action permit
exit
aaa authorization user-role name "Guest-Device" policy "Guest-Device-EW"
exit
------------------------------
Zak Chalupka
Principal Engineer - HPE Aruba
ACDX | ACMP | ACSP | ACCP
wifizak@hpe.com
------------------------------
Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
------------------------------
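As an added illustration (not code from the reply, from HPE Aruba, or from the switch itself), the Python below parses a constructed excerpt of the class/policy configuration shown in the reply and evaluates sample flows against it, assuming the policy is walked top-down and the first class with a matching entry decides; a flow that matches no class returns None rather than assuming a platform default. The flows, the guest client address and the public destination address are constructed for the demonstration.

```python
import ipaddress
# Constructed excerpt of the reply's class/policy config (InternalDHCP omitted for brevity).
CONFIG = """class ipv4 "ALL"
1 match tcp any any
exit
class ipv4 "InternalDNS"
1 match tcp any host 10.211.102.100 eq 53
2 match udp any host 10.211.102.100 eq 53
exit
class ipv4 "InternalLAN"
1 match ip any 10.0.0.0/8
exit
policy user "Guest-Device-EW"
1 class ipv4 "InternalDNS" action permit
3 class ipv4 "InternalLAN" action deny
10 class ipv4 "ALL" action permit
exit
"""

def _addr(rest):  # consume one address operand: any | host A.B.C.D | A.B.C.D/len
    if rest[0] == "any":
        return None, rest[1:]
    if rest[0] == "host":
        return ipaddress.ip_network(rest[1]), rest[2:]
    return ipaddress.ip_network(rest[0], strict=False), rest[1:]

def parse(text):
    """Return ({class: [(proto, src, dst, dport)]}, {policy: [(class, action)]})."""
    classes, policies, cur = {}, {}, None
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        if tok[0] in ("class", "policy"):
            cur = (classes if tok[0] == "class" else policies).setdefault(tok[2].strip('"'), [])
        elif tok[0] == "exit":
            cur = None
        elif tok[1] == "match":   # <seq> match <proto> <src> <dst> [eq <port>]
            src, rest = _addr(tok[3:])
            dst, rest = _addr(rest)
            cur.append((tok[2], src, dst, int(rest[1]) if rest[:1] == ["eq"] else None))
        else:                     # <seq> class ipv4 "<name>" action <permit|deny>
            cur.append((tok[3].strip('"'), tok[5]))
    return classes, policies

def evaluate(cfg, policy, proto, src, dst, dport=None):
    classes, policies = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for cname, action in policies[policy]:   # top-down: first class with a matching entry decides
        for p, s, d, port in classes[cname]:
            if p in ("ip", proto) and (s is None or src in s) and (d is None or dst in d) and (port is None or port == dport):
                return action
    return None   # no class matched; what the switch does with such traffic is platform behaviour to verify
```

Walking a constructed guest flow such as UDP to a public address through this model returns None, because class "ALL" only carries a tcp entry; that is a useful check to run before deploying a role, since whether such traffic is permitted or dropped depends on the switch's unmatched-traffic behaviour.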
Original Message:
Sent: Mar 21, 2024 04:43 AM
From: Marky_Mark
Subject: class ipv4
Hi
I have basic roles on our 5400R switches sent from clearpass with a simple policy such as:
policy user "PERMIT-ALL" 10 class ipv4 "IP-ANY-ANY" action permit
I would like to see if I can expand that to create a network isolation type policy, let certain ip addresses through and block the rest. I am unsure on how to program this.
Is there a guide or example I can follow - I haven't seen much information on it over the web so far.
Thanks