Net-service and Net-destination Local user role

Syntax

Net-service and net-destination are now available for the local user role. A local user role can apply class filter rules to an authenticated user's traffic to control L2 and L3 traffic.

netdestination <NAME-STR> {host <IP-ADDR> [position <NUM>] |
                           network <IP-ADDR/MASK-LENGTH> [position <NUM>]}
no netdestination <NAME-STR> {host <IP-ADDR> [position <NUM>] |
                              network <IP-ADDR/MASK-LENGTH> [position <NUM>]}
netservice <NAME-STR> {tcp|udp|<PROTOCOL>} [<PORT-NUM> | <PORT-NUM> <PORT-NUM> | list <PORT-STR>]
no netservice <NAME-STR> {tcp|udp|<PROTOCOL>} [<PORT-NUM> | <PORT-NUM> <PORT-NUM> | list <PORT-STR>]

Parameters

Host

Configures a single IPv4 host.

Network

An IPv4 subnet consisting of an IP address and subnet mask.

Position

Specifies the position of a host/network/range within the net-destination. This optional parameter is specific to a net-destination and is used only to sort the entries in the list.

TCP

Configure an alias for a TCP protocol.

UDP

Configure an alias for a UDP protocol.

Protocol (0-255)

IP protocol number.

port-num (0-65535)

Specifies a single port, or two port numbers to define a range.

port-list (0-65535)

Specifies a list of up to six port numbers separated by commas.

Examples

switch(net-dest)#show user-role TestInitialRole
User Role Information

   Name                              : TestInitialRole
   Type                              : local
   Reauthentication Period (seconds) : 0
   Logoff Period (seconds)           : 300
   Untagged VLAN                     :
   Tagged VLAN                       :
   Captive Portal Profile            :
   Policy                            :
   Tunnelednode Server Redirect      : Enabled
   Secondary Role Name               : secondaryrole
switch(net-dest)#show netdestination abc

Name : abc
  Position   Type           IP Address         Mask
---------- -------------- ------------------ ------------------
220        Host           10.10.10.0          -
switch(config)#show netservice

  Name       : abc
  Protocol   : tcp
  Port       : 1

Limitations

  • Alias-based class filters can be configured only for IPv4 class filters.

  • The configuration of net-destination, net-service, and alias-based class filters is supported through the command-line interface and DUR. SNMP support for configuring and deleting net-destination, net-service, and alias-based class filters is not provided.

  • Both types of class filters can exist in a switch configuration, but not within the same class. When an alias-based class filter is configured, it is internally translated into individual single-line class filters for processing by the protocol, so a single alias-based class filter results in multiple single-line class filters. The total number of class filters in a switch is the sum of the translated class filters and the other single-line class filters, and this sum must not exceed the maximum permissible limit.

  • After the command for an alias-based ACE is entered, the console is available for the next command without any delay. However, the execution of another command that configures an ACE is prevented with a warning message. This prevents corruption of the switch configuration.

  • The sequence number for the next alias-based class filter is based on the entire set of single-line class filters.

  • If a duplicate entry is encountered while an alias-based class filter is being configured, that alias-based class filter is not created. An RMON event is logged for each such occurrence; no error message is sent to the user. The remaining rules are still configured.

  • If all the entries formed during translation of an alias-based class filter are duplicates, an RMON event is logged for each of them. No rule corresponding to that alias-based class filter is configured in hardware, but the running-configuration still displays it. When the next alias-based class filter is configured, it overwrites this class filter, which will then no longer be visible in the running-configuration.

  • A net-destination or net-service cannot be modified while it is in use by one or more alias-based class filters or ACEs. To modify it, first remove all the alias-based class filters and ACEs that use that net-destination or net-service.

  • The limit on the maximum number of net-destinations and net-services configurable on the switch remains unchanged.

  • The operators lt, gt, eq, neq, and range for the source port in a class filter rule cannot be specified using the options available in net-service.

  • The operators lt, gt, and neq cannot be specified for the destination port using the options available in net-service.

  • Resequencing of alias-based class filters is not allowed.

  • A remark string for a class containing alias-based class filters is not supported.

  • In a class with alias-based class filters, deletion is not possible using the sequence number alone.
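The syntax above and the limitation about alias-based class filters being translated into single-line class filters, as an added worked model. This is example Python written for this page, not switch code and not part of the guide: it parses the netdestination and netservice commands, enforces the documented parameter ranges (protocol 0-255, ports 0-65535, at most six ports in a list), expands a netdestination/netservice pair into the single-line filters it stands for, skips lines that duplicate existing filters (the page says such duplicates are logged via RMON and not reported to the user), and checks the resulting sum against a filter limit. The one-line-per-entry-and-port expansion, the limit value, and the sample aliases are assumptions of the example.

```python
import ipaddress
import re

MAX_LIST_PORTS = 6  # netservice "list <PORT-STR>" accepts up to six comma-separated ports


def _port(value: str) -> int:
    """Parse one port number and enforce the 0-65535 range."""
    port = int(value)
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} outside 0-65535")
    return port


def parse_netservice(line: str) -> dict:
    """Parse 'netservice <NAME> {tcp|udp|<PROTOCOL>} [<PORT> | <PORT> <PORT> | list <PORTS>]'."""
    m = re.fullmatch(r"netservice\s+(\S+)\s+(tcp|udp|\d+)(?:\s+(.+))?", line.strip())
    if not m:
        raise ValueError(f"unrecognised netservice syntax: {line!r}")
    name, proto, rest = m.group(1), m.group(2), (m.group(3) or "").strip()
    if proto.isdigit() and not 0 <= int(proto) <= 255:
        raise ValueError(f"IP protocol {proto} outside 0-255")
    ports = []
    if rest.startswith("list "):
        ports = [_port(p) for p in rest[5:].split(",")]
        if len(ports) > MAX_LIST_PORTS:
            raise ValueError(f"{len(ports)} ports listed, maximum is {MAX_LIST_PORTS}")
    elif rest:
        parts = rest.split()
        if len(parts) == 1:                       # a single port
            ports = [_port(parts[0])]
        elif len(parts) == 2:                     # two port numbers define a range
            lo, hi = _port(parts[0]), _port(parts[1])
            if lo > hi:
                raise ValueError("range start exceeds range end")
            ports = list(range(lo, hi + 1))
        else:
            raise ValueError(f"unexpected port specification: {rest!r}")
    return {"name": name, "protocol": proto, "ports": ports}


def parse_netdestination(lines) -> dict:
    """Parse the 'netdestination <NAME> {host <IP> | network <IP/LEN>} [position <N>]'
    lines that together define one alias; entries are ordered by position."""
    pattern = re.compile(r"netdestination\s+(\S+)\s+(host|network)\s+(\S+)(?:\s+position\s+(\d+))?")
    name, entries = None, []
    for line in lines:
        m = pattern.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unrecognised netdestination syntax: {line!r}")
        if name not in (None, m.group(1)):
            raise ValueError("lines define different netdestination names")
        name, kind, addr, pos = m.groups()
        if kind == "host":
            ipaddress.IPv4Address(addr)                 # raises on anything but an IPv4 host
        else:
            if "/" not in addr:
                raise ValueError("network entries need <IP-ADDR/MASK-LENGTH>")
            ipaddress.IPv4Network(addr, strict=False)   # raises on a malformed IPv4 subnet
        entries.append({"position": int(pos) if pos else None, "type": kind, "address": addr})
    # position only orders the list; entries without one keep input order, after positioned ones
    entries.sort(key=lambda e: (e["position"] is None, e["position"] or 0))
    return {"name": name, "entries": entries}


def translate(dest: dict, svc: dict, existing=frozenset()):
    """Expand an alias-based filter into the single-line filters it stands for.
    Assumption (the page only says it is 'translated to individual lines'): one line per
    destination entry and port. Lines that duplicate `existing` single-line filters are
    skipped and counted, mirroring the silent RMON-logged drop described on the page."""
    ports = svc["ports"] or [None]                # protocol-only service: one line per entry
    created, duplicates = [], 0
    seen = set(existing)
    for entry in dest["entries"]:
        for port in ports:
            line = (entry["type"], entry["address"], svc["protocol"], port)
            if line in seen:
                duplicates += 1                   # would be logged via RMON, not shown to the user
                continue
            seen.add(line)
            created.append(line)
    return created, duplicates


def within_limit(existing_count: int, created: list, limit: int) -> bool:
    """Translated lines plus the other single-line filters must not exceed the switch limit."""
    return existing_count + len(created) <= limit


if __name__ == "__main__":
    # Constructed sample aliases; the names and addresses are not from the guide.
    dest = parse_netdestination([
        "netdestination web-servers host 10.10.10.5 position 20",
        "netdestination web-servers network 10.10.20.0/24 position 10",
    ])
    svc = parse_netservice("netservice web-ports tcp list 80,443,8443")
    lines, dup = translate(dest, svc)
    print(f"{len(lines)} single-line filters created, {dup} duplicates skipped")
    print("fits an assumed limit of 9 with 3 existing filters:", within_limit(3, lines, 9))
```

The count returned by translate is what matters when planning a class: two destination entries and three ports already cost six of the switch's single-line filter budget, and a duplicate never shows up as an error, only as a smaller count.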