Overview

Net-service names are used as aliases when defining ACL and classifier rules. A net-service alias configures a list of hosts, networks, or subnets.

Extended ACLs and classifiers can carry the source IP, the destination IP, the port number and the protocol in an ACE. An alias-based ACE for an extended ACL or classifier therefore allows a net-service alias to be used for the protocol and destination port.

The use of net-destination and net-service reduces the effort required to configure ACL and classifier rules.

Net-destination is a list of hosts, networks, or subnets that are used to configure ACL and classifier rules.

There are two types of ACLs and classifiers that are supported and configured on the switch:

  • Standard

  • Extended

Standard

A standard ACL or classifier can have a source IP or network in the ACE. To define an alias-based ACE for a standard ACL or classifier, use only a net-destination alias for the source.

Example - standard ACL

net-destination src-ip
   host 10.120.0.1
   host 10.91.1.1
   host 10.0.100.12

net-destination destn-ip
   host 16.90.51.12
   host 10.93.24.1

net-service tcp-service tcp 100
ip access-list extended "acl1"
   permit alias src-ip alias destn-ip
      alias tcp-service

Example - standard classifier

net-destination src-ip
   host 10.120.0.1
   host 10.91.1.1
   host 10.0.100.12

net-destination destn-ip
   host 16.90.51.12
   host 10.93.24.1

net-service tcp-service tcp 100
class ipv4 "abc"
   match alias "src-ip" alias "destn-ip"
      alias "tcp-service"

Extended

An extended ACL can carry the source IP, the destination IP, the port number and the protocol in an ACE. To define an alias-based ACE for an extended ACL, use a net-destination alias for the source and destination and a net-service alias for the protocol and destination port. Alias-based ACEs do not support access control based on the source port, which is a limitation of the net-service command. The use of net-service also restricts the operators that can be specified for the port number to equals and range.

Example - extended ACL

Switch(config)# ip access-list extended aext1
Switch(config-ext-nacl)# permit tcp host 10.100.12.1 gt 23 16.90.0.0 /16 range 200 400
Switch(config-ext-nacl)# exit
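As an added example (not the switch's own code), the following Python models how the alias-based ACEs above resolve: it parses the net-destination, net-service and alias ACE syntax shown on this page and expands each alias ACE into the explicit source, destination and destination-port ACEs it stands for, rejecting port operators that net-service cannot express. The `range <lo> <hi>` spelling of a net-service port range and the wording of the expanded ACEs are assumptions.

```python
import itertools

# Constructed config fragment in the style of the page's standard ACL example.
SAMPLE = """
net-destination src-ip
   host 10.120.0.1
   host 10.91.1.1
net-destination destn-ip
   host 16.90.51.12
net-service tcp-service tcp 100
ip access-list extended "acl1"
   permit alias src-ip alias destn-ip alias tcp-service
"""

def parse_config(text):
    """Return (net_destinations, net_services, acls) parsed from a fragment."""
    dests, services, acls = {}, {}, {}
    hosts = aces = None  # list that the following indented lines belong to
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "net-destination":
            hosts, aces = dests.setdefault(tok[1], []), None
        elif tok[0] == "net-service":  # <name> <proto> <port> | <name> <proto> range <lo> <hi> (range form assumed)
            spec = tok[3:]
            if spec[0] == "range" and len(spec) == 3:
                ports = ("range", spec[1], spec[2])
            elif len(spec) == 1 and spec[0].isdigit():
                ports = ("eq", spec[0])
            else:  # lt, gt, negative and source ports cannot be expressed by net-service
                raise ValueError(f"net-service {tok[1]}: unsupported port spec {spec}")
            services[tok[1]] = (tok[2], ports)
        elif tok[:2] == ["ip", "access-list"]:
            aces, hosts = acls.setdefault(tok[-1].strip('"'), []), None
        elif tok[0] == "host" and hosts is not None:
            hosts.append(tok[1])
        elif tok[0] in ("permit", "deny") and aces is not None:
            names = [tok[i + 1] for i, t in enumerate(tok) if t == "alias"]
            aces.append((tok[0], *names))  # (action, src alias, dst alias, service alias)
    return dests, services, acls

def expand_acl(name, dests, services, acls):
    """Explicit ACEs an alias-based ACL stands for, one per source/destination pair."""
    out = []
    for action, src, dst, svc in acls[name]:
        proto, ports = services[svc]
        for s, d in itertools.product(dests[src], dests[dst]):
            out.append(f"{action} {proto} host {s} host {d} {' '.join(ports)}")
    return out
```

Running `expand_acl("acl1", *parse_config(SAMPLE))` lists the two explicit permit entries that the single alias ACE covers; a net-service written with `gt` or `lt` is rejected at parse time, matching the operator limitation described above.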

Net-service Limitations

  • Alias-based ACEs do not support access control based on the source port, which is a limitation of the net-service command. The use of net-service also restricts the operators that can be specified for the port number to equals and range.
    • The source-port operators lt, gt, equal, negative, and range cannot be specified using the options available in net-service.

    • The destination-port operators lt, gt, and negative cannot be specified using the options available in net-service.

    • Changes to an existing net-service affect only the ACL or classifier that uses it, and they take effect only when the rule is reapplied to the ACL or classifier or the switch is rebooted.

  • When using user roles, see Policy Commands.

Limitations of Net-destination

  • Entries are limited to IPv4 addresses by the command syntax.

  • Changes made to an existing net-destination that is used by an ACL or classifier are applied to the ACL or classifier only when the rule is reapplied to it or when the switch is rebooted.

  • The number of entries for a single net-destination is limited. The number of net-destinations configurable on a switch is also limited.

  • A considerable amount of memory (for global structures) is allocated when alias-based ACEs are configured, which may cause issues on a switch with low memory.

  • A host or domain name cannot be specified as an entry in a net-destination.

  • Application level gateway (ALG) is not supported, because the existing ACL and classifier infrastructure does not support ALG.

  • SNMP support for configuring and deleting net-destination, net-service, and alias-based rules is not provided.

  • The 'invert' and 'range' options have been deprecated as per the ArubaOS-Switch 7.4 CLI Reference Guide and are therefore not supported. However, the functionality of the 'invert' option can be achieved with a 'deny' rule.

  • RADIUS server-based application of an ACL or classifier to an interface or VLAN is not supported for ACLs or classifiers with alias-based rules.

  • When using user roles, see Policy Commands.