Overview

  • Standard

  • Extended

Standard

Example - standard ACL

   net-destination src-ip
      host 10.120.0.1
      host 10.91.1.1
      host 10.0.100.12

   net-destination destn-ip
      host 16.90.51.12
      host 10.93.24.1

   net-service tcp-service tcp 100
   ip access-list extended "acl1"
      permit alias src-ip alias destn-ip alias tcp-service

Extended

An extended ACL can match on source IP, destination IP, port number and protocol in each ACE. To define an alias-based ACE for an extended ACL, use a net-destination alias for the source and for the destination, and a net-service alias for the protocol and destination port. An alias-based ACE cannot filter on source port; this is a limitation of the net-service command. Using net-service also restricts the operators that can be applied to the port number to equals and range.

Example - extended ACL

   Switch(config)# ip access-list extended aext1
   Switch(config-ext-nacl)# permit tcp host 10.100.12.1 gt 23 16.90.0.0/16 range 200 400
   Switch(config-ext-nacl)# exit

Net-service Limitations

  • An alias-based ACE cannot filter on source port; this is a limitation of the net-service command. Using net-service also restricts the operators that can be applied to the port number to equals and range.
    • The lt, gt and negation operators cannot be applied to the destination port with the options available in net-service.

  • When using user roles, see Policy Commands.
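To make the alias mechanism and the net-service limits concrete, the following added Python script (not part of the ArubaOS-Switch documentation or firmware) expands alias-based ACEs into the plain extended ACEs they stand for, so the effective rule set can be reviewed, and refuses alias definitions that fall outside the limits listed above: non-IPv4 entries, host or domain names, and any destination-port operator other than eq or range. The sample configuration is constructed from the page's example; the `network A.B.C.D/len` entry form and the `range LOW HIGH` spelling in net-service are assumptions about syntax, not taken from the page.

```python
"""Expand alias-based ACEs (net-destination / net-service) into the concrete
extended ACEs they stand for, rejecting aliases that fall outside the limits
described on this page (IPv4 literals only, no host or domain names,
destination-port operators limited to eq and range, no source port)."""
import ipaddress
import itertools
import re

# Constructed sample modelled on the page's alias-based ACE.  The `network`
# entry form and the `range LOW HIGH` net-service spelling are assumptions.
SAMPLE_CONFIG = """\
net-destination src-ip
   host 10.120.0.1
   host 10.91.1.1
   host 10.0.100.12
net-destination destn-ip
   host 16.90.51.12
   network 10.93.24.0/24
net-service tcp-service tcp 100
net-service web-range tcp range 8000 8100
ip access-list extended acl1
   permit alias src-ip alias destn-ip alias tcp-service
   deny alias src-ip alias destn-ip alias web-range
"""

ALIAS_ACE = re.compile(r"^(permit|deny)\s+alias\s+(\S+)\s+alias\s+(\S+)\s+alias\s+(\S+)$")


def _parse_destination_entry(tokens):
    """Turn `host A.B.C.D` or `network A.B.C.D/len` into an IPv4Network."""
    if len(tokens) != 2 or tokens[0] not in ("host", "network"):
        raise ValueError(f"unsupported net-destination entry: {' '.join(tokens)}")
    try:
        net = ipaddress.ip_network(tokens[1], strict=False)
    except ValueError:
        # Anything that is not an address literal (a host or domain name, say).
        raise ValueError(f"net-destination entries must be IP literals, not {tokens[1]!r}")
    if net.version != 4:
        raise ValueError(f"net-destination is limited to IPv4: {tokens[1]}")
    if tokens[0] == "host" and net.prefixlen != 32:
        raise ValueError(f"host entry must be a single address: {tokens[1]}")
    return net


def _parse_service(tokens):
    """Parse `NAME PROTO [PORT | range LOW HIGH]`; any other operator is rejected."""
    if len(tokens) < 2:
        raise ValueError("net-service needs a name and a protocol")
    name, proto, rest = tokens[0], tokens[1].lower(), tokens[2:]
    if not rest:                               # protocol-only service, no port
        return name, (proto, None, ())
    if len(rest) == 1 and rest[0].isdigit():   # a single port means 'eq'
        op, ports = "eq", (int(rest[0]),)
    elif len(rest) == 3 and rest[0] == "range" and rest[1].isdigit() and rest[2].isdigit():
        op, ports = "range", (int(rest[1]), int(rest[2]))
        if ports[0] > ports[1]:
            raise ValueError(f"net-service {name}: range low > high")
    else:                                      # lt, gt, neq, source ports, ...
        raise ValueError(f"net-service {name}: {rest[0]!r} unsupported, only eq and range")
    if any(not 0 <= p <= 65535 for p in ports):
        raise ValueError(f"net-service {name}: port out of range")
    return name, (proto, op, ports)


def _fmt(net):
    return f"host {net.network_address}" if net.prefixlen == 32 else str(net)


def expand_config(text):
    """Return {acl_name: [concrete ACE strings]} with every alias ACE expanded."""
    destinations, services, acls, current = {}, {}, {}, None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "net-destination":
            current = ("dest", tokens[1])
            destinations[tokens[1]] = []
        elif tokens[0] == "net-service":
            name, svc = _parse_service(tokens[1:])
            services[name] = svc
        elif tokens[:3] == ["ip", "access-list", "extended"]:
            current = ("acl", tokens[3].strip('"\u201c\u201d'))
            acls.setdefault(current[1], [])
        elif current and current[0] == "dest":
            destinations[current[1]].append(_parse_destination_entry(tokens))
        elif current and current[0] == "acl":
            acls[current[1]].append(" ".join(tokens))   # expanded below
        else:
            raise ValueError(f"unexpected line: {raw.strip()}")
    for name, lines in acls.items():
        expanded = []
        for line in lines:
            m = ALIAS_ACE.match(line)
            if not m:
                expanded.append(line)   # plain (non-alias) ACE: pass through unchanged
                continue
            action, src, dst, svc = m.groups()
            try:
                srcs, dsts, (proto, op, ports) = destinations[src], destinations[dst], services[svc]
            except KeyError as e:
                raise ValueError(f"ACL {name}: undefined alias {e}")
            # One concrete ACE per (source, destination) pair: this is the
            # memory cost the net-destination limitations warn about.
            for s, d in itertools.product(srcs, dsts):
                ace = f"{action} {proto} {_fmt(s)} {_fmt(d)}"
                if op:
                    ace += f" {op} " + " ".join(map(str, ports))
                expanded.append(ace)
        acls[name] = expanded
    return acls


def lint_config(text):
    """Return None if the config expands cleanly, else the first error message."""
    try:
        expand_config(text)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for acl, aces in expand_config(SAMPLE_CONFIG).items():
        print(f"ip access-list extended {acl}")
        for ace in aces:
            print(f"   {ace}")
```

Running the script prints acl1 as twelve plain ACEs (two alias ACEs, each multiplied by three sources and two destinations), which is the rule set the switch actually has to hold; `lint_config` returns the first reason an alias definition would not be accepted under the limits above, which is a convenient pre-check before pasting a generated configuration onto a switch.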

Limitations of Net-destination

  • Limited to IPv4 addresses per syntax.

  • The number of entries for a single net-destination is limited. The number of net-destinations configurable on a switch is also limited.

  • A considerable amount of memory (for global structures) will be allocated when alias-based ACEs are configured which may cause issues on a switch with low memory.

  • The Host or Domain name cannot be specified as an entry in a net-destination.

  • SNMP support to configure and delete net-destination, net-service, and the alias-based rules will not be provided.

  • The 'invert' and 'range' options have been deprecated as per the ArubaOS-Switch 7.4 CLI Reference Guide and hence are not supported. However, the effect of the 'invert' option can be achieved with a 'deny' rule.

  • When using user roles, see Policy Commands.