• Standard ACL

  • Extended ACL

Standard ACL

A standard ACL matches on source IP address only, so its alias-based ACE references a single net-destination alias with alias-src. The destn-ip and tcp-service aliases defined below are not used by the standard ACL itself; they are reused by the extended ACL example that follows.

Example - standard ACL

   netdestination src-ip
   netdestination destn-ip
   netservice tcp-service tcp 100
   ip access-list standard "acl1"
   10 permit alias-src "src-ip"

Extended ACL

An extended ACL ACE can match on source IP, destination IP, protocol and destination port. To define an alias-based ACE for an extended ACL, use net-destination aliases for the source and destination addresses (alias-src and alias-dst) and a net-service alias for the protocol and destination port (alias-srvc).

Example - extended ACL

Switch(config)# ip access-list extended aext1
Switch(config-ext-nacl)# 10 permit alias-src "src-ip" alias-dst "destn-ip" alias-srvc "tcp-service"
Switch(config-ext-nacl)# exit 

Net-service Limitations

  • Alias-based ACEs do not support access control based on source port; a net-service carries only the protocol and the destination port.

  • A net-service restricts the operator for the destination port to equals and range. The lt, gt and negation (neq) operators available in a regular ACE cannot be expressed with the options available in net-service.

For user roles configuration, see Policy Commands.

Net-destination Limitations

  • Only IPv4 addresses are supported by the syntax.

  • The number of entries in a single net-destination is limited, as is the number of net-destinations that can be configured on a switch.

  • A considerable amount of memory (for global structures) is allocated when alias-based ACEs are configured, which may cause problems on a switch with little free memory.

  • A host name or domain name cannot be specified as an entry in a net-destination; entries must be IPv4 addresses.

  • SNMP support for configuring and deleting net-destinations, net-services and alias-based rules is not provided.

  • The 'invert' and 'range' options have been deprecated as of the ArubaOS-Switch 7.4 CLI Reference Guide and are not supported. The effect of 'invert' (matching every address except those listed) can instead be obtained with a 'deny' ACE for the listed addresses placed ahead of the 'permit'.
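A complete alias-based configuration, added here as an example that is not from the original page, showing how the net-service and net-destination limitations above are worked around: a destination-port condition that would normally use lt is written as a net-service port range, and the effect of the deprecated invert option is obtained with a deny ACE placed ahead of a permit. The addresses, alias names and ACL name are constructed for illustration; the host and network entry keywords, the two-port form of netservice for a range, and the config-netdest prompt are assumed from Aruba netdestination/netservice syntax rather than taken from this page. Lines beginning with ! are annotations, not commands.

```text
! Net-destination aliases (IPv4 only; host/network keywords and the
! config-netdest prompt are assumed, not shown on this page)
Switch(config)# netdestination mgmt-hosts
Switch(config-netdest)# host 10.10.1.5
Switch(config-netdest)# host 10.10.1.6
Switch(config-netdest)# exit
Switch(config)# netdestination corp-net
Switch(config-netdest)# network 10.0.0.0 255.0.0.0
Switch(config-netdest)# exit

! Net-service: "tcp lt 1024" cannot be expressed (only eq and range),
! so the privileged-port condition is written as the range 1-1023
Switch(config)# netservice tcp-privileged tcp 1 1023

! Extended ACL: 'invert' is not available, so "everything except
! corp-net -> mgmt-hosts on privileged ports" is a deny ACE for that
! traffic followed by a permit for the rest
Switch(config)# ip access-list extended corp-to-mgmt
Switch(config-ext-nacl)# 10 deny alias-src "corp-net" alias-dst "mgmt-hosts" alias-srvc "tcp-privileged"
Switch(config-ext-nacl)# 20 permit ip any any
Switch(config-ext-nacl)# exit
```

Order matters: ACEs are evaluated top to bottom, so the deny that stands in for invert must carry the lower sequence number. A not-equal port condition (neq) would need two net-services covering the ports below and above the excluded port, each referenced from its own ACE, since a single net-service holds one range.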
