Overview

A net-destination is a list of hosts, networks, or subnets that is used to configure Access Control List (ACL) and classifier rules.

A net-destination alias names a list of hosts, networks, or subnets. A net-service alias names a protocol or TCP/UDP ports.

Extended ACLs and classifiers can have a source IP, a destination IP, a port number, and a protocol in an ACE. An alias-based Access Control Entry (ACE) for an extended ACL or classifier allows a net-service alias to supply the protocol and destination port.

Using net-destination and net-service aliases reduces the effort required to configure ACL and classifier rules.

There are two types of Access Control Lists (ACLs) and classifiers that are supported and configured on the switch:

  • Standard ACL

  • Extended ACL

Standard ACL

A standard ACL or classifier can have a source IP address or network in its ACE (Access Control Entry). To define an alias-based ACE for a standard ACL or classifier, use only a net-destination alias for the source.

Example - standard ACL

  netdestination src-ip
      host 10.120.0.1
      host 10.91.1.1
      host 10.0.100.12

  netdestination destn-ip
      host 16.90.51.12
      host 10.93.24.1

  netservice tcp-service tcp 100
  ip access-list standard "acl1"
  10 permit alias-src src-ip
  exit

Example - Classifier

  netdestination src-ip
      host 10.120.0.1
      host 10.91.1.1
      host 10.0.100.12
      network 10.1.1.0/24

  netdestination destn-ip
      host 16.90.51.12
      host 10.93.24.1

  netservice tcp-service tcp 100
  class ipv4 "abc"
      match alias-src "src-ip" alias-dst "destn-ip" alias-srvc "tcp-service"

Extended ACL

An extended ACL can have a source IP, a destination IP, a port number, and a protocol in its ACE. To define an alias-based ACE for an extended ACL, use net-destination aliases for the source and destination and a net-service alias for the protocol and destination port.

Example - extended ACL

Switch(config)# ip access-list extended aext1
Switch(config-ext-nacl)# 10 permit alias-src "src-ip" alias-dst "destn-ip" alias-srvc "tcp-service"
Switch(config-ext-nacl)# exit 

Net-service Limitations

An alias-based ACE does not support access control based on the source port. Using net-service restricts the operators that can be specified for the port number to equals and range.

  • Operators lt, gt, equal, negative, and range for the source port in an ACL or classifier rule cannot be specified using the options available in net-service.

  • Operators lt, gt, and negative cannot be specified for the destination port using the options available in net-service.

  • Changes made to an existing net-service affect only the ACL and classifier that use it, and they take effect only after the rule is reapplied to the ACL or classifier or the switch is rebooted.

For user roles configuration, see Policy Commands.

Net-destination Limitations

  • The syntax is limited to IPv4 addresses.

  • Changes made to an existing net-destination that is used by an ACL or classifier are applied to that ACL or classifier only when the rule is reapplied to it or when the switch is rebooted.

  • The number of entries for a single net-destination is limited. The number of net-destinations configurable on a switch is also limited.

  • A considerable amount of memory (for global structures) is allocated when alias-based ACEs are configured, which may cause issues on a switch with low memory.

  • A host name or domain name cannot be specified as an entry in a net-destination.

  • Application level gateway (ALG) is not supported, because the existing ACL and classifier infrastructure does not support ALG.

  • SNMP support for configuring and deleting net-destinations, net-services, and alias-based rules is not provided.

  • The ‘invert’ and ‘range’ options have been deprecated as per the ArubaOS-Switch 7.4 CLI Reference Guide and hence are not supported. However, the functionality of the ‘invert’ option can be achieved through a ‘deny’ rule.

  • RADIUS server-based application of an ACL or classifier to an interface or VLAN is not supported for ACLs or classifiers with alias-based rules.
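As an added example (not from this page or from ArubaOS-Switch itself), the following Python expands an alias-based ACE into the explicit entries it stands for, which is how a practitioner can audit exactly what a rule permits and re-check it after editing a net-destination or net-service, since such edits are not applied to the ACL until the rule is reapplied. Assumptions: the parser models only the syntax shown on this page (host, network, and a net-service with a single equals port), a standard ACE with no alias-dst or alias-srvc is treated as matching any destination and protocol, and alias names may be quoted or unquoted.

```python
import ipaddress
from itertools import product

# Constructed alias definitions mirroring the page's examples (not captured from a real switch).
CONFIG = """
netdestination src-ip
    host 10.120.0.1
    host 10.91.1.1
    network 10.1.1.0/24
netdestination destn-ip
    host 16.90.51.12
    host 10.93.24.1
netservice tcp-service tcp 100
"""

def parse_aliases(text):
    """Map net-destination names to networks and net-service names to (proto, dst_port)."""
    dests, services, current = {}, {}, None
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "netdestination":
            current = dests.setdefault(tok[1], [])
        elif tok[0] == "netservice":
            # Only protocol plus a single 'eq' destination port is modelled (assumption):
            # net-service offers no lt/gt/neq operators and no source-port operators.
            services[tok[1]] = (tok[2], int(tok[3]))
            current = None
        elif tok[0] in ("host", "network") and current is not None:
            current.append(ipaddress.ip_network(tok[1], strict=False))  # host -> /32
    return dests, services

def expand_ace(ace, dests, services):
    """Expand an alias-based ACE into the explicit (action, proto, src, dst, dport) entries it stands for."""
    tok = [t.strip('"') for t in ace.split()]              # names may be quoted, as on the page
    action, kv = tok[1], dict(zip(tok[2::2], tok[3::2]))  # tok[0] is the sequence number
    # Standard ACE (no alias-dst/alias-srvc): any destination, any protocol (assumed encoding).
    proto, dport = services.get(kv.get("alias-srvc"), ("ip", None))
    dst_nets = dests[kv["alias-dst"]] if "alias-dst" in kv else [ipaddress.ip_network("0.0.0.0/0")]
    return [(action, proto, src, dst, dport)
            for src, dst in product(dests[kv["alias-src"]], dst_nets)]

def ace_matches(expanded, src_ip, dst_ip, proto, dport):
    """True if a packet hits any expanded entry; note the source port plays no part at all."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst and (p == "ip" or (p == proto and dp == dport))
               for _, p, src, dst, dp in expanded)
```

Re-running `expand_ace` against the edited alias definitions shows the rule set that will be in force once the ACE is reapplied, so it can be compared with what the switch still enforces.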
