Net-service and Net-destination Downloadable User Role
With net-service and net-destination support for class filters, users can create class filters that use aliases. For a Downloadable User Role (DUR), all the class policies are configured in CPPM. For a net-service and net-destination DUR, the alias commands should be configured before the policy and class rules are configured in CPPM.
Several devices can reuse downloadable configurations after changing the host or network IP specified in the net-destination.
Example
To allow ftp/dhcp/dns:
netdestination "source_ip"
   network 0.0.0.0/0 position 1
   exit
netdestination "destination_ip"
   network 0.0.0.0/0 position 1
   exit
netdestination "destination_dhcp_ip"
   host 255.255.255.255
   exit
netservice "allowrad" udp 1812 1813
netservice "allowftp" tcp 21
netservice "allowdhcp" udp 67 68
netservice "allowdns" udp 53
class ipv4 "allow-service"
   12 match alias-src "any" alias-dst "destination_ip" alias-srvc allowrad
   14 match alias-src "any" alias-dst "destination_ip" alias-srvc allowftp
   16 match alias-src "any" alias-dst "destination_ip" alias-srvc allowdns
   10 match alias-src "any" alias-dst "destination_dhcp_ip" alias-srvc allowdhcp
   exit
policy user "allow-service"
   10 class ipv4 "allow-service" action permit
   exit
aaa authorization user-role name "netdestrole"
   policy "allow-service"
   vlan-id 2098
   exit
Limitations
Downloading the configuration from CPPM incurs a delay while the alias-based class filters are translated.
The name given to a user-defined net-destination or net-service cannot be used for a net-destination or net-service configured dynamically through CPPM.
The downloaded net-destination, net-service and alias-based class filters are not shown by show commands.
CPPM is the only RADIUS server that supports downloading net-destination and net-service configuration.
CPPM supports net-service and net-destination only in advanced mode. Standard mode is not supported.
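Because downloaded aliases are not shown by show commands, it helps to check a role body before it is saved in CPPM. The following is an added example, not part of the original page or of any Aruba tooling: a small Python linter that flags an alias referenced before its netdestination/netservice line and a downloaded name that collides with one already defined on the switch. It assumes the role body is plain CLI text with one command per line and that "any" is a built-in alias; lint_dur, SAMPLE_DUR and local_names are hypothetical names.

```python
import re

# Constructed sample: "allowdns" is referenced by the class before it is defined.
SAMPLE_DUR = """\
netdestination "destination_ip"
 network 0.0.0.0/0 position 1
 exit
netservice "allowftp" tcp 21
class ipv4 "allow-service"
 14 match alias-src "any" alias-dst "destination_ip" alias-srvc allowftp
 16 match alias-src "any" alias-dst "destination_ip" alias-srvc allowdns
 exit
netservice "allowdns" udp 53
"""

DEF_RE = re.compile(r'^(netdestination|netservice)\s+"?([\w-]+)"?')
REF_RE = re.compile(r'alias-(src|dst|srvc)\s+"?([\w-]+)"?')


def lint_dur(text, local_names=()):
    """Return (line_no, message) findings for a DUR body.

    local_names: net-destination / net-service names already configured
    locally on the switch (supplied by the caller; an assumption here).
    """
    defined = {"netdestination": set(), "netservice": set()}
    local = set(local_names)
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = DEF_RE.match(line)
        if m:
            kind, name = m.groups()
            if name in local:
                findings.append((no, f"{kind} '{name}' collides with a switch-defined name"))
            defined[kind].add(name)
            continue
        for field, name in REF_RE.findall(line):
            kind = "netservice" if field == "srvc" else "netdestination"
            # "any" is treated as built-in (assumption based on the example).
            if name != "any" and name not in defined[kind]:
                findings.append((no, f"alias-{field} '{name}' used before its {kind} is defined"))
    return findings


if __name__ == "__main__":
    for no, msg in lint_dur(SAMPLE_DUR, local_names={"allowftp"}):
        print(f"line {no}: {msg}")
```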