Netservice and Netdestination Local user role

Syntax

Netservice and netdestination are now available for local user roles. A local user role can apply class filter rules to the authenticated user to control Layer 2 and Layer 3 traffic.

netdestination <NAME-STR> {host <IP-ADDR> [position <NUM>] | network <IP-ADDR/MASK-LENGTH> [position <NUM>]}
no netdestination <NAME-STR> {host <IP-ADDR> [position <NUM>] | network <IP-ADDR/MASK-LENGTH> [position <NUM>]}
netservice <NAME-STR> {tcp|udp|<PROTOCOL>} [<PORT-NUM> | <PORT-NUM> <PORT-NUM> | list <PORT-STR>]
no netservice <NAME-STR> {tcp|udp|<PROTOCOL>} [<PORT-NUM> | <PORT-NUM> <PORT-NUM> | list <PORT-STR>]

Parameters

Host

Configures a single IPv4 host.

Network

An IPv4 subnet consisting of an IP address and subnet mask.

Position

Specifies the position of a host/network/range in the net-destination. This optional parameter is specific to a net-destination and is used only to sort the entries in the list.

TCP

Configures an alias for the TCP protocol.

UDP

Configures an alias for the UDP protocol.

Protocol 0-255

IP protocol number.

port-num 0-65535

Specify a single port, or two port numbers for a range.

port-list 0-65535

Specify a comma-separated list of up to six port numbers.

Examples

switch(net-dest)#show user-role TestInitialRole
User Role Information

   Name                              : TestInitialRole
   Type                              : local
   Reauthentication Period (seconds) : 0
   Logoff Period (seconds)           : 300
   Untagged VLAN                     :
   Tagged VLAN                       :
   Captive Portal Profile            :
   Policy                            :
   Tunnelednode Server Redirect      : Enabled
   Secondary Role Name               : secondaryrole
switch(net-dest)#show netdestination abc

Name : abc
  Position   Type           IP Address         Mask
---------- -------------- ------------------ ------------------
220        Host           10.10.10.0          -
switch(config)#show netservice

  Name       : abc
  Protocol   : tcp
  Port       : 1

Limitations

  • Alias-based class filters can be configured only for IPv4 class filters.

  • Netdestination, netservice, and alias-based class filters can be configured through the command-line interface and DUR. SNMP support for configuring and deleting netdestination, netservice, and alias-based class filters is not provided.

  • Both types of class filters can exist in a switch configuration, but not within the same class. When an alias-based class filter is configured, it is internally translated into individual single-line class filters for processing by the protocol. A single alias-based class filter therefore results in multiple single-line class filters. The total number of class filters on the switch is calculated as the sum of the translated class filters and the other single-line class filters, and this sum must not exceed the maximum permissible limit.

  • After a command for an alias-based ACE is entered, the console is available for the next command without delay. However, execution of another command to configure an ACE is prevented with a warning message. This prevents corruption of the switch configuration.

  • The sequence number for the next alias-based class filter is based on the entire set of single-line class filters.

  • If a duplicate entry is encountered while configuring an alias-based class filter, the corresponding alias-based class filter entry is not created. An RMON event is logged for such cases; no error message is sent to the user. The remaining rules are configured.

  • If all the entries formed during translation of an alias-based class filter are duplicates, an RMON event is logged for each such entry. No rule corresponding to that alias-based class filter is configured in hardware, but the running configuration still displays the alias-based class filter. When the next alias-based class filter is configured, it overwrites this class filter, which then no longer appears in the running configuration.

  • A netdestination or netservice cannot be modified while it is in use by one or more alias-based class filters or ACEs. To modify it, first remove all the alias-based class filters and ACEs that use that net-destination or net-service.

  • The maximum number of netdestinations and netservices configurable on the switch remains the same.

  • Operators such as lt, gt, eq, neq, and range for the source port in a class filter rule cannot be specified using the options available in net-service.

  • Operators such as lt, gt, and neq cannot be specified for the destination port using the options available in net-service.

  • Resequencing of alias-based class filters is not allowed.

  • A remark string for a class with alias-based class filters is not supported.

  • In a class with alias-based class filters, deletion is not possible using the sequence number alone.
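The translation and counting behaviour described under Limitations, as an added Python model that is not part of the switch software or of this documentation: it validates netdestination and netservice definitions against the parameter limits above (IPv4 only, protocol 0-255, ports 0-65535, at most six ports in a list), expands one alias-based filter into the single-line filters it stands for, skips duplicates with a logged event only, and checks the resulting sum against a capacity limit. The expansion rule (one line per destination entry and port spec), the line format, and the value of MAX_CLASS_FILTERS are assumptions for illustration; the real limit is platform-specific.

```python
from ipaddress import ip_network
MAX_PORT_LIST = 6        # "up to six ports" (from the page)
MAX_CLASS_FILTERS = 8    # placeholder capacity; the real limit is platform-specific

def netdestination(name, entries):
    """entries: 'host A.B.C.D' or 'network A.B.C.D/LEN' strings (IPv4 only)."""
    parsed = []
    for entry in entries:
        kind, _, addr = entry.partition(" ")
        net = ip_network(addr, strict=False)
        if kind not in ("host", "network") or net.version != 4:
            raise ValueError(f"{name}: {entry!r} must be an IPv4 host or network")
        if kind == "host" and net.prefixlen != 32:
            raise ValueError(f"{name}: a host entry is a single address")
        parsed.append((kind, str(net)))
    return (name, parsed)

def netservice(name, proto, ports):
    """proto: 'tcp', 'udp' or 0-255; ports: int, (lo, hi) range, or list of <= 6."""
    if proto not in ("tcp", "udp") and not (isinstance(proto, int) and 0 <= proto <= 255):
        raise ValueError(f"{name}: protocol must be tcp, udp or 0-255")
    if isinstance(ports, list) and len(ports) > MAX_PORT_LIST:
        raise ValueError(f"{name}: a port list holds at most {MAX_PORT_LIST} ports")
    flat = list(ports) if isinstance(ports, (tuple, list)) else [ports]
    if any(not 0 <= p <= 65535 for p in flat):
        raise ValueError(f"{name}: ports must be 0-65535")
    return (name, proto, ports)

def expand(dest, svc):
    """Single-line filters one alias-based filter stands for (assumed: one per entry x port spec)."""
    _, entries = dest
    _, proto, ports = svc
    if isinstance(ports, tuple):
        specs = [f"range {ports[0]} {ports[1]}"]   # a range stays one line
    else:
        specs = [f"eq {p}" for p in (ports if isinstance(ports, list) else [ports])]
    return [f"{proto} {kind} {net} {spec}" for kind, net in entries for spec in specs]

def apply_alias_filter(table, dest, svc, events):
    """Append translated lines to `table`; duplicates are skipped and logged, never errored."""
    fresh = []
    for line in expand(dest, svc):
        if line in table or line in fresh:
            events.append(f"RMON: duplicate class filter skipped: {line}")
        else:
            fresh.append(line)
    if len(table) + len(fresh) > MAX_CLASS_FILTERS:
        raise RuntimeError(f"{len(table) + len(fresh)} exceeds {MAX_CLASS_FILTERS} class filters")
    table.extend(fresh)
    return len(fresh)  # 0 means no rule reached hardware; only the events say why
```

A return value of 0 with a non-empty event list is the all-duplicates case from the Limitations: the alias filter appears configured, but nothing new was installed.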