Overview
A net-destination is a named list of hosts, networks, or subnets that is used to configure Access Control List (ACL) and classifier rules.
A net-destination alias configures a list of hosts, networks, or subnets. A net-service alias configures a protocol or TCP/UDP port.
An extended ACL or classifier Access Control Entry (ACE) can match on source IP, destination IP, protocol, and port number. An alias-based ACE for an extended ACL or classifier can use a net-service alias in place of the protocol and destination port.
Using net-destination and net-service aliases reduces the effort required to configure ACL and classifier rules, because a single alias can stand in for many addresses or ports in every rule that references it.
There are two types of Access Control Lists (ACLs) and classifiers that are supported and configured on the switch:
Standard ACL
Extended ACL
Standard ACL
A standard ACL or classifier ACE can match only on a source IP host or network. To define an alias-based ACE for a standard ACL or classifier, use a net-destination alias for the source only; alias-dst and alias-srvc do not apply.
Example - standard ACL
netdestination src-ip
   host 10.120.0.1
   host 10.91.1.1
   host 10.0.100.12
netdestination destn-ip
   host 16.90.51.12
   host 10.93.24.1
netservice tcp-service tcp 100
ip access-list standard "acl1"
   10 permit alias-src src-ip
   exit
Example - Classifier
netdestination src-ip
   host 10.120.0.1
   host 10.91.1.1
   host 10.0.100.12
   network 10.1.1.0/24
netdestination destn-ip
   host 16.90.51.12
   host 10.93.24.1
netservice tcp-service tcp 100
class ipv4 "abc"
   match alias-src "src-ip" alias-dst "destn-ip" alias-srvc "tcp-service"
Extended ACL
An extended ACL ACE can match on source IP, destination IP, protocol, and port number. To define an alias-based ACE for an extended ACL, use net-destination aliases for the source and destination and a net-service alias for the protocol and destination port.
Example - extended ACL
Switch(config)# ip access-list extended aext1
Switch(config-ext-nacl)# 10 permit alias-src "src-ip" alias-dst "destn-ip" alias-srvc "tcp-service"
Switch(config-ext-nacl)# exit
Net-service Limitations
The only port operators available in a net-service are equals and range.
The source-port operators lt, gt, equal, negative, and range of an ACL or classifier rule cannot be expressed using the options available in net-service.
The destination-port operators lt, gt, and negative cannot be expressed using the options available in net-service.
Changes made to an existing net-service affect only the ACLs and classifiers that use it, and they take effect only when the rule is reapplied to the ACL or classifier or when the switch is rebooted. Until then, the ACL or classifier keeps matching on the old service definition.
For user roles configuration, see Policy Commands.
Net-destination Limitations
Net-destination entries are limited to IPv4 addresses by the syntax.
Changes made to an existing net-destination that is used by an ACL or classifier take effect in that ACL or classifier only when the rule is reapplied to it or when the switch is rebooted.
The number of entries in a single net-destination is limited, as is the number of net-destinations that can be configured on a switch.
Configuring alias-based ACEs allocates a considerable amount of memory for global structures, which may cause issues on a switch with low memory.
A host name or domain name cannot be specified as a net-destination entry; only IP addresses and networks are accepted.
Application Level Gateway (ALG) is not supported, because the existing ACL and classifier infrastructure does not support ALG.
SNMP support for configuring and deleting net-destinations, net-services, and alias-based rules is not provided.
The 'invert' and 'range' options are deprecated as per the ArubaOS-Switch 7.4 CLI Reference Guide and are therefore not supported. The effect of 'invert' can be achieved with a 'deny' rule instead.
ACLs or classifiers that contain alias-based rules cannot be applied to an interface or VLAN by a RADIUS server.
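The following Python script is an added example, not ArubaOS-Switch code or anything from the CLI Reference Guide. It renders the net-destination, net-service, and alias-based ACE lines in the form shown in the standard and extended ACL examples above, and it refuses to emit a definition that the limitation lists say the switch cannot express: a non-IPv4 address, a host or domain name, a deprecated 'invert' or 'range' net-destination entry, any destination-port operator other than equals or range, an alias-dst or alias-srvc in a standard ACL, and an ACE that references an undefined alias. The two-port rendering of a net-service range (`netservice <name> tcp <low> <high>`) is an assumption and should be confirmed against the CLI guide for your release; the sample definitions are constructed to mirror the page's examples.

```python
"""Render and sanity-check ArubaOS-Switch alias-based ACL configuration.

Added example, not ArubaOS-Switch code.  Emits net-destination, net-service
and alias-based ACE lines in the form shown on this page and rejects what
the page lists as unsupported.  The two-port range rendering for a
net-service is an assumption, not verified CLI syntax.
"""
import ipaddress


class AliasConfigError(ValueError):
    """A definition the switch cannot express, per the page's limitations."""


def netdestination_lines(name, entries):
    """entries: list of ("host", ip) or ("network", cidr); IPv4 literals only."""
    lines = [f"netdestination {name}"]
    for kind, value in entries:
        if kind not in ("host", "network"):
            raise AliasConfigError(f"{name}: entry type '{kind}' unsupported "
                                   "('invert'/'range' are deprecated; use a deny rule)")
        try:
            addr = (ipaddress.ip_network(value, strict=False) if kind == "network"
                    else ipaddress.ip_address(value))
        except ValueError:
            raise AliasConfigError(f"{name}: '{value}' is not an IP literal; host and "
                                   "domain names cannot be net-destination entries") from None
        if addr.version != 4:
            raise AliasConfigError(f"{name}: '{value}' is not IPv4; syntax is IPv4 only")
        lines.append(f"   {kind} {value}")
    return lines


def _check_port(name, port):
    if not isinstance(port, int) or not 0 <= port <= 65535:
        raise AliasConfigError(f"{name}: '{port}' is not a valid TCP/UDP port")


def netservice_lines(name, protocol, dst_port=None, dst_port_range=None):
    """Destination port as equals (dst_port) or range (dst_port_range).
    lt/gt/negative and source-port operators have no net-service form, so
    this function deliberately offers no parameter for them."""
    if protocol not in ("tcp", "udp"):
        raise AliasConfigError(f"{name}: port-based net-service needs tcp or udp")
    if (dst_port is None) == (dst_port_range is None):
        raise AliasConfigError(f"{name}: give exactly one of dst_port or dst_port_range")
    if dst_port is not None:
        _check_port(name, dst_port)
        return [f"netservice {name} {protocol} {dst_port}"]
    low, high = dst_port_range
    _check_port(name, low)
    _check_port(name, high)
    if low > high:
        raise AliasConfigError(f"{name}: range low {low} exceeds high {high}")
    return [f"netservice {name} {protocol} {low} {high}"]  # assumed range syntax


def ace_line(seq, action, alias_src, alias_dst=None, alias_srvc=None, extended=False):
    """One alias-based ACE.  Standard ACLs match on alias-src only."""
    if action not in ("permit", "deny"):
        raise AliasConfigError(f"ACE {seq}: action must be permit or deny")
    if not extended and (alias_dst or alias_srvc):
        raise AliasConfigError(f"ACE {seq}: standard ACLs accept only alias-src")
    parts = [str(seq), action, f'alias-src "{alias_src}"']
    if alias_dst:
        parts.append(f'alias-dst "{alias_dst}"')
    if alias_srvc:
        parts.append(f'alias-srvc "{alias_srvc}"')
    return "   " + " ".join(parts)


def render_acl(name, extended, aces, destinations, services):
    """Aliases first, then the ACL.  Every alias an ACE names must be defined."""
    lines = []
    for dest_name, entries in destinations.items():
        lines += netdestination_lines(dest_name, entries)
    for svc_name, (protocol, ports) in services.items():
        lines += netservice_lines(svc_name, protocol, **ports)
    lines.append(f'ip access-list {"extended" if extended else "standard"} "{name}"')
    for ace in aces:
        for key, pool in (("alias_src", destinations), ("alias_dst", destinations),
                          ("alias_srvc", services)):
            ref = ace.get(key)
            if ref is not None and ref not in pool:
                raise AliasConfigError(f"ACE {ace['seq']}: {key} '{ref}' is not defined")
        lines.append(ace_line(extended=extended, **ace))
    lines.append("   exit")
    return lines


def rejects(func, *args, **kwargs):
    """True if func raises AliasConfigError; used to exercise the checks."""
    try:
        func(*args, **kwargs)
    except AliasConfigError:
        return True
    return False


# Constructed input mirroring the page's extended-ACL example.
PAGE_DESTINATIONS = {
    "src-ip": [("host", "10.120.0.1"), ("host", "10.91.1.1"), ("host", "10.0.100.12")],
    "destn-ip": [("host", "16.90.51.12"), ("host", "10.93.24.1")],
}
PAGE_SERVICES = {"tcp-service": ("tcp", {"dst_port": 100})}
PAGE_ACES = [dict(seq=10, action="permit", alias_src="src-ip",
                  alias_dst="destn-ip", alias_srvc="tcp-service")]

if __name__ == "__main__":
    print("\n".join(render_acl("aext1", True, PAGE_ACES, PAGE_DESTINATIONS, PAGE_SERVICES)))
```

Because the switch does not pick up edits to an alias until the rule is reapplied or the switch is rebooted, regenerating the complete block (aliases and ACL together) and pushing it as a unit is the safest way to change a net-destination or net-service that live rules already reference.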