So if your netmasks don't work, please open a TAC case. But please verify on a hardware model switch, as the VM is more for lab purposes and does not support every feature compared to the hardware switches.
Original Message:
Sent: Dec 14, 2023 08:59 AM
From: Herman Robers
Subject: Discontiguous access-list masks
I'm not 100% sure if it is considered to be supported. Given that the configuration is accepted and the documentation is not fully clear, you may ask Aruba Support for full confirmation. If it is not supported, I would expect the command to be rejected.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Dec 14, 2023 08:07 AM
From: mvanoverbeek
Subject: Discontiguous access-list masks
Hi Herman,
I have to disagree with you on this one; a discontiguous access-list is something that we often use, maybe not my example but just in general. The command itself is accepted in the virtual AOS-CX; it just denies all traffic instead of denying everything except .0, .1, .4, and .5 in my example.
Can I conclude that wildcard masks/discontiguous access-lists are not supported?
Original Message:
Sent: Dec 14, 2023 04:36 AM
From: Herman Robers
Subject: Discontiguous access-list masks
This is a bit of a corner case, and it makes your policy quite hard to read (for humans). Also, many network engineers already struggle with 'normal' netmasks, and with these more complex binary operations it may be even harder to understand and find an issue; they may even think it's a typo in the configuration and correct it.
But you can do things very efficiently in some cases. Not sure what 'do not seem to get this to work' means, but I tested on a 6300 physical switch, and there the command is accepted. It's a bit hard to test if it also works, but if the command is not accepted on the switch emulator, it may be version/VM related.
CP1-6300F-03-DynSeg(config-acl-ip)# permit ip 10.1.1.0/255.255.250.0 any
CP1-6300F-03-DynSeg(config-acl-ip)# show running-config | inc 250
    10 permit any 10.1.1.0/255.255.250.0 any
CP1-6300F-03-DynSeg(config-acl-ip)# permit ip 10.1.1.0/255.255.250.254 any
CP1-6300F-03-DynSeg(config-acl-ip)# show running-config | inc 250
    10 permit any 10.1.1.0/255.255.250.0 any
    20 permit any 10.1.1.0/255.255.250.254 any
CP1-6300F-03-DynSeg(config-acl-ip)# permit ip 10.1.1.0/255.255.250.254 172.16.0.0/255.240.5.23
CP1-6300F-03-DynSeg(config-acl-ip)# show running-config | inc 250
    10 permit any 10.1.1.0/255.255.250.0 any
    20 permit any 10.1.1.0/255.255.250.254 any
    30 permit any 10.1.1.0/255.255.250.254 172.16.0.0/255.240.5.23
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Dec 13, 2023 03:10 PM
From: mvanoverbeek
Subject: Discontiguous access-list masks
I am seeing some conflicting messages, therefore another message. I wanted to see if I can apply an access-list filter that filters on just a few IP addresses.
I created a filter on another platform to filter the IP addresses in the 10.1.1.0/24 subnet; the following hosts should be permitted:
10.1.1.0
10.1.1.1
10.1.1.4
10.1.1.5
The rule: permit icmp any 10.1.1.0 0.0.0.5
will allow this traffic.
If I apply the reverse logic on the Aruba CX platform I do not seem to get this to work; I am using the VM version.
permit icmp any 10.1.1.0/255.255.255.250
Am I doing something wrong or is this feature not supported?