Good morning,
I need to create inter-VLAN ACLs with many VLANs/networks, and I end up with a "policy network group" containing a lot of networks on a single line… not very readable.
policy network group 192.168.1.0 mask 255.255.255.0 [...] 192.168.199.0 mask 255.255.255.0
Is it possible to declare independent subnets instead of declaring a “network group” containing the subnets?
Example:
network A: 192.168.1.0/24
network B: 192.168.2.0/24
network C: 192.168.3.0/24
network group: NG_A-B A B
network group: NG_B-C B C
Or is it possible to declare a "network group" as a member of another "network group"?
Example:
policy network group NG_A 192.168.1.0 mask 255.255.255.0
policy network group NG_B 192.168.2.0 mask 255.255.255.0
policy network group NG_C 192.168.3.0 mask 255.255.255.0
policy network group NG_A-B NG_A NG_B
policy network group NG_B-C NG_B NG_C
If yes, how? Because I tried several syntaxes without success.
THANKS!
I don’t have a solution, but I know exactly what you mean…
I have a policy that has 5 subnets in it and it's not readable at all:
policy network group "legit lan" 192.168.11.0 mask 255.255.255.0 10.10.48.0 mask 255.255.252.0 10.10.56.0 mask 255.255.252.0 192.168.2.0 mask 255.255.255.0 192.168.1.0 mask 255.255.255.0
And simply replacing the "… mask xxx.xxx.xxx.xxx" with a /CIDR would make it so much more readable and shorter:
policy network group "legit lan" 192.168.11.0/24 10.10.48.0/22 10.10.56.0/22 192.168.2.0/24 192.168.1.0/24
But alas, it’s Alcatel… they don’t listen…
Hi all, according to the CLI guide, the syntax is:
policy network group net_group ip_address [mask net_mask] [ip_address2 [mask net_mask2]…]
The description of the mask2 option reads: "Optional mask for the IPv4 or IPv6 address. If no mask is entered, the natural mask for the address will be used." So depending on your configuration needs, it could be more readable. I agree that a /CIDR option would be shorter.
And again, Alcatel being Alcatel…
I presume that "natural mask" means the default class A/B/C subnet mask.
Maybe someone from ALE is in these forums.
Well, I can confirm that (at least on a 2260/2360) this strategy doesn't work and the mask was needed. I tried the following, assuming that the "natural mask" meant the default class A/B/C subnet mask:
policy network group "legit lan" 192.168.11.0 10.10.48.0/22 10.10.56.0/22 192.168.2.0 192.168.1.0
and only the 10.10.x.x subnets that I had declared worked for me. Traffic in 192.168.11.0, 192.168.1.0 and 192.168.2.0 did not work for me until I added the mask.
Hi Cristek,
I did not try this myself, but from the description in the CLI Guide I would try:
policy network group "legit lan" 192.168.11.0 mask 255.255.255.0 10.10.48.0 10.10.56.0 192.168.2.0 192.168.1.0
Regards,
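Since the switch CLI has no /CIDR form, a small generator that writes the `ip mask net_mask` syntax quoted from the CLI guide above is the practical workaround for keeping the source of truth readable. The following is an added example, not code from the thread or from ALE documentation. It assumes the command shape `policy network group <name> <ip> mask <mask> [<ip> mask <mask> ...]` as quoted above, assumes "natural mask" means the classful A/B/C mask (the thread's own guess, not confirmed), and keeps the mask on every entry by default because of the 2260/2360 report that omitting it did not work. The function names and the "legit lan" sample list are constructed for the example.

```python
"""Generate OmniSwitch-style 'policy network group' lines from CIDR prefixes.

Added example, not from the forum thread or from ALE documentation.
Assumptions: the CLI form 'policy network group <name> <ip> mask <mask> ...'
as quoted from the CLI guide in the thread, and that 'natural mask' means the
classful A/B/C mask. Function names are invented for this example.
"""
from __future__ import annotations

import ipaddress

# Constructed sample input: the five prefixes from the 'legit lan' post.
LEGIT_LAN = [
    "192.168.11.0/24",
    "10.10.48.0/22",
    "10.10.56.0/22",
    "192.168.2.0/24",
    "192.168.1.0/24",
]


def parse_prefix(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR string, rejecting host bits (e.g. 192.168.1.5/24).

    strict=True makes ipaddress raise ValueError when host bits are set, so a
    typo in the source list cannot silently become a different network in the ACL.
    """
    return ipaddress.IPv4Network(cidr, strict=True)


def natural_mask(network: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Classful (class A/B/C) mask for the network's first octet.

    Assumption: this is what the CLI guide means by 'natural mask'.
    """
    first_octet = int(network.network_address) >> 24
    if first_octet < 128:
        return ipaddress.IPv4Address("255.0.0.0")
    if first_octet < 192:
        return ipaddress.IPv4Address("255.255.0.0")
    return ipaddress.IPv4Address("255.255.255.0")


def mask_entry(cidr: str, omit_natural: bool = False) -> str:
    """Render one '<ip> mask <mask>' entry.

    With omit_natural=True the mask is dropped when it equals the classful
    mask, relying on the guide's 'natural mask' default. Off by default
    because a poster reports that omitting it did not work on a 2260/2360.
    """
    net = parse_prefix(cidr)
    if omit_natural and net.netmask == natural_mask(net):
        return str(net.network_address)
    return f"{net.network_address} mask {net.netmask}"


def quote_name(name: str) -> str:
    """Quote group names containing spaces, as the thread does for 'legit lan'."""
    return f'"{name}"' if " " in name else name


def policy_network_group(name: str, cidrs: list[str], omit_natural: bool = False) -> str:
    """Build the full CLI line for one network group."""
    entries = " ".join(mask_entry(c, omit_natural) for c in cidrs)
    return f"policy network group {quote_name(name)} {entries}"


def entries_needing_mask(cidrs: list[str]) -> list[str]:
    """Prefixes whose length differs from the classful mask.

    For these the mask is mandatory in any case: a bare 10.10.48.0 would be
    read as 10.0.0.0/8 under the classful default, widening the ACL match.
    """
    return [c for c in cidrs if parse_prefix(c).netmask != natural_mask(parse_prefix(c))]


if __name__ == "__main__":
    print(policy_network_group("legit lan", LEGIT_LAN))
    print(policy_network_group("legit lan", LEGIT_LAN, omit_natural=True))
    print("mask mandatory for:", entries_needing_mask(LEGIT_LAN))
```

Keep the CIDR list in version control and paste the generated line into the switch; `entries_needing_mask` shows which prefixes would change meaning if the mask were ever left off, which is the security-relevant failure mode here (a too-wide match, not a syntax error).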