alias

Configures the following types of aliases: network, VLAN, host, string, network-service, etc. Aliases are objects having a unique name and content that is determined by the alias type (for example, network, VLAN, network-service, etc.).

A typical, large enterprise network, consists of multiple sites (RF Domains) having similar configuration parameters with few elements that vary, such as networks or network ranges, hosts having different IP addresses, and VLAN IDs or URLs. These elements can be defined as aliases (object oriented wireless firewalls) and used across sites by applying overrides to the object definition. Using aliases results in a configuration that is easier to understand and maintain.

Multiple instances of an alias (same type and same name) can be defined at any of the following levels: global, RF Domain, profile, or device. An alias defined globally functions as a top-level-object (TLO). Global aliases are not mandatory, and can be defined at the domain-level, or profile, or device-level only. An alias defined on a device is applicable to that device only. An alias defined on a profile applies to every device using the profile. Similarly, aliases defined at the RF Domain level apply to all devices within that domain.

Aliases defined at any given level can be overridden at any of the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

The different aliases types supported are:

address-range alias – Maps a user-friendly name to a range of IP addresses. An address-range alias can be utilized at different deployments. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location‘s network range is 172.16.13.20 through 172.16.13.110, the remote location‘s ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range. A new ACL need not be created specifically for the remote deployment location.
host alias – Maps a user-friendly name to a specific host (identified by its IP address. For example, 192.168.10.23). A host alias can be utilized at different deployments. For example, if a central network DNS server is set a static IP address, and a remote location‘s local DNS server is defined, this host can be overridden at the remote location. At the remote location, the network is functional with a local DNS server, but uses the name set at the central network. A new host need not be created at the remote location. This simplifies creating and managing hosts and allows an administrator to better manage specific local requirements.
network alias – Maps a user-friendly name to a network. A network alias can be utilized at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location‘s network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit their local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment. This simplifies ACL definition and allows an administrator to better manage specific local requirements.
network-group alias – Maps a user-friendly name to a single or a range of addresses of devices, hosts, and network configurations. Network configurations are complete networks in the form 192.168.10.0/24 or IP address range in the form 192.168.10.10-192.168.10.20.
A network-group alias can contain a maximum of eight (8) host entries, eight (8) network entries, and eight (8) IP address-range entries. A maximum of 32 network-group alias entries can be created.

A network-group alias can be used in IP firewall rules to substitute hosts, subnets, and IP address ranges.
network-service alias – Maps a user-friendly name to service protocols and ports. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network-service alias. When used with an ACL, the network-service alias defines the service-specific components of the ACL rule. Overrides can be applied to the service alias, at the device level, without modifying the ACL. Application of overrides to the service alias allows an ACL to be used across sites.
Use a network-service alias to associate more than one IP address to a network interface, providing multiple connections to a network from a single IP node.
number alias – Maps a user-friendly name to a number
vlan alias – Maps a user-friendly name to a VLAN ID. A VLAN alias can be used at different deployments. For example, if a named VLAN is defined as 10 for the central network, and the VLAN is set at 26 at a remote location, the VLAN can be overridden at the deployment location with an alias. At the remote deployment location, the network is functional with a VLAN ID of 26, but utilizes the name defined at the centrally managed network. A new VLAN need not be created specifically for the remote deployment.
string alias – Maps a user-friendly name to a specific string (for example, RF Domain name). A string alias can be utilized at different deployments. For example, if the main domain at a remote location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.
encrypted-string alias – Maps a user-friendly name to a string value. The string value of this alias is encrypted when "password-encryption" is enabled. Encrypted-string aliases can be used for string configuration parameters that are encrypted by the "password-encryption" feature.
hashed-string alias – Maps a user-friendly name to a hashed-string value. Hashed-string aliases can be used for string configuration parameters that are hashed, such as passwords.

Note

When used with ACLs, network, network-group, and network-service aliases act as enhanced firewalls.

Supported in the following platforms:

Access Points — AP410i/e, AP460i/e, AP505i, AP510i/e, AP560i/h, AP7522, AP7532, AP7562, AP7612, AP7632, AP7662, AP8432, AP8533
Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

alias [address-range|encrypted-string|hashed-string|host|network|network-group|
network-service|number|string|vlan]

alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>

alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>

alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>

alias host <HOST-ALIAS-NAME> <HOST-IP>

alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>]

alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]

alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> 
{<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> 
{<NETWORK-ADDRESS/MASK>}]

alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|
gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|
ntp|pop3|proto|sip|smtp|sourceport|ssh|telnet|tftp|www)}

alias number <NUMBER-ALIAS-NAME> <0-4294967295>

alias string <STRING-ALIAS-NAME> <LINE>

alias vlan <VLAN-ALIAS-NAME> <1-4094>

Parameters

alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>


address-range <ADRESS-RANGE-ALIAS-NAME>	Creates an address range alias, defining a range of IP addresses <ADRESS-RANGE-ALIAS-NAME> – Specify the address range alias name. Note: Alias name should begin with ‘$‘.
<STARTING-IP> to <ENDING-IP>	Associates a range of IP addresses with this address range alias <STARTING-IP> – Specify the first IP address in the range. to <ENDING-IP> – Specify the last IP address in the range.

alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>


encrypted-string <ENCRYPTED-STRING-ALIAS-NAME>	Creates an alias for an encrypted string. Use this alias for string configuration values that are encrypted when "password-encryption" is enabled. For example, in the management-policy, use it to define the SNMP community string. For more information, see snmp-server (management policy config mode). <ENCRYPTED-STRING-ALIAS-NAME> – Specify the encrypted-string alias name. Note: Alias name should begin with ‘$‘.
[0\|2] <LINE>	Configures the value associated with the alias name specified in the previous step [0\|2] <LINE> – Configures the alias value Note: If password-encryption is enabled, in the show > running-config output, this clear text is displayed as an encrypted string, as shown below: nx9500-6C8809(config)#show running-config !............................... alias encrypted-string $enString 2 fABMK2is7UToNiZE3MQXbgAAAAxB0ZIysdqsEJwr6AH/Da// ! --More-- nx9500-6C8809 In the above show > running-config output, the ‘2‘ displayed before the encrypted-string alias value indicates that the displayed text is encrypted and not a clear text. However, if password-encryption is disabled the clear text is displayed as is: nx9500-6C8809(config)#show running-config !............................... ! alias encrypted-string $enString 0 test11223344 ! --More-- nx9500-6C8809 For more information on enabling password-encryption, see password-encryption.

alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>


hashed-string <HASHED-STRING-ALIAS-NAME>	Creates an alias for a hashed string. Use this alias for configuration values that are hashed strings, such as passwords. For example, in the management-policy, use it to define the privilege mode password. For more information, see privilege-mode-password. <HASHED-STRING-ALIAS-NAME> – Specify the hashed-string alias name. Note: Alias name should begin with ‘$‘.
<LINE>	Configures the hashed-string value associated with this alias. nx9500-6C8809(config)#show running-config ! alias encrypted-string $WRITE 2 sBqVCDAoxs3oByF5PCSuFAAAAAd7HT2+EiT/l/BXm9c4SBDv ! alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75 0 --More-- nx9500-6C8809 In the above show > running-config output, the ‘1‘ displayed before the hashed-string alias value indicates that the displayed text is hashed and not clear text.

alias host <HOST-ALIAS-NAME> <HOST-IP>


host <HOST-ALIAS-NAME>	Creates a host alias, defining a single network host <HOST-ALIAS-NAME> – Specify the host alias name. Note: Alias name should begin with ‘$‘.
<HOST-IP>	Associates the network host‘s IP address with this host alias. For example, ‘alias host $HOST 1.1.1.100‘. In this example, the host alias name is: $HOST and the host IP address it is mapped to is: 1.1.1.100. <HOST-IP> – Specify the network host‘s IP address.

alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>


network <NETWORK-ALIAS-NAME>	Creates a network alias, defining a single network address <NETWORK-ALIAS-NAME> – Specify the network alias name. Note: Alias name should begin with ‘$‘.
<NETWORK-ADDRESS/MASK>	Associates a single network with this network alias. For example, 'alias network $NET 1.1.1.0/24‘. In this example, the network alias name is: $NET and the network it is mapped to is: 1.1.1.0/24. <NETWORK-ADDRESS/MASK> – Specify the network‘s address and mask.

alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> 
{<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> 
{<NETWORK-ADDRESS/MASK>}]


network <NETWORK-GROUP-ALIAS-NAME>	Creates a network-group alias <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name. Note: Alias name should begin with ‘$‘. The network-group aliases are used in ACLs, to define the network-specific components. ACLs using aliases can be used across sites by re-defining the network-group alias elements at the device or profile level. After specifying the name, specify the following: a range of IP addresses, host addresses, or a range of network addresses.
address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}	Associates a range of IP addresses with this network-group alias <STARTING-IP> – Specify the first IP address in the range. to <ENDING-IP> – Specify the last IP address in the range. <STARTING-IP> to <ENDING-IP> – Optional. Specifies more than one range of IP addresses. A maximum of eight (8) IP address ranges can be configured.
host <HOST-IP> {<HOST-IP>}	Associates a single or multiple hosts with this network-group alias <HOST-IP> – Specify the hosts‘ IP address. <HOST-IP> – Optional. Specifies more than one host. A maximum of eight (8) hosts can be configured.
network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}	Associates a single or multiple networks with this network-group alias <NETWORK-ADDRESS/MASK> – Specify the network‘s address and mask. <NETWORK-ADDRESS/MASK> – Optional. Specifies more than one network. A maximum of eight (8) networks can be configured.

alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|
igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|
ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}


alias network-service <NETWORK-SERVICE-ALIAS-NAME>	Configures an alias that specifies available network services and the corresponding source and destination software ports <NETWORK-SERVICE-ALIAS-NAME> – Specify a network-service alias name. Note: Alias name should begin with ‘$‘. Network-service aliases are used in ACLs, to define the service-specific components. ACLs using aliases can be used across sites by re-defining the network-service alias elements at the device or profile level.
proto [<0-254>\| <WORD>\|eigrp\|gre\| igmp\|igp\|ospf\|vrrp]	Use one of the following options to associate an Internet protocol with this network-service alias: <0-254> – Identifies the protocol by its number. Specify the protocol number from 0 - 254. This is the number by which the protocol is identified in the Protocol field of the IPv4 header and the Next Header field of IPv6 header. For example, the UDP (User Datagram Protocol) designated number is 17. <WORD> – Identifies the protocol by its name. Specify the protocol name. eigrp – Selects EIGRP (Enhanced Interior Gateway Routing Protocol). The protocol number 88. gre – Selects GRE (Generic Routing Encapsulation). The protocol number is 47. igmp – Selects IGMP (Internet Group Management Protocol). The protocol number is 2. igp – Selects IGP (Interior Gateway Protocol). The protocol number is 9. ospf – Selects OSPF (Open Shortest Path First). The protocol number is 89. vrrp – Selects VRRP (Virtual Router Redundancy Protocol). The protocol number is 112.
{(<1-65535>\| <WORD>\| bgp\|dns\|ftp\|ftp-data\| gopher\|https\|ldap\| nntp\|ntp\|pop3\|proto\| sip\|smtp\|sourceport [<1-65535>\| <WORD>]\|ssh\|telnet\| tftp\|www)}	After specifying the protocol, you may configure a destination port for this service. These keywords are recursive and you can configure multiple protocols and associate multiple destination and source ports. <1-65535> – Optional. Configures a destination port number from 1 - 65535 <WORD> – Optional. Identifies the destination port by the service name provided. For example, the SSH service uses TCP port 22. bgp – Optional. Configures the default BGP (Border Gateway Protocol) services port (179) dns – Optional. Configures the default DNS (Domain Name System) services port (53) ftp – Optional. Configures the default FTP (File Transfer Protocol) control services port (21) ftp-data – Optional. Configures the default FTP data services port (20) gopher – Optional. Configures the default gopher services port (70) https – Optional. Configures the default HTTPS services port (443) ldap – Optional. Configures the default LDAP (Lightweight Directory Access Protocol) services port (389) nntp – Optional. Configures the default NNTP (Newsgroup) services port (119) ntp – Optional. Configures the default NTP (Network Time Protocol) services port (123) POP3 – Optional. Configures the default POP3 (Post Office Protocol) services port (110) proto – Optional. Use this option to select another Internet protocol in addition to the one selected in the previous step. sip – Optional. Configures the default SIP (Session Initiation Protocol) services port (5060) smtp – Optional. Configures the default SMTP (Simple Mail Transfer Protocol) services port (25) sourceport [<1-65535>\|<WORD>] – Optional. After specifying the destination port, you may specify a single or range of source ports. <1-65535> – Specify the source port from 1 - 65535. <WORD> – Specify the source port range, for example 1-10. ssh – Optional. Configures the default SSH services port (22) telnet – Optional. Configures the default Telnet services port (23) tftp – Optional. Configures the default TFTP (Trivial File Transfer Protocol) services port (69) www – Optional. Configures the default HTTP services port (80)

alias number <NUMBER-ALIAS-NAME> <0-4294967295>


alias number <NUMBER-ALIAS-NAME> <0-4294967295>	Creates a number alias identified by the <NUMBER-ALIAS-NAME> keyword. Number aliases map a name to a numeric value. For example, ‘alias number $NUMBER 100‘. In this example: The number alias name is: $NUMBER The value assigned is: 100 The value referenced by alias $NUMBER, wherever used, is 100. <NUMBER-ALIAS-NAME> – Specify the number alias name. Note: Alias name should begin with ‘$‘. <0-4294967295> – Specify the number, from 0 - 4294967295, assigned to the number alias created.

alias string <STRING-ALIAS-NAME> <LINE>


alias string <STRING-ALIAS-NAME>	Creates a string alias identified by the <STRING-ALIAS-NAME> keyword <STRING-ALIAS-NAME> – Specify the string alias name. Note: Alias name should begin with ‘$‘. <LINE> – Specify the string value. String aliases map a name to an arbitrary string value. For example, ‘alias string $DOMAIN test.example_company.com‘. In this example, the string alias name is: $DOMAIN the string value it is mapped to is: test.example_company.com (a domain name). The value referenced by alias $DOMAIN, wherever used, is test.example_company.com. You can also use a string alias to configure the Bonjour Service instance name. Once configured, use the string alias in the Bonjour Gateway Discovery Policy context to specify the Bonjour service instance name to be used as the match criteria. For more information, see bonjour-gw-discovery-policy.

alias vlan <VLAN-ALIAS-NAME> <1-4094>


alias vlan <VLAN-ALIAS-NAME>	Creates a VLAN alias identified by the <VLAN-ALIAS-NAME> keyword <VLAN-ALIAS-NAME> – Specify the VLAN alias name. Note: Alias name should begin with ‘$‘.
<1-4094>	Maps the VLAN alias to a VLAN ID <1-4094> – Specify the VLAN ID from 1 - 4094.

Examples

nx9500-229D58(config)#alias address-range $TestAddRanAlias 192.168.13.10 to 192.168.13.13

nx9500-229D58(config)#alias network $TestNetworkAlias 192.168.13.0/24

nx9500-229D58(config)#alias host $TestHostAlias 192.168.13.100

nx9500-229D58(config)#alias vlan $TestVLANAlias 1

nx9500-229D58(config)#alias address-range $AddRangeAlias 192.168.13.2 to 192.168.13.10

nx9500-229D58(config)#alias network-service $NetServAlias proto igmp

nx9500-229D58(config)#show running-config | include alias
alias network-group $NetGrAlias address-range 192.168.13.7 to 192.168.13.9 192.168.13.20 
to 192.168.13.25
alias network $NetworkAlias 192.168.13.0/24
alias host $HostAlias 192.168.13.10
alias address-range $AddRangeAlias 192.168.13.2 to 192.168.13.10
alias network-service $NetServAlias proto igmp
alias vlan $VlanAlias 1
nx9500-229D58(config)#

nx9500-6C8809(config)#alias number $NUMBER 100

nx9500-6C8809(config)#show context include-factory | include alias
alias string $DOMAIN test.examplecompany.com
alias string $DOMAIN2 test.example_company.com
alias number $NUMBER 100
alias string $SN B4C7996C8809
nx9500-6C8809(config)#

The following examples show encrypted-string alias configuration:

nx9500-6C8809(config)#alias encrypted-string $WRITE 0 private

nx9500-6C8809(config)#alias encrypted-string $READ 0 public

nx9500-6C8809(config)#show context | include alias
alias vlan $BLR-01 1
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
alias encrypted-string $READ 0 public
alias encrypted-string $WRITE 0 private
nx9500-6C8809(config)#

The following example shows the encrypted-string aliases, configured in the previous example, used in the management-policy:

nx9500-6C8809(config-management-policy-default)#snmp-server community 0 $WRITE rw

nx9500-6C8809(config-management-policy-default)#snmp-server community 0 $READ ro

nx9500-6C8809(config-management-policy-default)#show context
management-policy default
 no telnet
 no http server
 https server
 rest-server
 ssh
 user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5 role superuser access all
 snmp-server community 0 $WRITE rw
 snmp-server community 0 $READ ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/QAAAAjWNKa4KXF95pruUCSnhOiT
 snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/QAAAAgc0l8ahJYo3AjHo9wXzYGo
 t5 snmp-server community public ro 192.168.0.1
 t5 snmp-server community private rw 192.168.0.1
nx9500-6C8809(config-management-policy-default)#

The following example shows hashed-string alias configuration:

nx9500-6C8809(config)#alias hashed-string $PriMode Test12345

nx9500-6C8809(config)#show context | include alias
alias vlan $BLR-01 1
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
alias encrypted-string $READ 0 public
alias encrypted-string $WRITE 0 private
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
nx9500-6C8809(config)#

The following example shows the hashed-string alias, configured in the previous example, used in the management-policy:

nx9500-6C8809(config-management-policy-default)#show context
management-policy default
https server
 rest-server
 ssh
 user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5 role superuser access all
 snmp-server community 0 $WRITE rw
 snmp-server community 0 $READ ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/QAAAAjWNKa4KXF95pruUCSnhOiT
 snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/QAAAAgc0l8ahJYo3AjHo9wXzYGo
 t5 snmp-server community public ro 192.168.0.1
 t5 snmp-server community private rw 192.168.0.1
 privilege-mode-password $PriMode
nx9500-6C8809(config-management-policy-default)#

Related Commands


no	Removes an existing network, VLAN, service, or string alias