alias

Configures the following types of aliases: network, VLAN, host, string, network-service, etc. Aliases are objects having a unique name and content that is determined by the alias type (for example, network, VLAN, network-service, etc.).

A typical large enterprise network consists of multiple sites (RF Domains) that share similar configuration parameters, with a few elements that vary, such as networks or network ranges, hosts having different IP addresses, and VLAN IDs or URLs. These elements can be defined as aliases (object-oriented wireless firewalls) and used across sites by applying overrides to the object definition. Using aliases results in a configuration that is easier to understand and maintain.

Multiple instances of an alias (same type and same name) can be defined at any of the following levels: global, RF Domain, profile, or device. An alias defined globally functions as a top-level object (TLO). Global aliases are not mandatory; an alias can be defined at the RF Domain, profile, or device level only. An alias defined on a device is applicable to that device only. An alias defined on a profile applies to every device using the profile. Similarly, aliases defined at the RF Domain level apply to all devices within that domain.

Aliases defined at any given level can be overridden at any of the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.
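Because a lower-level override changes what an ACL built on the alias actually matches, it helps to compute the value in force per device. The following added example (not part of the original documentation or the product) resolves a network alias through the levels and flags overrides that strictly contain the global network. The data model, device and site names are hypothetical, and the relative order of RF Domain and profile is an assumption taken from the order in which the page lists the levels.

```python
import ipaddress

# Assumed precedence, lowest to highest. The page states only that each level
# can be overridden at the next lower level and that the device level wins.
LEVELS = ("global", "rf-domain", "profile", "device")

# Constructed sample. Hypothetical data model: {level: {scope: {alias: value}}}.
DEFINITIONS = {
    "global": {"global": {"$NET": "192.168.13.0/24"}},
    "rf-domain": {"site-b": {"$NET": "10.20.0.0/24"}},
    "device": {"ap-3": {"$NET": "192.168.0.0/16"}},
}
# Which scope each (hypothetical) device belongs to at every level.
DEVICES = {
    "ap-1": {"global": "global", "rf-domain": "site-a", "profile": "ap", "device": "ap-1"},
    "ap-2": {"global": "global", "rf-domain": "site-b", "profile": "ap", "device": "ap-2"},
    "ap-3": {"global": "global", "rf-domain": "site-b", "profile": "ap", "device": "ap-3"},
}


def effective_network(alias, membership, definitions=DEFINITIONS):
    """Return (level, network) in force for `alias`, or None if undefined."""
    chosen = None
    for level in LEVELS:  # later (lower) levels overwrite earlier ones
        value = definitions.get(level, {}).get(membership.get(level), {}).get(alias)
        if value is not None:
            chosen = (level, ipaddress.ip_network(value))
    return chosen


def widening_overrides(alias, devices=DEVICES, definitions=DEFINITIONS):
    """List (device, level, network) where an override strictly contains the global network."""
    base = ipaddress.ip_network(definitions["global"]["global"][alias])
    flagged = []
    for name, membership in devices.items():
        level, net = effective_network(alias, membership, definitions)
        if level != "global" and net != base and base.subnet_of(net):
            flagged.append((name, level, str(net)))
    return flagged


if __name__ == "__main__":
    for dev, membership in DEVICES.items():
        print(dev, effective_network("$NET", membership))
    print("widened:", widening_overrides("$NET"))
```

A site-specific override such as the one on `site-b` is the intended use of aliases and is not flagged; only an override that silently broadens the globally reviewed scope is reported.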

The different alias types supported are:

Note

When used with ACLs, network, network-group, and network-service aliases act as enhanced firewalls.

Supported on the following devices:

Syntax

alias [address-range|encrypted-string|hashed-string|host|network|network-group|
network-service|number|string|vlan]
alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>
alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>
alias host <HOST-ALIAS-NAME> <HOST-IP>
alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> 
{<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> 
{<NETWORK-ADDRESS/MASK>}]
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|
igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|
smtp|sourceport|ssh|telnet|tftp|www)}
alias number <NUMBER-ALIAS-NAME> <0-4294967295>
alias string <STRING-ALIAS-NAME> <LINE>
alias vlan <VLAN-ALIAS-NAME> <1-4094>

Parameters

alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
address-range <ADDRESS-RANGE-ALIAS-NAME> Creates an address range alias, defining a range of IP addresses
  • <ADDRESS-RANGE-ALIAS-NAME> – Specify the address range alias name.
Note: Alias name should begin with ‘$’.
<STARTING-IP> to <ENDING-IP> Associates a range of IP addresses with this address range alias
  • <STARTING-IP> – Specify the first IP address in the range.
    • to <ENDING-IP> – Specify the last IP address in the range.
alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>
encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> Creates an alias for an encrypted string. Use this alias for string configuration values that are encrypted when "password-encryption" is enabled. For example, in the management-policy, use it to define the SNMP community string. For more information, see snmp-server (management policy config mode).
  • <ENCRYPTED-STRING-ALIAS-NAME> – Specify the encrypted-string alias name.
Note: Alias name should begin with ‘$’.
[0|2] <LINE> Configures the value associated with the alias name specified in the previous step
  • [0|2] <LINE> – Configures the alias value
    Note: If password-encryption is enabled, in the show > running-config output, this clear text is displayed as an encrypted string, as shown below:
    nx9500-6C8809(config)#show running-config
    !...............................
    alias encrypted-string $enString 2 fABMK2is7UToNiZE3MQXbgAAAAxB0ZIysdqsEJwr6AH/Da//
    !
    --More--
    nx9500-6C8809

    In the above show > running-config output, the ‘2’ displayed before the encrypted-string alias value indicates that the displayed text is encrypted and not clear text.

    However, if password-encryption is disabled the clear text is displayed as is:

    nx9500-6C8809(config)#show running-config
    !...............................
    !
    alias encrypted-string $enString 0 test11223344
    !
    --More--
    nx9500-6C8809

    For more information on enabling password-encryption, see password-encryption.

alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>
hashed-string <HASHED-STRING-ALIAS-NAME> Creates an alias for a hashed string. Use this alias for configuration values that are hashed strings, such as passwords. For example, in the management-policy, use it to define the privilege mode password. For more information, see privilege-mode-password.
  • <HASHED-STRING-ALIAS-NAME> – Specify the hashed-string alias name.
Note: Alias name should begin with ‘$’.
<LINE> Configures the hashed-string value associated with this alias.
nx9500-6C8809(config)#show running-config
!
alias encrypted-string $WRITE 2 sBqVCDAoxs3oByF5PCSuFAAAAAd7HT2+EiT/l/BXm9c4SBDv
!
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
--More--
nx9500-6C8809

In the above show > running-config output, the ‘1’ displayed before the hashed-string alias value indicates that the displayed text is hashed and not clear text.

alias host <HOST-ALIAS-NAME> <HOST-IP>
host <HOST-ALIAS-NAME> Creates a host alias, defining a single network host
  • <HOST-ALIAS-NAME> – Specify the host alias name.
Note: Alias name should begin with ‘$’.
<HOST-IP> Associates the network host’s IP address with this host alias. For example, ‘alias host $HOST 1.1.1.100’. In this example, the host alias name is: $HOST and the host IP address it is mapped to is: 1.1.1.100.
  • <HOST-IP> – Specify the network host’s IP address.
alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>
network <NETWORK-ALIAS-NAME> Creates a network alias, defining a single network address
  • <NETWORK-ALIAS-NAME> – Specify the network alias name.
Note: Alias name should begin with ‘$’.
<NETWORK-ADDRESS/MASK> Associates a single network with this network alias. For example, ‘alias network $NET 1.1.1.0/24’. In this example, the network alias name is: $NET and the network it is mapped to is: 1.1.1.0/24.
  • <NETWORK-ADDRESS/MASK> – Specify the network’s address and mask.
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> 
{<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> 
{<NETWORK-ADDRESS/MASK>}]
network-group <NETWORK-GROUP-ALIAS-NAME> Creates a network-group alias
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name.
Note: Alias name should begin with ‘$’.

The network-group aliases are used in ACLs, to define the network-specific components. ACLs using aliases can be used across sites by re-defining the network-group alias elements at the device or profile level.

After specifying the name, specify the following: a range of IP addresses, host addresses, or a range of network addresses.

address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>} Associates a range of IP addresses with this network-group alias
  • <STARTING-IP> – Specify the first IP address in the range.
    • to <ENDING-IP> – Specify the last IP address in the range.
      • <STARTING-IP> to <ENDING-IP> – Optional. Specifies more than one range of IP addresses. A maximum of eight (8) IP address ranges can be configured.
host <HOST-IP> {<HOST-IP>} Associates a single or multiple hosts with this network-group alias
  • <HOST-IP> – Specify the host’s IP address.
    • <HOST-IP> – Optional. Specifies more than one host. A maximum of eight (8) hosts can be configured.
network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>} Associates a single or multiple networks with this network-group alias
  • <NETWORK-ADDRESS/MASK> – Specify the network’s address and mask.
    • <NETWORK-ADDRESS/MASK> – Optional. Specifies more than one network. A maximum of eight (8) networks can be configured.
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|
igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|
smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
alias network-service <NETWORK-SERVICE-ALIAS-NAME> Configures an alias that specifies available network services and the corresponding source and destination software ports
  • <NETWORK-SERVICE-ALIAS-NAME> – Specify a network-service alias name.
Note: Alias name should begin with ‘$’.

Network-service aliases are used in ACLs, to define the service-specific components. ACLs using aliases can be used across sites by re-defining the network-service alias elements at the device or profile level.

proto [<0-254>| <WORD>|eigrp|gre| igmp|igp|ospf|vrrp] Use one of the following options to associate an Internet protocol with this network-service alias:
  • <0-254> – Identifies the protocol by its number. Specify the protocol number from 0 - 254. This is the number by which the protocol is identified in the Protocol field of the IPv4 header and the Next Header field of IPv6 header. For example, the User Datagram Protocol (UDP) designated number is 17.
  • <WORD> – Identifies the protocol by its name. Specify the protocol name.
  • eigrp – Selects Enhanced Interior Gateway Routing Protocol (EIGRP). The protocol number is 88.
  • gre – Selects GRE (Generic Routing Encapsulation). The protocol number is 47.
  • igmp – Selects Internet Group Management Protocol (IGMP). The protocol number is 2.
  • igp – Selects Interior Gateway Protocol (IGP). The protocol number is 9.
  • ospf – Selects Open Shortest Path First (OSPF). The protocol number is 89.
  • vrrp – Selects Virtual Router Redundancy Protocol (VRRP). The protocol number is 112.
{(<1-65535>| <WORD>| bgp|dns|ftp|ftp-data| gopher|https|ldap| nntp|ntp|pop3|proto| sip|smtp|sourceport [<1-65535>| <WORD>]|ssh|telnet| tftp|www)} After specifying the protocol, you may configure a destination port for this service. These keywords are recursive and you can configure multiple protocols and associate multiple destination and source ports.
  • <1-65535> – Optional. Configures a destination port number from 1 - 65535
  • <WORD> – Optional. Identifies the destination port by the service name provided. For example, the SSH service uses TCP port 22.
  • bgp – Optional. Configures the default Border Gateway Protocol (BGP) services port (179)
  • dns – Optional. Configures the default Domain Name System (DNS) services port (53)
  • ftp – Optional. Configures the default File Transfer Protocol (FTP) control services port (21)
  • ftp-data – Optional. Configures the default FTP data services port (20)
  • gopher – Optional. Configures the default gopher services port (70)
  • https – Optional. Configures the default HTTPS services port (443)
  • ldap – Optional. Configures the default Lightweight Directory Access Protocol (LDAP) services port (389)
  • nntp – Optional. Configures the default Newsgroup (NNTP) services port (119)
  • ntp – Optional. Configures the default Network Time Protocol (NTP) services port (123)
  • pop3 – Optional. Configures the default Post Office Protocol (POP3) services port (110)
  • proto – Optional. Use this option to select another Internet protocol in addition to the one selected in the previous step.
  • sip – Optional. Configures the default Session Initiation Protocol (SIP) services port (5060)
  • smtp – Optional. Configures the default Simple Mail Transfer Protocol (SMTP) services port (25)
  • sourceport [<1-65535>|<WORD>] – Optional. After specifying the destination port, you may specify a single source port or a range of source ports.
    • <1-65535> – Specify the source port from 1 - 65535.
    • <WORD> – Specify the source port range, for example 1-10.
  • ssh – Optional. Configures the default SSH services port (22)
  • telnet – Optional. Configures the default Telnet services port (23)
  • tftp – Optional. Configures the default Trivial File Transfer Protocol (TFTP) services port (69)
  • www – Optional. Configures the default HTTP services port (80)
alias number <NUMBER-ALIAS-NAME> <0-4294967295>
alias number <NUMBER-ALIAS-NAME> <0-4294967295> Creates a number alias identified by the <NUMBER-ALIAS-NAME> keyword. Number aliases map a name to a numeric value. For example, ‘alias number $NUMBER 100’. In this example:
  • The number alias name is: $NUMBER
  • The value assigned is: 100
The value referenced by alias $NUMBER, wherever used, is 100.
  • <NUMBER-ALIAS-NAME> – Specify the number alias name.
    Note: Alias name should begin with ‘$’.
    • <0-4294967295> – Specify the number, from 0 - 4294967295, assigned to the number alias created.
alias string <STRING-ALIAS-NAME> <LINE>
alias string <STRING-ALIAS-NAME> Creates a string alias identified by the <STRING-ALIAS-NAME> keyword
  • <STRING-ALIAS-NAME> – Specify the string alias name.
    Note: Alias name should begin with ‘$’.
    • <LINE> – Specify the string value.
String aliases map a name to an arbitrary string value. For example, ‘alias string $DOMAIN test.example_company.com’. In this example,
  • the string alias name is: $DOMAIN
  • the string value it is mapped to is: test.example_company.com (a domain name).

The value referenced by alias $DOMAIN, wherever used, is test.example_company.com.

You can also use a string alias to configure the Bonjour Service instance name. Once configured, use the string alias in the Bonjour Gateway Discovery Policy context to specify the Bonjour service instance name to be used as the match criteria. For more information, see bonjour-gw-discovery-policy.

alias vlan <VLAN-ALIAS-NAME> <1-4094>
alias vlan <VLAN-ALIAS-NAME> Creates a VLAN alias identified by the <VLAN-ALIAS-NAME> keyword
  • <VLAN-ALIAS-NAME> – Specify the VLAN alias name.
Note: Alias name should begin with ‘$’.
<1-4094> Maps the VLAN alias to a VLAN ID
  • <1-4094> – Specify the VLAN ID from 1 - 4094.
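The constraints listed in the parameter descriptions above can be checked before a command is pushed to a device. The following is an added example, not part of the original documentation or the product: a linter for the address, VLAN and number alias forms that enforces the ‘$’ name prefix, the documented numeric ranges, start-before-end ordering for ranges (an added sanity check the page does not state), and the limit of eight entries per network-group. The function names are hypothetical; other alias types are checked for the name prefix only.

```python
import ipaddress

MAX_GROUP_ENTRIES = 8  # page: at most eight ranges, hosts or networks per group

def _ranges(tokens):
    """Parse 'A to B [A to B ...]' into (start, end) pairs; ValueError if malformed."""
    if not tokens or len(tokens) % 3:
        raise ValueError("expected '<STARTING-IP> to <ENDING-IP>'")
    pairs = []
    for i in range(0, len(tokens), 3):
        start, sep, end = tokens[i:i + 3]
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if sep != "to" or lo > hi:
            raise ValueError(f"bad range: {start} {sep} {end}")
        pairs.append((lo, hi))
    return pairs

# One parser per network-group member keyword; each returns the parsed entries.
GROUP_PARSERS = {
    "address-range": _ranges,
    "host": lambda t: [ipaddress.ip_address(x) for x in t],
    "network": lambda t: [ipaddress.ip_network(x, strict=False) for x in t],
}

def validate_alias(command):
    """Return a list of problems for one 'alias ...' line; an empty list means valid."""
    tok = command.split()
    if len(tok) < 4 or tok[0] != "alias":
        return ["expected: alias <type> <$NAME> <value>"]
    kind, name, args = tok[1], tok[2], tok[3:]
    problems = [] if name.startswith("$") else ["alias name must begin with '$'"]
    try:
        if kind == "vlan" and not 1 <= int(args[0]) <= 4094:
            problems.append("VLAN ID outside 1-4094")
        elif kind == "number" and not 0 <= int(args[0]) <= 4294967295:
            problems.append("number outside 0-4294967295")
        elif kind == "host":
            GROUP_PARSERS["host"](args[:1])
        elif kind == "network":
            GROUP_PARSERS["network"](args[:1])
        elif kind == "address-range" and len(_ranges(args)) != 1:
            problems.append("address-range takes exactly one range")
        elif kind == "network-group":
            entries = GROUP_PARSERS[args[0]](args[1:])
            if not 1 <= len(entries) <= MAX_GROUP_ENTRIES:
                problems.append("network-group takes 1 to 8 entries")
    except (ValueError, TypeError, KeyError) as exc:
        problems.append(f"malformed {kind} value: {exc}")
    return problems

if __name__ == "__main__":
    # First command is from this page's Examples; the second is constructed.
    for cmd in ("alias vlan $TestVLANAlias 1", "alias vlan $Bad 4095"):
        print(cmd, "->", validate_alias(cmd) or "ok")
```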

Examples

nx9500-229D58(config)#alias address-range $TestAddRanAlias 192.168.13.10 to 192.168.13.13
nx9500-229D58(config)#alias network $TestNetworkAlias 192.168.13.0/24
nx9500-229D58(config)#alias host $TestHostAlias 192.168.13.100
nx9500-229D58(config)#alias vlan $TestVLANAlias 1
nx9500-229D58(config)#alias address-range $AddRangeAlias 192.168.13.2 to 192.168.13.10
nx9500-229D58(config)#alias network-service $NetServAlias proto igmp
nx9500-229D58(config)#show running-config | include alias
alias network-group $NetGrAlias address-range 192.168.13.7 to 192.168.13.9 192.168.13.20 
to 192.168.13.25
alias network $NetworkAlias 192.168.13.0/24
alias host $HostAlias 192.168.13.10
alias address-range $AddRangeAlias 192.168.13.2 to 192.168.13.10
alias network-service $NetServAlias proto igmp
alias vlan $VlanAlias 1
nx9500-229D58(config)#
nx9500-6C8809(config)#alias number $NUMBER 100
nx9500-6C8809(config)#show context include-factory | include alias
alias string $DOMAIN test.examplecompany.com
alias string $DOMAIN2 test.example_company.com
alias number $NUMBER 100
alias string $SN B4C7996C8809
nx9500-6C8809(config)#

The following examples show encrypted-string alias configuration:

nx9500-6C8809(config)#alias encrypted-string $WRITE 0 private
nx9500-6C8809(config)#alias encrypted-string $READ 0 public
nx9500-6C8809(config)#show context | include alias
alias vlan $BLR-01 1
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
alias encrypted-string $READ 0 public
alias encrypted-string $WRITE 0 private
nx9500-6C8809(config)#

The following example shows the encrypted-string aliases, configured in the previous example, used in the management-policy:

nx9500-6C8809(config-management-policy-default)#snmp-server community 0 $WRITE rw
nx9500-6C8809(config-management-policy-default)#snmp-server community 0 $READ ro
nx9500-6C8809(config-management-policy-default)#show context
management-policy default
 no telnet
 no http server
 https server
 rest-server
 ssh
 user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5 role superuser access all
 snmp-server community 0 $WRITE rw
 snmp-server community 0 $READ ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/QAAAAjWNKa4KXF95pruUCSnhOiT
 snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/QAAAAgc0l8ahJYo3AjHo9wXzYGo
 t5 snmp-server community public ro 192.168.0.1
 t5 snmp-server community private rw 192.168.0.1
nx9500-6C8809(config-management-policy-default)#

The following example shows hashed-string alias configuration:

nx9500-6C8809(config)#alias hashed-string $PriMode Test12345
nx9500-6C8809(config)#show context | include alias
alias vlan $BLR-01 1
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
alias encrypted-string $READ 0 public
alias encrypted-string $WRITE 0 private
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
nx9500-6C8809(config)#

The following example shows the hashed-string alias, configured in the previous example, used in the management-policy:

nx9500-6C8809(config-management-policy-default)#show context
management-policy default
 https server
 rest-server
 ssh
 user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5 role superuser access all
 snmp-server community 0 $WRITE rw
 snmp-server community 0 $READ ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/QAAAAjWNKa4KXF95pruUCSnhOiT
 snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/QAAAAgc0l8ahJYo3AjHo9wXzYGo
 t5 snmp-server community public ro 192.168.0.1
 t5 snmp-server community private rw 192.168.0.1
 privilege-mode-password $PriMode
nx9500-6C8809(config-management-policy-default)#
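The markers described under Parameters (0 for clear text, 2 for encrypted) make it possible to audit a saved configuration for secrets that are stored unprotected. The following is an added example, not part of the original documentation or the product: it parses encrypted-string alias lines, flags those stored as clear text or set to the well-known community strings `public` and `private`, and notes when such an alias is referenced as a read-write SNMP community. The sample text is constructed from the outputs shown on this page; the function name and finding labels are hypothetical.

```python
import re

# Marker before the value, as described on this page: 0 = clear text, 2 = encrypted.
ALIAS_RE = re.compile(r"^\s*alias\s+encrypted-string\s+(\$\S+)\s+([02])\s+(.+?)\s*$")
# The page shows 'snmp-server community 0 $ALIAS rw'; accepting 2 here is an assumption.
SNMP_RE = re.compile(r"^\s*snmp-server\s+community\s+[02]\s+(\$\S+)\s+(ro|rw)\b")
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_encrypted_strings(config_text):
    """Return {alias_name: [findings]} for encrypted-string aliases needing attention."""
    aliases, usage = {}, {}
    for line in config_text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = SNMP_RE.match(line)
        if m:
            usage.setdefault(m.group(1), set()).add(m.group(2))
    report = {}
    for name, (marker, value) in aliases.items():
        findings = []
        if marker == "0":
            findings.append("clear-text")
            if value.lower() in DEFAULT_COMMUNITIES:
                findings.append("default-community")
        if findings and "rw" in usage.get(name, ()):
            findings.append("used-as-rw-community")
        if findings:
            report[name] = findings
    return report


# Constructed sample, assembled from the 'show' outputs on this page.
SAMPLE = """\
alias vlan $BLR-01 1
alias encrypted-string $READ 0 public
alias encrypted-string $WRITE 0 private
alias encrypted-string $enString 2 fABMK2is7UToNiZE3MQXbgAAAAxB0ZIysdqsEJwr6AH/Da//
management-policy default
 snmp-server community 0 $WRITE rw
 snmp-server community 0 $READ ro
"""

if __name__ == "__main__":
    for name, findings in audit_encrypted_strings(SAMPLE).items():
        print(name, ", ".join(findings))
```

A clear-text finding means password-encryption was disabled when the configuration was saved; enabling it, as described under the encrypted-string parameter, changes the marker to 2 in the show output.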

Related Commands

no Removes an existing network, VLAN, service, or string alias