Classification Rules
Define classification rules to restrict lab access to a defined set of endpoints, and associate the rules with a Gold Master or with reservations.
Once classification rules are defined and configured on Gold Master or reservations, the reservations will only be accessible from the endpoints belonging to the allowed classified groups.
The following types of parameters can be used to define a classification rule:
- LAN IP (Applicable for HyWorks Clients only)
- MAC Address (Applicable for HyWorks Clients only)
- WAN IP (Applicable for HyLite and HyWorks Clients)
Flow to define and use classification rule restrictions:
- Import the Classification Rules CSV file, or add rules from the Classification Rules screen
- Configure Gold Master access for the selected classification rules: to restrict all the reservations from the Gold Master
- Configure reservations with classification rules: to restrict reservation access to the selected classified endpoints that satisfy the classification rules
Import Classification Rules CSV
In the existing HyLabs – CSV Configurations, an option to import the Classification Rules CSV has been added. The rest of the configurations, e.g., CSV Format and CSV Location details, remain the same.
- Parameters that can be used to define a Classification Rule:
  - LAN IP (Applicable for HyWorks Clients only)
  - MAC Address (Applicable for HyWorks Clients only)
  - WAN IP (Applicable for HyLite and HyWorks Clients)
- A single Classification Rule can have one or multiple types of parameters
- Sample CSV entries:
Classification Rule Name | Para-Type | Add/Delete | Para-Value | Realmname |
---|---|---|---|---|
CG_LAB-AE-MAC | M | A | aa-bb-cc-dd-ee-11 | |
CG_LAB-AE-MAC | M | A | aa:bb:cc:dd:ee:12 | |
CG_LAB-AE-MAC | M | A | aa:bb:cc:dd:ee:13 | |
CG_LAB-BE-LAN | L | A | 172.16.0.16 | |
CG_LAB-BE-LAN | L | A | 172.16.0.0/24 | |
CG_LAB-BE-LAN | L | A | 172.16.1.2-172.16.1.127 | |
CG_LAB-BE-WAN | W | A | 192.168.0.0/16 | |
CG_LAB-BE-WAN | W | A | 123.201.54.132 | |
CG_LAB-BE-WAN | W | A | 123.201.54.133 | |
CG_LAB-BE-WAN | W | A | 123.201.54.134 | |
CG_LAB-CSE-MIX | L | A | 172.17.0.1-172.17.0.254 | |
CG_LAB-CSE-MIX | L | A | 192.168.0.10 | |
CG_LAB-CSE-MIX | M | A | aa:bb:cc:dd:xy:13 | |
CG_LAB-CSE-MIX | M | A | aa:bb:cc:dd:xy:14 | |
So now there will be four Classification Rule definitions:
- CG_LAB-AE-MAC: aa-bb-cc-dd-ee-11, aa:bb:cc:dd:ee:12, aa:bb:cc:dd:ee:13
- CG_LAB-BE-LAN: 172.16.0.16, 172.16.0.0/24, 172.16.1.2-172.16.1.127
- CG_LAB-BE-WAN: 192.168.0.0/16, 123.201.54.132, 123.201.54.133, 123.201.54.134
- CG_LAB-CSE-MIX: (172.17.0.1-172.17.0.254, 192.168.0.10), aa:bb:cc:dd:xy:13, aa:bb:cc:dd:xy:14
CSV Import Wizard
The following options are available in the CSV import wizard in HyLabs. To enable Classification Rule import, the option must be checked in the CSV Import Profile and the appropriate file must be placed at the defined CSV location. For more details about CSV import, see the section CSV Configurations.
Classification Rules Examples
Consider that the above Classification Rules are associated with different reservations as described below:
- RES#1 - CG_LAB-AE-MAC
- RES#2 - CG_LAB-BE-LAN
- RES#3 - CG_LAB-BE-WAN
- RES#4 - CG_LAB-CSE-MIX
- RES#5 - CG_LAB-AE-MAC, CG_LAB-BE-LAN

The resulting access is:
- RES#1: Users logging in from a device with one of the MAC addresses defined for Classification Rule “CG_LAB-AE-MAC” will have access, whereas any user logging in from HyLite or other devices will not be able to access it.
- RES#4: Will only be accessible from clients where the MAC address is either aa:bb:cc:dd:xy:14 or aa:bb:cc:dd:xy:13 and the IP is within 172.17.0.1-172.17.0.254 or is 192.168.0.10.
  - With multiple types of parameters defined in a single classification rule, access will be given only if both conditions are satisfied.
- RES#5: Will be accessible from clients having MAC addresses defined in CG_LAB-AE-MAC or clients having an IP defined in CG_LAB-BE-LAN.
  - If a reservation has multiple classification rules, then a member of any one classification rule will be able to access the reservation.
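The matching logic described for RES#1, RES#4 and RES#5, written out as an added Python example (not HyLabs code): parameter types inside one rule are combined with AND, values of one type and multiple rules on a reservation with OR. The comma-separated layout, the endpoint keys `mac`, `lan_ip` and `wan_ip`, skipping of `D` rows and fail-closed handling of unknown rule names are assumptions; the known behaviour that WAN IP rules can act as LAN IPs on HyWorks Clients is not modelled.

```python
import csv, io, ipaddress

# Constructed input: rows from the sample table, assumed comma-separated.
SAMPLE_CSV = """\
CG_LAB-AE-MAC,M,A,aa-bb-cc-dd-ee-11,
CG_LAB-AE-MAC,M,A,aa:bb:cc:dd:ee:12,
CG_LAB-BE-LAN,L,A,172.16.0.0/24,
CG_LAB-BE-LAN,L,A,172.16.1.2-172.16.1.127,
CG_LAB-BE-WAN,W,A,123.201.54.132,
CG_LAB-CSE-MIX,L,A,172.17.0.1-172.17.0.254,
CG_LAB-CSE-MIX,L,A,192.168.0.10,
CG_LAB-CSE-MIX,M,A,aa:bb:cc:dd:xy:13,
"""
FIELD = {"M": "mac", "L": "lan_ip", "W": "wan_ip"}  # endpoint keys (assumed names)

def load_rules(text):
    """Return {rule name: {parameter type: [values]}} for rows marked A (add)."""
    rules = {}
    for name, ptype, action, value, *_ in csv.reader(io.StringIO(text)):
        if action == "A":  # D (delete) rows are skipped in this sketch
            rules.setdefault(name, {}).setdefault(ptype, []).append(value.strip())
    return rules

def value_matches(ptype, have, spec):
    """MAC: compare with '-' and ':' treated alike. IP: address, CIDR or range."""
    if ptype == "M":
        return have.lower().replace("-", ":") == spec.lower().replace("-", ":")
    addr = ipaddress.ip_address(have)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

def rule_allows(rule, ep):
    """Every parameter type in the rule must match; any value of a type suffices."""
    for ptype, values in rule.items():
        have = ep.get(FIELD[ptype])  # assumed: HyLite endpoints carry only a WAN IP
        if have is None or not any(value_matches(ptype, have, v) for v in values):
            return False
    return bool(rule)  # an empty rule admits nobody (assumption: fail closed)

def reservation_allows(rules, rule_names, ep):
    """No rules means unrestricted; otherwise membership of any one rule is enough."""
    if not rule_names:
        return True
    return any(rule_allows(rules.get(n, {}), ep) for n in rule_names)
```
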
Configure Gold Master access for the selected Classification Rules
Once Classification Rules are imported, the next action is to assign the Classification Rules to the Gold Master.
- By default, Gold Master VMs and reservations are unrestricted.
- An Administrator or Incharge can modify access policy configurations at the time of adding or editing a Gold Master or reservation.
- One or multiple classification rules can be added to Gold Masters.
- Gold Master access policy configurations have higher precedence: once a Gold Master is restricted to specific classification rules, all the reservations made from this Gold Master also inherit the access policy. E.g., if a Gold Master VM's access is restricted by Classified ClassRule#1 and Classified ClassRule#2, then reservations made from this Gold Master will by default be restricted to Classified ClassRule#1 and Classified ClassRule#2. However, the admin can modify the reservations to restrict them further to more limited endpoints by removing allowed classification rules.
  - New Classification Rule additions will not be allowed for reservations that have restrictions at the Gold Master level.
- While modifying the access policies at Gold Master level, a warning is displayed with the list of affected reservations, so the administrator can check and update the reservations accordingly.
- Access policies defined on a Gold Master also apply to self-study and course self-study reservations created from it.
Configure Reservations with Classification Rules
Two types of access policies can be defined for reservations:
- Inherit from Gold Master
  - If the Gold Master is configured with unrestricted access, reservations inheriting access policies from the Gold Master will also have unrestricted access.
  - If the Gold Master is configured with restricted access, reservations inheriting access policies from the Gold Master will be accessible only from endpoints allowed by its classification rules.
- Use specified access policy
  - For reservations from an unrestricted Gold Master, specifying classification rules affects only the current reservation, and any classification rule can be added.
  - For reservations where the Gold Master is restricted, only classification rules that are given access at Gold Master level can be specified. Classification rules can be removed from such reservations but cannot be added.
- Permissions to modify Access Policy Configurations
  - All the users who have access to modify Gold Master configurations will be able to modify the access policies.
  - All the users who have access to modify reservations will be able to modify the access policies of the reservations.
User Experience of Restricted Reservations
- Access from HyLite to restricted reservations will be shown as disabled.
- Reservations will not be shown in the client application tray if the reservation is not available or is not accessible due to access policies.
Known Behavior with Classification Rules Feature
- Access from HyLite uses only the WAN-based classification rules, so if a reservation must be restricted when accessed from HyLite, a specific rule with WAN IPs must be specified.
- While connecting from HyWorks Clients, WAN IP rules can also be used as LAN IPs.
- If a user logs in from network #A, which is allowed, then moves to network #B (a restricted network) and connects to the assigned reserved VMs, the connection will not be blocked, because HyLabs currently validates access policies at the time of login only.