Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Configuring Network Service ACLs
To configure access rules for network services, complete the following steps:
- In the WebUI, set the filter to a group that contains at least one AP.
The dashboard context for the group is displayed. - Under , click > .
A list of APs is displayed in the view. - Click the icon.
The tabs to configure the APs are displayed. - Click , and click the tab.
The Security details page is displayed. - Click the accordion.
- Under , click to add a new rule.
The window is displayed. - Under , select .
- To configure access to applications or application categories, select a service category from the following list:
- Based on the selected service category, configure the following parameters:
Table 1: Access Rule Configuration Parameters
Data Pane Item
Description
Select a rule type from the list, for example .
Select a service from the list of available services. You can allow or deny access to any or all of the following services based on your requirement:
—Access is allowed or denied to all services.
—Available options are TCP Transmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. , UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received., and Other. If you select the TCP or UDP options, enter appropriate port numbers. If you select the Other option, enter the appropriate ID.
If TCP and UDP uses the same port, ensure that you configure separate access rules to permit or deny access.
Select any of following attributes:
Select to allow access users based on the access rule.
Select to deny access to users based on the access rule.
Select to allow the changes to destination IP address.
Select to allow changes to the source IP address.
Select a destination option. You can allow or deny access to any the following destinations based on your requirements.
—Access is allowed or denied to all destinations.
—Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
—Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
—Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
—Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the text box.
—Traffic to the specified AP is allowed. After selecting this option, specify the domain name in the text box.
—Traffic to the specified AP network is allowed. After selecting this option, specify the domain name in the text box.
—Traffic to the specified master AP or virtual controller is allowed. After selecting this option, specify the domain name in the text box.
Select to create a log entry when this rule is triggered. The HPE Aruba Networking Central firewall Firewall is a network security system used for preventing unauthorized access to or from a private network. supports firewall based logging. Firewall logs on the APs are generated as security logs.
Select to denylist the client when this rule is triggered. The denylisting lasts for the duration specified as on the tab of the window.
Select to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. traffic and the traffic is marked as follows:
Video: Priority 5 (Critical)
Voice: Priority 6 (Internetwork Control)
Select to disable ARM Adaptive Radio Management. ARM dynamically monitors and adjusts the network to ensure that all users are allowed ready access. It enables full utilization of the available spectrum to support maximum number of users by intelligently choosing the best RF channel and transmit power for APs in their current RF environment. scanning when this rule is triggered.
The selection of the applies only if ARM scanning is enabled.
Select to specify a DSCP Differentiated Services Code Point. DSCP is a 6-bit packet header value used for traffic classification and priority assignment. value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63.
Select to specify an 802.1 priority. Specify a value between 0 and 7.
Select this check box to allow a specific user to access the network for a specific time range. You can select the time range profile from the drop-down list that appears when the check box is selected.
- Click .
