Campus Switching and Routing

New Contributor
Posts: 4
Registered: ‎06-20-2014

With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

I have 2 vlans - employee & guest.  I want to block guest from employee vlan but allow internet access.

With Cisco I would have done

ip access-list extended BlockGuest
 deny   ip 10.30.54.0 0.0.0.255 10.30.50.0 0.0.0.255
 permit ip any any

interface Vlan54
 description Guest
 ip address 10.30.54.1 255.255.255.0
 ip access-group BlockGuest in

Can someone point me in the right direction to the Aruba equivalent?

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

In the Aruba world you would create firewall policies and tie them to a user role.

Take a look at the access control section under the Configuration tab.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

You create an ACL similar to the one created in Cisco and then apply it under the guest user-role.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
New Contributor
Posts: 4
Registered: ‎06-20-2014

Re: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

Guest user-role - Is that assuming that the pc that is plugged into a port, then has to authenticate before allowing access?

So you have to use the Captive Portal?

Do you have to use authentication or can you take that off?

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

Sorry, are we talking an Aruba MAS or wireless controller?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎06-20-2014

Re: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

MAS.

Although most likely it will only be APs accessing Guest, but they don't want Guest to authenticate.

Would the Aruba APs be able to restrict the access?

Reading RN for 7.3 and it talks about

Router ACLs (RACLs)
Router ACLs perform access control on all traffic entering the specified Routed VLAN Interface. Router ACLs provide
access control based on the Layer 3 addresses or Layer 4 port information and ranges. RACLs can only be applied
to ingress traffic.

Would that not be the same as Cisco VACLs - would have been nice to see an example in the user guide

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

Are these wired ports only going to serve guest users or will you want an authenticated user to be able to use them too?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎06-20-2014

Re: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

Some ports would be Employees.

Some would be trunk ports to AP - both vlans - none of the ports should make you authenticate.

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

In that case, yes, you would configure an ACL on the VLAN interface. The commands are almost identical to Cisco.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
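
The ACL from the original question can be checked offline before it is applied to the VLAN interface. The Python sketch below is an added example, not part of the thread and not Aruba or Cisco tooling; it models only `ip` rules with wildcard masks, first-match ordering and the implicit deny, and the test addresses (including the 10.30.51.0/24 subnet) are constructed.

```python
import ipaddress

# The ACL from the original question (Cisco extended-ACL syntax, `ip` rules only).
BLOCK_GUEST = """
deny   ip 10.30.54.0 0.0.0.255 10.30.50.0 0.0.0.255
permit ip any any
"""

def _addr_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"unsupported rule: {line!r}")
        rest = tokens[2:]
        src = _addr_spec(rest)
        dst = _addr_spec(rest)
        rules.append((tokens[0], src, dst))
    return rules

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # a wildcard bit of 1 means "ignore this bit"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def evaluate(rules, src, dst):
    """First matching rule wins; if nothing matches, the implicit deny applies."""
    for action, src_spec, dst_spec in rules:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(BLOCK_GUEST)
    # Constructed test flows: guest host to employee, to a documentation-range
    # "internet" address, and to a neighbouring internal subnet not in the thread.
    for dst in ("10.30.50.10", "198.51.100.7", "10.30.51.10"):
        print(f"10.30.54.20 -> {dst}: {evaluate(acl, '10.30.54.20', dst)}")
```

The third flow is permitted: the ACL as written blocks only 10.30.50.0/24, so any other internal subnet that guests must not reach needs its own deny line above the final permit.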