Controller Based WLANs

Does the ACL on a wired port require the port to be untrusted?

Aruba Employee

Can we put ACL on a wired port?
Will that ACL work if the port is trusted?
Will the user-traffic fall in a role?

 

Environment : This Article applies to all Aruba controllers and coder versions.

 

Aruba controllers uses stateful firewall. ACLs are applied to roles into which the user falls.

A user falls into a role in these situations:



  • A wireless user connects and falls into pre-auth or post auth-role as per the aaa profile mapped to that virtual AP.
  • A wired user falls into a pre-auth or post auth-role as per the aaa wired profile.


For these users, you can define the access levels in the roles based upon the ACLs. However if a user connects to a wired port that is trusted, you cannot limit his access based upon roles. You must apply the ACLs to the wired interface.

Example
To allow only a few clients to get web and SSH access to the controller from the trusted wired ports, follow these steps:



  1. Make a list of the IPs that are allowed to access the controller.

    # configure terminal

    # netdestination allowed-access


    # host 10.1.1.243

    # host 10.1.1.167


     
  2. Create an alias that includes all the VLAN IP addresses that are configured on the controller.

    # netdestination vlan-addresses

    # host 1.1.1.1


    # host 2.2.2.2

     
  3. Create ACLs with a permit statement in the end.

    # ip access-list session limit-management-access
    # alias allowed-access alias vlan-addresses svc-https permit
    # alias allowed-access alias vlan-addresses svc-ssh permit
    # any vlan-addresses svc-https deny
    # any vlan-addresses svc-ssh deny
    # any any any permit
    # end
    # write memory


     
  4. Apply this ACL on all trusted wired ports on the controller.

    # configure terminal
    # interface gigabitethernet 1/0
    # ip access-group limit-management-access session
    # end
    # write memory


    This ACL prevents management access to the controller from unauthorized access.

Thus to summarize:

1. We can put an ACL on any wired port on Aruba controller.
2. The port need not be trusted for the ACL to take effect.
3. The user will not fall in a role and the traffic will be dropped as defined by ACL.
3. If the port is untrusted and there is an ACL applied on the interface, the traffic denied by the ACL will NOT hit the session acl as per defined by the role in "aaa authentication wired".

Version history
Revision #:
1 of 1
Last update:
‎06-29-2014 10:33 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.