Controller Based WLANs

How do we create IPv4 and IPv6 service ACL’s and how do we verify its working?

by on 06-29-2014 06:31 PM

Environment : This article applies to Aruba Mobility Controllers running ArubaOS version 6.3.0.0 or higher


A Service-ACL restricts which protocols and services specific hosts and subnets may use when their traffic enters the controller itself (control-plane traffic). Rules in this ACL are applied to all traffic destined for the controller, regardless of the ingress port or VLAN.

(Note: Rules within these ACLs also apply to traffic originating from wireless clients that is encapsulated in the GRE tunnel between the AP and the controller.)

The Service-ACLs pre-defined in ArubaOS protect the control plane from attack and help ensure WLAN uptime. However, these pre-defined ACLs are not customizable and do not suit every customer deployment. To allow these ACLs to be tightened for a customer's environment, Aruba enhanced ArubaOS 6.3.0.0 so that customers may create their own rules in addition to the pre-defined list.

Below are command-line screenshots showing how to create IPv4 and IPv6, host-based and subnet-based service ACLs:


First, let's check whether any user-defined service ACLs already exist on this controller using the command:

#show firewall-cp

(screenshot: output of show firewall-cp with no user-defined rules)



There are no user-defined service ACLs present, so let's configure some IPv4 and IPv6, host-based and subnet-based service ACLs:


(screenshot: CLI session configuring IPv4 and IPv6 host and subnet service ACL rules)
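As an added example (not part of the original article and not the exact session shown in its screenshot), the following CLI transcript sketches how such rules are entered under the control-plane firewall context. The rule syntax (`firewall cp`, then `ipv4|ipv6 deny|permit {host <addr> | <addr> <mask>} proto <number> ports <start> <end>`) is reproduced from the ArubaOS 6.x CLI reference as remembered here and should be confirmed against the controller's own `?` help; the `(host)` prompt, the 10.10.10.0/24 subnet and the 2001:db8:: addresses are constructed values, while 192.168.20.10 is the host used in the article's verification step.

```text
! Enter configuration mode and the control-plane firewall context.
(host) #configure terminal
(host) (config) #firewall cp

! IPv4, single host: deny ICMP (protocol 1) and Telnet (TCP/23) from
! 192.168.20.10, the host whose traffic the article shows being denied.
! (A full port range is assumed to be required even for ICMP.)
(host) (config-fw-cp) #ipv4 deny host 192.168.20.10 proto 1 ports 0 65535
(host) (config-fw-cp) #ipv4 deny host 192.168.20.10 proto 6 ports 23 23

! IPv4, subnet: deny SSH (TCP/22) from the constructed subnet 10.10.10.0/24.
(host) (config-fw-cp) #ipv4 deny 10.10.10.0 255.255.255.0 proto 6 ports 22 22

! IPv6, single host and subnet (documentation prefix 2001:db8::, constructed):
! deny Telnet from one host and ICMPv6 (protocol 58) from a /64.
(host) (config-fw-cp) #ipv6 deny host 2001:db8::10 proto 6 ports 23 23
(host) (config-fw-cp) #ipv6 deny 2001:db8:1::/64 proto 58 ports 0 65535

(host) (config-fw-cp) #exit
(host) (config) #write memory

! Confirm the user-defined rules are present; after generating ICMP or
! Telnet traffic from 192.168.20.10, re-run this to see it being denied.
(host) #show firewall-cp
```

User-defined rules are evaluated in addition to the pre-defined control-plane rules, so after adding deny entries it is worth re-checking that legitimate management access (for example, SSH from the administrator's subnet) still reaches the controller before saving the configuration.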



How to verify that the configured user-defined service ACLs are blocking the ingress traffic:


For example, ICMP and Telnet (port 23) traffic from host 192.168.20.10 is being denied, as can be seen in the output below:


(screenshot: output of show firewall-cp showing ICMP and Telnet from 192.168.20.10 being denied)
