Domain-name ACL feature in IAP 4.0

Aruba Employee

Environment: guest users want access to services such as the Apple App Store and Android Market Place.


Captive portal guest network providers want to allow access to services such as the Apple App Store and Android Market Place.

These services require HTTPS and do not have fixed public IP addresses, only domain names.


· Extend the domain-name ACL feature in AOS to support a distributed networking system such as Instant.
· Each AP intercepts and caches the DNS requests and responses from client devices.
· During ACL rule matching, the cached DNS-to-IP mapping is used to determine whether a particular session should be permitted or denied.
· A maximum of 127 domains and 2048 IP address mappings across those 127 domains is supported.
· When a client roams, the mapping for that client is moved from its previously associated AP to its newly associated AP.
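As an added example (not Aruba code), the mechanism in the bullets above modelled in Python: one object per AP holding the per-client DNS cache, the 127-domain and 2048-mapping limits, rule matching against the cached answers, and the hand-over on roam. The client MACs, rule tuples and 198.51.100.x addresses are constructed sample values.

```python
from collections import defaultdict
from ipaddress import ip_address

MAX_DOMAINS = 127      # limits stated in the article
MAX_MAPPINGS = 2048


class InstantAP:
    """One AP in the cluster: per-client DNS cache plus the domain ACL rules.
    Constructed model of the mechanism described above, not Aruba's implementation."""

    def __init__(self, rules):
        # rules: ordered list of (domain, proto, (first_port, last_port), action)
        domains = {r[0] for r in rules}
        if len(domains) > MAX_DOMAINS:
            raise ValueError(f"at most {MAX_DOMAINS} domains supported, got {len(domains)}")
        self.rules = rules
        self.rule_domains = domains
        # client MAC -> domain -> set of IPs learned from intercepted DNS answers
        self.cache = defaultdict(lambda: defaultdict(set))

    def mapping_count(self):
        return sum(len(ips) for by_dom in self.cache.values() for ips in by_dom.values())

    def learn_dns(self, client, domain, answers):
        """Intercept a DNS response for `client`; cache it only if a rule uses the name
        and the AP-wide mapping limit is not exceeded. Returns the number of IPs cached."""
        if domain not in self.rule_domains:
            return 0
        added = 0
        for ip in answers:
            ip = str(ip_address(ip))            # normalise; rejects malformed answers
            if ip in self.cache[client][domain]:
                continue
            if self.mapping_count() >= MAX_MAPPINGS:
                break                           # table full: further answers are not learned
            self.cache[client][domain].add(ip)
            added += 1
        return added

    def match(self, client, dst_ip, proto, dport):
        """Evaluate a new session against the rules in order, resolving each rule's domain
        through this client's cached answers. None means no domain rule matched."""
        dst_ip = str(ip_address(dst_ip))
        for domain, rproto, (lo, hi), action in self.rules:
            if rproto not in ("any", proto) or not lo <= dport <= hi:
                continue
            if dst_ip in self.cache[client].get(domain, ()):
                return action
        return None

    def roam(self, client, new_ap):
        """Client moved: hand its cached mapping to the newly associated AP."""
        if client in self.cache:
            new_ap.cache[client] = self.cache.pop(client)
```

A destination that was never resolved through this AP by this client matches no domain rule, which is why the cache is per client and follows the client on roam.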

WEBUI Configuration:

(screenshot: rtaImage 1.png)
CLI Configuration:

• [no] rule alias "domain" match proto <proto> <port> permit/deny/dst-nat/src-nat

d8:c7:c8:c0:85:0c# show acl domains
-----------  ------   used(1)

d8:c7:c8:c0:85:0c# show datapath acl 138
Datapath ACL 138 Entries
Flags: P - permit, L - log, E - established, M/e - MAC/etype filter
       S - SNAT, D - DNAT, R - redirect, r - reverse redirect, m - Mirror
       I - Invert SA, i - Invert DA, H - high prio, O - set prio, C - Classify Media
       A - Disable Scanning, B - black list, T - set TOS, 4 - IPv4, 6 - IPv6
       d - Domain DA
 1:  any  any  17 0-65535 8209-8211  P4
 2:  any  any  P
 3:  any  any  any  P4

d8:c7:c8:c0:85:0c# show datapath dns-id-map
Hash index entries:
id:1 entry:0

Entry:0 id:1
6 entries

Version history
Revision #:
1 of 1
Last update:
07-04-2014 11:18 AM