Wired Intelligent Edge

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Need to create an Access-List for a specific VLAN

  • 1.  Need to create an Access-List for a specific VLAN

    Posted Aug 16, 2021 11:20 AM

    I am trying to think of a way to apply an Access-list that would be standard across multiple locations.

    ***************************************************************************

    VLAN25 is standard on many of my network switches.

    VLAN 25 is always on the 172.20.0.0/16 subnet.

    We have at least 50 locations with VLAN 25.

    Each office location has a Class "C" out of the 172.20.0.0/16 subnet.

    Hosts on VLAN 25 normally replicate data to the data centers and it can flood out bandwidth.

    My manager asked if I could limit traffic from VLAN 25 to 20% of total traffic from 8 AM to 5 PM AND he wanted to be able to apply the same ACL on all routers.

    OK, that was easy. I added this ACL & "matched" it on a policy map configured on the router at each office.

    ip access-list extended FTR-Limit
    permit ip 172.20.0.0 0.0.255.255 any time-range FTR
    permit ip any 172.20.0.0 0.0.255.255 time-range FTR

    The good part of this ACL is that it is standard on each router.

    The bad part is that any host on VLAN 25 (say 172.20.2.0/24) will use unlimited bandwidth when it transfers files to 172.20.3.0/24.
    *********************************

    Is there some kind of policy-map ability on the Aruba 2930 switch?

    I want to limit traffic from the Class C subnet on each switch where I have VLAN 25 configured.

    permit ip VLAN25 any time-range FTR
    permit ip any  time-range FTR



    ------------------------------
    tom gilmore
    ------------------------------
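The point of the question above is that one ACL has to be standard across 50 sites while each site's VLAN 25 is a different /24 inside 172.20.0.0/16. The following is an added example, not code from the thread or from Aruba: it derives each site's /24 from the switch's own VLAN 25 SVI address, renders the two-line ACL from the original post in IOS-style wildcard form with the site /24 substituted for the /16, and evaluates which flows the entries would match during the 8 AM to 5 PM window. The addresses, the ACL name "FTR-Limit" and the 08:00-17:00 window for time-range "FTR" are assumptions taken from the thread's description, since the time-range itself is not defined on the page.

```python
from datetime import time
from ipaddress import IPv4Address, IPv4Network

# Constructed sample values (assumptions, not from the thread's config):
# the supernet every site's VLAN 25 is carved from, and the time window
# the OP describes for time-range FTR.
VLAN25_SUPERNET = IPv4Network("172.20.0.0/16")
FTR_START, FTR_END = time(8, 0), time(17, 0)


def wildcard(net: IPv4Network) -> str:
    """Cisco-style wildcard mask (inverted netmask) for an ACL entry."""
    return str(net.hostmask)


def site_vlan25_network(svi_address: str) -> IPv4Network:
    """Derive the site's VLAN 25 prefix from the switch's own SVI address,
    e.g. '172.20.2.1/24' -> 172.20.2.0/24.  Refuses addresses that are not
    inside the agreed supernet, so a mistyped SVI cannot silently widen the ACL."""
    net = IPv4Network(svi_address, strict=False)
    if not net.subnet_of(VLAN25_SUPERNET):
        raise ValueError(f"{svi_address} is not inside {VLAN25_SUPERNET}")
    return net


def render_acl(name: str, site_net: IPv4Network) -> str:
    """Render the OP's two ACEs with the site prefix in place of the /16,
    keeping the same shape at every site so the policy-map stays standard."""
    wc = wildcard(site_net)
    return "\n".join([
        f"ip access-list extended {name}",
        f" permit ip {site_net.network_address} {wc} any time-range FTR",
        f" permit ip any {site_net.network_address} {wc} time-range FTR",
    ])


def in_time_range(t: time) -> bool:
    """True inside the assumed 08:00-17:00 window of time-range FTR."""
    return FTR_START <= t < FTR_END


def matches(site_net: IPv4Network, src: str, dst: str, t: time) -> bool:
    """True if a flow src->dst at time t would hit either ACE of the ACL
    rendered for site_net (and therefore be policed by the policy-map)."""
    if not in_time_range(t):
        return False
    s, d = IPv4Address(src), IPv4Address(dst)
    return s in site_net or d in site_net


if __name__ == "__main__":
    # Two example sites; the SVI address is the only per-site input.
    for svi in ("172.20.2.1/24", "172.20.3.1/24"):
        site = site_vlan25_network(svi)
        print(render_acl("FTR-Limit", site))
        # A host from another office transiting this router is matched by the
        # /16 version of the ACL but not by the site-specific one.
        print("other-office flow matched (site /24):",
              matches(site, "172.20.9.5", "10.1.1.1", time(9, 0)))
        print("other-office flow matched (/16):",
              matches(VLAN25_SUPERNET, "172.20.9.5", "10.1.1.1", time(9, 0)))
        print()
```

Running it prints the FTR-Limit ACL for each site and shows that, with the per-site /24, only that office's own VLAN 25 hosts are matched, whereas the /16 entry from the original post matches any 172.20.x.x address that passes through the router. The time check models the IOS time-range only in the coarse sense the thread describes; the real evaluation is done by the router.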


  • 2.  RE: Need to create an Access-List for a specific VLAN

    Posted Aug 17, 2021 05:16 AM


    ------------------------------
    Laurent from Brest / France
    Network Engineer
    ------------------------------



  • 3.  RE: Need to create an Access-List for a specific VLAN

    Posted Aug 17, 2021 02:46 PM

    That is a fantastic option & I plan to work with it.

    My current access list is time based.

    Rate limiting only occurs between 8 AM & 5 PM.
    I very much appreciate this answer, but do you know of any way I can apply a rate limit to the VLAN and have the rate limiting be time-based?



    ------------------------------
    tom gilmore
    ------------------------------



  • 4.  RE: Need to create an Access-List for a specific VLAN

    Posted Aug 18, 2021 07:50 AM
    You might have to do some funky scripting to achieve the time-based ACL if it's not supported in AOS.


  • 5.  RE: Need to create an Access-List for a specific VLAN

    Posted Aug 19, 2021 06:13 AM
    Since 10.08 there is a job scheduler, thread here.

    Other solution is to use the switch API to add/remove the config at the time you want.

    ------------------------------
    Laurent from Brest / France
    Network Engineer
    ------------------------------



  • 6.  RE: Need to create an Access-List for a specific VLAN

    Posted Aug 22, 2021 09:21 AM
    https://www.arubanetworks.com/techdocs/AOS-CX/10.08/PDF/job_scheduler.pdf

    You can script what you want :)
    job acl1
    .... 
    schedule daily
    ...

    ------------------------------
    Laurent from Brest / France
    Network Engineer
    ------------------------------