Adding ACL to Camera on several switches

  • 1.  Adding ACL to Camera on several switches

    Posted Jan 18, 2022 12:58 PM
    Hi Friends,

    I need some advice on ACLs; this could be a basic networking problem :)

    We now have several security cameras spread across several CX switches on our site. I was planning to apply an ACL to the SVI interface, but I read somewhere that if I apply an ACL to the VLAN SVI interface on the core switch to only allow certain IP traffic to get through, people will still be able to somehow reach the cameras if they are on the same switch and the same VLAN. Is there a point in applying an ACL to the camera interfaces on the access switches as well? Or will applying the ACL to the SVI interface be good enough?

    Thanks a lot,
    ML

    ------------------------------
    Mang Lai
    ------------------------------


  • 2.  RE: Adding ACL to Camera on several switches

    MVP GURU
    Posted Jan 19, 2022 02:56 AM
    Hi Mang, why do you have hosts and security cameras on the very same broadcast domain (VLAN)? Segment them onto different VLANs and segregate them with proper ACLs; at that point your idea of applying an ACL to the security cameras' VLAN will solve your issue.

    ------------------------------
    Davide Poletto
    ------------------------------



  • 3.  RE: Adding ACL to Camera on several switches

    Posted Jan 19, 2022 05:32 PM
    Hi David,

    Thanks for the reply. Yes, the cameras are in a separate VLAN.

    I just read somewhere someone saying a port VLAN is more secure and meaningful, considering an attack could happen on the same switch if there is no ACL defined on the edge switch.... I know traffic won't be routed successfully across different VLANs if it cannot be routed via the SVI...

    So you think I should apply the ACL to the VLAN interface on the core switch? Or should I apply the ACL on the edge switches for the ports or local VLAN as well?

    Thanks
    ML

    ------------------------------
    Becoming a Networking Engineer
    ------------------------------



  • 4.  RE: Adding ACL to Camera on several switches

    EMPLOYEE
    Posted Jan 19, 2022 10:13 AM
    Separating these devices on VLANs would be the traditional solution. With AOS-CX User Roles, you can apply a camera role to the cameras and an employee role (for example) to employees, define in there what traffic is allowed, and even combine that with segmented VLANs.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: Adding ACL to Camera on several switches

    Posted Jan 19, 2022 05:35 PM
    Any guide on this?

    We do have port authentication pointing to a ClearPass server. I think it is secure enough. But some external security advisor suggested applying an ACL to the cameras... This is the reason why I am asking here...

    Thanks
    ML

    ------------------------------
    Becoming a Networking Engineer
    ------------------------------



  • 6.  RE: Adding ACL to Camera on several switches

    MVP GURU
    Posted Jan 20, 2022 04:34 AM
    Hi ML, yes...the ACL is a quite traditional approach...I don't know your scenario's details well enough to say if it is a too traditional approach or not (especially considering you already have Aruba ClearPass operating in your environment...) but, from the PoV of the effort required, once you apply a properly configured ACL on the VLAN (VLAN ingress) on the Core - where that VLAN has its SVI - you're "almost" done.

    ------------------------------
    Davide Poletto
    ------------------------------
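To make the difference between the placements discussed in posts 1 and 6 concrete, here is an added illustration (not configuration from any poster) of one camera ACL and the three points where it can be applied on AOS-CX. The VLAN number, subnets, VMS address and port names are assumed placeholders, and the exact syntax should be checked against the documentation for the switch model in use.

```text
! Constructed example: cameras live in VLAN 50 (10.50.0.0/24), the
! VMS/NVR server is 10.10.10.5; everything else is denied and counted.
access-list ip CAMERA-ONLY-VMS
    10 permit udp any eq 68 any eq 67                  ! DHCP from cameras (source is 0.0.0.0 at first)
    20 permit tcp 10.50.0.0/24 10.10.10.5/32 eq 554    ! RTSP to the VMS
    30 permit tcp 10.50.0.0/24 10.10.10.5/32 eq 443    ! HTTPS / ONVIF to the VMS
    40 permit icmp 10.50.0.0/24 10.10.10.5/32          ! reachability checks
    50 deny any any any count                          ! count hits so drops are visible

! 1) Routed ACL on the SVI (core): filters only traffic that is ROUTED
!    into or out of VLAN 50. Camera-to-camera or host-to-camera traffic
!    that stays inside VLAN 50 never crosses this point, so it is not
!    filtered here. This is the gap the original question is about.
interface vlan 50
    ip address 10.50.0.1/24
    apply access-list ip CAMERA-ONLY-VMS in

! 2) VLAN ACL on the core (the "VLAN ingress" placement from post 6):
!    filters every frame ENTERING the core on VLAN 50, whether it is
!    later bridged or routed. It is still blind to frames bridged
!    port-to-port on an access switch, because those never reach the core.
vlan 50
    apply access-list ip CAMERA-ONLY-VMS in

! 3) Port ACL on each access-switch camera port: the only placement that
!    also catches traffic switched locally between two ports in VLAN 50
!    on the same access switch. Repeat per camera port, or deliver the
!    same ACL through a ClearPass-assigned user role as suggested in post 4.
interface 1/1/5
    no shutdown
    no routing
    vlan access 50
    apply access-list ip CAMERA-ONLY-VMS in
```

Note that placement 3 only inspects frames the camera itself sends; a host on another port in the same VLAN can still deliver packets to the camera until the camera's replies are dropped, so a user-facing port (or role) needs its own ACL to block that direction as well.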