How do we create IPv4 and IPv6 service ACLs, and how do we verify they are working?

Aruba Employee

Environment: This article applies to Aruba Mobility Controllers running ArubaOS version or higher


A service ACL restricts which protocols and services specific hosts and subnets may use when sending traffic into the controller itself (that is, traffic destined to the controller's control plane, not traffic transiting the controller). Rules in this ACL apply to all such traffic, regardless of the ingress port or VLAN.

(Note: rules in this ACL also apply to traffic originating from wireless clients, which reaches the controller encapsulated in the GRE tunnel between the AP and the controller. A deny rule for a subnet therefore also affects wireless clients in that subnet.)

The service ACLs predefined in ArubaOS protect the control plane from attack and help ensure WLAN uptime. However, these predefined rules are not customizable and do not suit every deployment. To allow the ACL to be tightened for a customer's environment, Aruba enhanced ArubaOS so that customers can add their own rules alongside the predefined list.

Below are the command-line steps to create IPv4 and IPv6, host- and subnet-based ACLs:

First, check whether any user-defined service ACLs already exist on this controller using the command:

#show firewall-cp


No user-defined service ACLs are present, so let's configure some IPv4 and IPv6, host- and subnet-based service ACLs:


How to verify that the configured user-defined service ACLs are blocking the ingress traffic:

For example: ICMP and Telnet (TCP port 23) traffic from the host is denied, as the output below shows:
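The following is an added worked example, not from the original article or from Aruba's documentation, that pulls the steps above together: it creates IPv4 and IPv6, host- and subnet-based rules in the ArubaOS `firewall cp` sub-mode and then checks them. All host and subnet addresses are constructed. The syntax follows the ArubaOS 6.x form `ipv4|ipv6 permit|deny <source> proto <number> ports <start> <end>`; the IPv6 prefix notation and the port range on the ICMP rule are assumptions, so confirm each form with `?` on your release before committing. Lines beginning with `!` are annotations, not CLI input.

```text
! Added example, not from the original article or ArubaOS documentation.
! Addresses are constructed. Do not deny the host or subnet you are
! managing the controller from, or you will lock yourself out.

(host) (config) #firewall cp

! IPv4, host-based: block Telnet (TCP 23) and ICMP from a single host
(host) (config-fw-cp) #ipv4 deny host 10.10.10.50 proto 6 ports 23 23
(host) (config-fw-cp) #ipv4 deny host 10.10.10.50 proto 1 ports 0 65535
! (proto 1 = ICMP; the port range is a placeholder and an assumption.
!  Check with "?" whether your release accepts a protocol keyword such
!  as "icmp" instead.)

! IPv4, subnet-based: block SNMP (UDP 161) from a guest subnet
(host) (config-fw-cp) #ipv4 deny 172.16.20.0 255.255.255.0 proto 17 ports 161 161

! IPv6, host-based: block SSH (TCP 22) from one IPv6 host
(host) (config-fw-cp) #ipv6 deny host 2001:db8:1::50 proto 6 ports 22 22

! IPv6, subnet-based: block Telnet (TCP 23) from a /64
! (prefix notation is an assumption; verify the accepted form with "?")
(host) (config-fw-cp) #ipv6 deny 2001:db8:2::/64 proto 6 ports 23 23

(host) (config-fw-cp) #exit
(host) (config) #write memory

! Verify: the user-defined rules are now listed with the predefined ones.
(host) #show firewall-cp

! Then generate the denied traffic from the blocked host, e.g. from
! 10.10.10.50:   ping <controller-ip>     telnet <controller-ip> 23
! Both should fail, and when "show firewall-cp" is run again the hit
! counter on the matching deny rule should have increased.
```

Two practical points: first, because the ACL also matches wireless-client traffic arriving over the AP GRE tunnel, a subnet deny written for a wired segment will silently block wireless clients that land in the same subnet, so test from both a wired and a wireless client. Second, always run `show firewall-cp` before and after the test traffic; a rule that appears in the list but whose counter never moves usually means the source address or protocol number in the rule does not match what the host actually sends.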


Version history: Revision 1 of 1, last update 06-29-2014 06:31 PM