How do we create IPv4 and IPv6 service ACLs, and how do we verify that they are working?
Environment: This article applies to Aruba Mobility Controllers running ArubaOS version 188.8.131.52 or higher.
A service ACL restricts which protocols and services selected hosts and subnets may use when their traffic is destined to the controller itself, that is, to its control plane. Rules in this ACL are applied to all such traffic reaching the controller, regardless of the ingress port or VLAN.
(Note: these rules also apply to traffic originating from wireless clients that arrives encapsulated in the GRE tunnel between the AP and the controller.)
The service ACLs pre-defined in ArubaOS protect the control plane from attack and help ensure WLAN uptime. However, these pre-defined ACLs are not customizable and do not suit every customer deployment. To allow them to be tightened for a customer's environment, Aruba enhanced ArubaOS 184.108.40.206 so that customers can create their own rules in addition to the pre-defined list. Because a user-defined deny rule is enforced on every management protocol it matches, test deny rules from a host you do not administer the controller from and make sure your management hosts remain permitted; a deny rule that matches SSH or HTTPS from your own workstation will lock you out of the controller.
Below are the command line screenshots for creating IPv4 and IPv6, host- and subnet-based ACLs.
First, check whether any user-defined service ACLs already exist on this controller using the command:
There are no user-defined service ACLs present, so let us configure some IPv4 and IPv6, host- and subnet-based service ACLs:
How to verify that the configured user-defined service ACLs are blocking the ingress traffic:
For example, ICMP and Telnet (TCP port 23) traffic from host 192.168.20.10 is denied, as can be seen in the output below:
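The session below is an added example illustrating the configure-then-verify procedure described above; it is not a reproduction of the article's own screenshots. It assumes the ArubaOS 6.x control plane firewall CLI as I recall it: the `firewall cp` configuration context, `ipv4`/`ipv6` rules of the form `{permit|deny} {any | host <addr> | <subnet>} proto <num|name> [ports <min> <max>]`, and `show firewall-cp` and `show datapath session table` for verification. The host 192.168.20.10 is the article's own example; the subnet 192.168.20.0/24 and the IPv6 addresses under 2001:db8::/32 are made-up documentation values. Lines beginning with `!` are annotations, not commands to type. Confirm the exact argument syntax with `?` at each prompt for your release before relying on it.

```console
! Step 1: confirm there are no user-defined control plane rules yet.
(host) (config) #show firewall-cp

! Step 2: enter the control plane firewall context and add rules.
(host) (config) #firewall cp
! IPv4, host-based: deny ICMP and Telnet (TCP/23, proto 6) from 192.168.20.10.
(host) (config-fw-cp) #ipv4 deny host 192.168.20.10 proto icmp
(host) (config-fw-cp) #ipv4 deny host 192.168.20.10 proto 6 ports 23 23
! IPv4, subnet-based: deny SNMP (UDP/161, proto 17) from the whole /24.
(host) (config-fw-cp) #ipv4 deny 192.168.20.0 255.255.255.0 proto 17 ports 161 161
! IPv6 equivalents, host-based and prefix-based (assumed syntax).
(host) (config-fw-cp) #ipv6 deny host 2001:db8::10 proto icmp
(host) (config-fw-cp) #ipv6 deny 2001:db8::/64 proto 6 ports 23 23
(host) (config-fw-cp) #exit
(host) (config) #write memory

! Step 3: verify. The rule table now lists the user-defined entries;
! re-run it after generating test traffic and compare the hit counters.
(host) (config) #show firewall-cp

! Step 4: from 192.168.20.10, ping the controller and attempt telnet to it,
! then inspect the datapath sessions for that host. Sessions the control
! plane firewall dropped are marked with the D (deny) flag in the Flags column.
(host) (config) #show datapath session table 192.168.20.10
```

Run the verification step from the denied host only after confirming, from a different host, that SSH or HTTPS management of the controller still works; if the deny rules were written too broadly, the unaffected host is what lets you remove them.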