What is the function of service ACL in 6.3? (or) How do I block selected protocols and services ingress into controller, regardless of ingress port or vlan?

Aruba Employee
Aruba Employee

Environment : This article applies to Aruba Mobility Controllers running ArubaOS version or higher.


Access control lists (ACLs) are a common way of restricting certain types of traffic on a physical port. ArubaOS provides the following types of ACLs:
  • Standard ACLs
  • Extended ACLs
  • MAC ACLs
  • Ethertype ACLs
  • Service ACLs
Service-ACL is a way to restrict the use of selected protocols and services from specific hosts and subnets to the controller. Rules within this ACL will be applied to all traffic on the controller, regardless of the ingress port or VLAN.

(Note: Rules within these ACL's also applies to traffic originating from wireless clients, that is encapsulated in a GRE tunnel between AP and controller)

Service-ACLs pre-defined in ArubaOS protects the control plane from an attack and ensures WLAN uptime. However these ACLs are not cutomizable and do not suit to every customer deployment. Inorder to tighten these ACLs based on customer's environment, Aruba has made enhancements in ArubaOS, so that customer may create rules in addition to the pre-defined list.

With the ArubaOS release, the Control Plane Firewall supports below features:
  • Supports IPv4 and IPv6
  • Extends existing cp-firewall functionality with IPv4 and IPv6 source address fields
  • Firewall-cp rules will be applied to all traffic on the controller regardless of the ingress port or VLAN.
  • The rule set applies to all configured interfaces no the controller.
  • Rules will apply to interfaces that are configured via DHCP even if their IP address changes after boot time.
  • Users may create rules in addition to the predefined list, using CLI or GUI.
  • User-defined rules will take precedence over the predefined list.

Care should be taken not to define rules that degrade network capability by restricting traffic on ports, essential for basic operations. Some commonly used services are listed as below:

File Transfer Protocol
Hypertext Transfer Protocol
Secure HTTP
Internet Control Message Protocol
Simple Network Management Protocol
Secure Shell
Telnet Protocol
Trivial File Transfer Protocol

Below are the commands to look for control plane firewall rules:

For predefined control plane firewall rules:  "show firewall-cp intenal"


For user defined control plane firewall rules:  "show firewall-cp"


NOTE: Customers with existing user-defined rules for cp firewall will need to either edit their configuration to adhere to the new cp firewall syntax or need to recreate their entries via CLI or GUI.


Version history
Revision #:
1 of 1
Last update:
‎06-29-2014 06:34 PM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: