Wired Intelligent Edge (Campus Switching and Routing)

AOS-CX (8320) ACL testing simulation ???

Are there any good tools and/or websites that can simulate the accurate testing of aos-cx vlan access lists?

The current aos-cx logging feature only works with "DENY" and is limiting. I need to make sure traffic is allowed and denied in a manner that improves our security and does not create an unintentional security hole and expedites ACL strengths/weaknesses answers.

Any and all suggestions are appreciated.


../smb/air

Accepted Solutions
MVP Guru

Re: AOS-CX (8320) ACL testing simulation ???

Few things:

- Spirent or IXIA testing could provide proof that ACL filters are line-rate and enforcing security as defined in the ACL

- use count on permit sequence to have some visibility on permitted flows

- sFlow could also be an option to monitor flow stats.


All Replies


Re: AOS-CX (8320) ACL testing simulation ???


@vincent wrote:

"Few things:

- Spirent or IXIA testing could provide proof that ACL filters are line-rate and enforcing security as defined in the ACL

- use count on permit sequence to have some visibility on permitted flows..."

 

 


FROM: aoscx-noob >>>

The following is my wish list that I have submitted to our HPE rep:

The current aos-cx ACL LOG and/or COUNT is insufficient and inaccurate. Adding a single ACE may break the ACL without potentially hours of customer testing to prove ACL changes.

We need a better way to trace packets as they traverse the ACLs.

Suggestion (online customer tool and security procedures): <<<DRAFT#20191211-R2>>>

  • Upload TEXT version of the OBJECT-GROUPs
  • Upload TEXT version of the ACCESS-LIST
  • Upload TEXT version of the APPLY access-list
  • Choose AUTO simulation based on various (aos-cx version(s) and OEM switch models) testing OR manually choose packet types, packet ports, packet source (IP or URL), packet destination (IP or URL)
  • Simulator in AUTO mode will thoroughly test and trace aruba designed packets and/or customer custom packets.
  • Then simulator will display TRACE LOG and counts.
  • Then simulator will also offer "What-If" simulations canned and custom.
  • The simulator will allow dynamic and real-time modifications to OBJECTs, ACCESS-LISTs entries, and APPLYs.
  • Various reporting services will also be provided by simulator.
  • FINAL: All reporting, logs, traces, revisions, customization, and config modifications may be exported/downloaded in COMMAND mode as needed by the customer.

../smb/air
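The offline tracer the wish list asks for, together with vincent's point about putting `count` on permit entries, can be prototyped without a switch. The Python below is an added example written for this thread, not a tool from Aruba/HPE or from any poster. It handles only a small subset of AOS-CX ACL syntax (`object-group ip address`, `object-group port`, `access-list ip` with permit/deny, any/host/prefix/group addresses, eq/range/group ports, `count` and `log`); the object-group names, addresses, ACEs and test packets in it are all constructed. Given config text and a list of packets it returns, per packet, the matching ACE and action (falling through to the implicit deny that ends every AOS-CX ACL), a line-by-line trace, and the hit counts that `count` entries would show.

```python
"""Added example: offline tracer for a small subset of AOS-CX IPv4 ACL text.
Parses object-group / access-list blocks, walks constructed packets through the
ACEs in sequence order and reports the matching ACE, per-ACE 'count' hits and
'log' flags, plus the implicit deny that ends every ACL. 'apply' lines are
skipped, not modelled."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(None, None))

def _ports(tok):
    """'eq 80' -> {80}; 'range 8000 8080' -> {8000, ..., 8080}."""
    return {int(tok[1])} if tok[0] == "eq" else set(range(int(tok[1]), int(tok[2]) + 1))

def _parse_ace(t, addr_groups, port_groups):
    i = 3  # tokens: seq action proto src [sport] dst [dport] [count] [log]

    def addr():  # 'any' -> [] (matches all); 'group NAME', host or prefix -> networks
        nonlocal i
        if t[i] == "group":
            i += 2
            return addr_groups[t[i - 1]]
        i += 1
        return [] if t[i - 1] == "any" else [ipaddress.ip_network(t[i - 1], strict=False)]

    def port():  # None -> any port; a 'group' here must name a port object-group
        nonlocal i
        if i < len(t) and t[i] in ("eq", "range"):
            n = 2 if t[i] == "eq" else 3
            i += n
            return _ports(t[i - n:i])
        if i + 1 < len(t) and t[i] == "group" and t[i + 1] in port_groups:
            i += 2
            return port_groups[t[i - 1]]
        return None

    src, sport, dst, dport = addr(), port(), addr(), port()
    return dict(seq=int(t[0]), action=t[1], proto=t[2], src=src, sport=sport,
                dst=dst, dport=dport, count="count" in t[i:], log="log" in t[i:])

def parse_config(text):
    """Return {acl_name: [ace dict, ...]} from AOS-CX-style config text."""
    addr_groups, port_groups, acls, ctx = {}, {}, {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["object-group", "ip", "address"]:
            ctx = ("addr", addr_groups.setdefault(t[3], []))
        elif t[:2] == ["object-group", "port"]:
            ctx = ("port", port_groups.setdefault(t[2], set()))
        elif t[:2] == ["access-list", "ip"]:
            ctx = ("acl", acls.setdefault(t[2], []))
        elif ctx is None or not t[0].isdigit():
            ctx = None  # vlan/interface/apply lines end the current block
        elif ctx[0] == "addr":
            ctx[1].append(ipaddress.ip_network(t[1], strict=False))
        elif ctx[0] == "port":
            ctx[1].update(_ports(t[1:]))
        else:
            ctx[1].append(_parse_ace(t, addr_groups, port_groups))
    return acls

def trace(acl, pkt, hits=None):
    """Walk pkt through acl, bumping hits[seq] for the matching ACE.
    Returns (action, matched seq or None, trace lines)."""
    hits = {} if hits is None else hits
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    lines = []
    for a in acl:
        if (a["proto"] in ("any", pkt.proto)
                and (not a["src"] or any(s in n for n in a["src"]))
                and (not a["dst"] or any(d in n for n in a["dst"]))
                and (a["sport"] is None or pkt.sport in a["sport"])
                and (a["dport"] is None or pkt.dport in a["dport"])):
            hits[a["seq"]] = hits.get(a["seq"], 0) + 1
            lines.append(f"{a['seq']}: {a['action']}" + (" [log]" if a["log"] else ""))
            return a["action"], a["seq"], lines
        lines.append(f"{a['seq']}: no match")
    lines.append("implicit deny")  # every AOS-CX ACL ends with one
    return "deny", None, lines

# Constructed sample config; names, addresses and ACEs are illustrative only.
SAMPLE_CONFIG = """
object-group ip address WEB_SERVERS
    10 10.10.20.10
    20 10.10.20.11
object-group port WEB_PORTS
    10 eq 80
    20 eq 443
access-list ip VLAN100_IN
    10 permit tcp 10.10.100.0/24 group WEB_SERVERS group WEB_PORTS count
    20 permit udp 10.10.100.0/24 10.10.1.53 eq 53 count
    30 deny tcp any any eq 23 log
    40 permit icmp 10.10.100.0/24 any
vlan 100
    apply access-list ip VLAN100_IN in
"""

# Constructed test packets from a VLAN 100 host: (description, Packet).
SAMPLE_PACKETS = [
    ("https to web server", Packet("tcp", "10.10.100.25", "10.10.20.10", 51000, 443)),
    ("telnet to web server", Packet("tcp", "10.10.100.25", "10.10.20.10", 51001, 23)),
    ("dns to resolver", Packet("udp", "10.10.100.25", "10.10.1.53", 40000, 53)),
    ("https to unlisted host", Packet("tcp", "10.10.100.25", "10.10.20.99", 51002, 443)),
    ("ping", Packet("icmp", "10.10.100.25", "10.10.1.1")),
]

def run(config=SAMPLE_CONFIG, acl_name="VLAN100_IN", packets=SAMPLE_PACKETS):
    """Trace every packet through one ACL (pass a modified config for a what-if).
    Returns ({description: (action, seq)}, {seq: hits for ACEs carrying 'count'})."""
    acl, hits = parse_config(config)[acl_name], {}
    verdicts = {desc: trace(acl, p, hits)[:2] for desc, p in packets}
    return verdicts, {a["seq"]: hits.get(a["seq"], 0) for a in acl if a["count"]}

if __name__ == "__main__":
    for desc, (action, seq) in run()[0].items():
        print(f"{desc:24s} -> {action:6s} via {seq or 'implicit deny'}")
```

Calling `run(config=...)` twice, once with the current ACL text and once with a candidate ACE added, gives the "What-If" comparison from the list: any packet whose verdict differs between the two runs is a change the edit introduced, and the trace lines show which earlier entry shadowed or caught it. The `count` hits mirror the visibility the keyword gives on the switch, which is why entries 10 and 20 carry it in the sample.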