@vincent wrote:
"Few things:
- Spirent or IXIA testing could provide proof that ACL filters are line-rate and enforcing security as defined in the ACL
- use count on permit sequence to have some visibility on permitted flows..."
FROM: aoscx-noob >>>
The following is my wish list that I have submitted to our HPE rep:
The current aos-cx ACL LOG and/or COUNT is insufficient and inaccurate. Adding a single ACE may break the ACL without potentially hours of customer testing to prove ACL changes.
We need a better way to trace packets as they traverse the ACLs.
Suggestion (online customer tool and security procedures): (DRAFT#20191211-R2)
1. Upload TEXT version of the OBJECT-GROUPs
2. Upload TEXT version of the ACCESS-LIST
3. Upload TEXT version of the APPLY access-list
4. Choose AUTO simulation based on various (aos-cx version(s) and OEM switch models) testing OR manually choose packet types, packet ports, packet source (IP or URL), packet destination (IP or URL)
5. Simulator in AUTO mode will thoroughly test and trace Aruba-designed packets and/or customer custom packets.
6. Then simulator will display TRACE LOG and counts.
7. Next the simulator will also offer "What-If" simulations canned and custom.
8. The simulator will allow dynamic and real-time modifications to OBJECTs, ACCESS-LISTs entries, and APPLYs.
9. Various reporting services will also be provided by simulator.
10. FINAL: All reporting, logs, traces, revisions, customization, and config modifications may be exported/downloaded in COMMAND mode as needed by the customer.
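Added example, not from the thread and not Aruba/HPE code: a small Python model of what steps 1-8 of the wish list describe, so the idea can be tried offline. It uses a simplified, constructed ACL grammar (sequence, action, protocol, source, destination, optional destination port, with `group:<name>` referring to an object-group), not AOS-CX syntax; the object-group names, ACEs and packets are all made up. It evaluates a packet first-match against the ACEs with an implicit deny at the end, records a per-ACE trace and hit count, and runs a "what-if" that shows which packets change verdict when one ACE is added before deployment.

```python
"""Constructed first-match ACL simulator: object-groups, trace log, hit counts, what-if."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed object-groups (hypothetical names; simplified grammar, not AOS-CX syntax).
OBJECT_GROUPS = {
    "ipv4": {"MGMT_HOSTS": ["10.0.0.0/24", "10.0.1.5/32"],
             "WEB_SERVERS": ["192.168.10.0/25"]},
    "port": {"WEB_PORTS": [80, 443], "SSH": [22]},
}

# Constructed ACL text: "seq action proto src dst [dport]"; fields may be a CIDR/port, "any"
# or "group:<name>". The implicit deny at the end is modelled in evaluate().
BASE_ACL = """
10 permit tcp group:MGMT_HOSTS group:WEB_SERVERS group:WEB_PORTS
20 permit tcp group:MGMT_HOSTS group:WEB_SERVERS group:SSH
30 deny any any group:WEB_SERVERS
40 permit any any any
"""

@dataclass
class ACE:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str
    dst: str
    dport: str = "any"
    hits: int = 0          # count on every ACE, not only on permits

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def _ip_match(spec, addr, groups):
    if spec == "any":
        return True
    nets = groups["ipv4"][spec[6:]] if spec.startswith("group:") else [spec]
    a = ip_address(addr)
    return any(a in ip_network(n, strict=False) for n in nets)

def _port_match(spec, port, groups):
    if spec == "any":
        return True
    if port is None:
        return False
    if spec.startswith("group:"):
        return port in groups["port"][spec[6:]]
    return port == int(spec)

def parse_acl(text) -> List[ACE]:
    """Parse the constructed grammar above; ACEs are evaluated in sequence-number order."""
    aces = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("!"):
            continue
        seq, action, proto, src, dst = parts[:5]
        dport = parts[5] if len(parts) > 5 else "any"
        aces.append(ACE(int(seq), action, proto, src, dst, dport))
    return sorted(aces, key=lambda a: a.seq)

def evaluate(aces, pkt, groups=OBJECT_GROUPS):
    """First match wins; returns (action, matched seq or None, trace lines)."""
    trace = []
    for ace in aces:
        checks = [("proto", ace.proto in ("any", pkt.proto)),
                  ("src", _ip_match(ace.src, pkt.src, groups)),
                  ("dst", _ip_match(ace.dst, pkt.dst, groups)),
                  ("dport", _port_match(ace.dport, pkt.dport, groups))]
        failed = [name for name, ok in checks if not ok]
        if failed:
            trace.append(f"seq {ace.seq}: no match (failed {', '.join(failed)})")
            continue
        ace.hits += 1
        trace.append(f"seq {ace.seq}: MATCH -> {ace.action}")
        return ace.action, ace.seq, trace
    trace.append("implicit deny")
    return "deny", None, trace

def what_if(base_text, new_ace_line, packets, groups=OBJECT_GROUPS):
    """Re-run a packet set with one extra ACE; return (packet, before, after) where the verdict changed."""
    before, after = parse_acl(base_text), parse_acl(base_text + "\n" + new_ace_line)
    changed = []
    for pkt in packets:
        b, a = evaluate(before, pkt, groups)[0], evaluate(after, pkt, groups)[0]
        if a != b:
            changed.append((pkt, b, a))
    return changed

# Constructed sample traffic: a management host, an untrusted host, and a DNS lookup.
SAMPLE_PACKETS = [Packet("tcp", "10.0.0.7", "192.168.10.20", 443),
                  Packet("tcp", "172.16.0.9", "192.168.10.20", 443),
                  Packet("udp", "10.0.0.7", "8.8.8.8", 53)]

if __name__ == "__main__":
    acl = parse_acl(BASE_ACL)
    for pkt in SAMPLE_PACKETS:
        action, seq, trace = evaluate(acl, pkt)
        print(pkt, "->", action, "at seq", seq)
        print("   " + "\n   ".join(trace))
    print("hit counts:", {a.seq: a.hits for a in acl})
    print("what-if:", what_if(BASE_ACL, "25 permit tcp any group:WEB_SERVERS group:WEB_PORTS", SAMPLE_PACKETS))
```

Running it prints a per-ACE trace for each packet, the hit count per sequence number, and the what-if result: the candidate `25 permit tcp any group:WEB_SERVERS group:WEB_PORTS` flips the untrusted host from deny (seq 30) to permit, which is exactly the kind of single-ACE change the post says is hard to catch without lengthy testing.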