Wired Intelligent Edge


Switches supporting dACLs?

  • 1.  Switches supporting dACLs?

    Posted May 01, 2019 04:31 PM

    Hello,

    Looking at implementing ClearPass to push dACLs to switch ports during dot1x wired authentication.  Is there a list of which Aruba switches support dACLs?  Or is there an IEEE or RFC that I should be looking for on the switch white papers?  Similarly, is there a TCAM limit on how long/how many ACLs can be dynamically applied?  Our ACLs tend to be around 150-200 lines long, so pushing them down individually per port might hit a resource limit.  It might push us to applying an ACL pre-populated on the switch, called by name in the RADIUS request, but again, we need to know what switches support this.  Is there any easy way to look this up to ensure we are buying the right model of Aruba switch, or to see which switch lines can meet our needs?



  • 2.  RE: Switches supporting dACLs?

    Posted May 01, 2019 04:48 PM
    Please take a look at this document.

    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Method/attachment/Default.aspx?EntryId=33276

    dACLs are supported, but today the preferred way is to use user roles. However, 150-200 ACLs per port is heavy usage, and I suppose that the switch is not able to handle this. You are safe when you use up to 20 ACLs per port on the 2930 switches. Also keep in mind that the ACL is applied per authenticated device and not per port.

    If you want more control, I suggest you look into dynamic segmentation.
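Added example (not from either poster, and not HPE/Aruba or ClearPass code): the two delivery mechanisms the thread compares, seen at the RADIUS level. The standard Filter-Id attribute (RFC 2865, type 11) names an ACL that is already configured on the switch, which is the "called by name" option from the question; a downloadable ACL is carried one ACE per Vendor-Specific attribute, which is why a 150-200 line ACL becomes 150-200 attributes in the Access-Accept and is worth counting against the per-port budget the reply mentions before it is pushed. The block builds and verifies an Access-Accept with only the Python standard library. Assumptions, not facts from the page: the vendor ID 11 and vendor type 61 for HP-Nas-Filter-Rule are taken from memory of the FreeRADIUS dictionary.hp and must be checked against your ClearPass dictionary; the ACE strings, ACL name and shared secret are constructed samples; the rule syntax inside the VSA is illustrative. The Message-Authenticator (RFC 2869, type 80) is included because the Response Authenticator on its own is only an MD5 keyed by the shared secret, and the NAS-side check here refuses an Access-Accept that lacks it.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet code and attribute types (RFC 2865; Message-Authenticator is RFC 2869).
ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80

# ASSUMED values for the HPE switch dACL VSA, as I recall them from the FreeRADIUS
# dictionary.hp: vendor ID 11 (Hewlett-Packard), vendor type 61 (HP-Nas-Filter-Rule).
# Verify against the dictionary in your ClearPass build before relying on them.
HP_VENDOR_ID = 11
HP_NAS_FILTER_RULE = 61


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute: Vendor-Id, then a vendor Type/Length/Value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def iter_attrs(payload: bytes):
    """Yield (offset, type, value) for each TLV; raise on a truncated or zero-length one."""
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute length")
        yield pos, atype, payload[pos + 2:pos + alen]
        pos += alen


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attributes: list) -> bytes:
    """Assemble an Access-Accept carrying a Message-Authenticator and a Response Authenticator.

    Message-Authenticator = HMAC-MD5(secret, Code|ID|Length|RequestAuth|Attributes) with its own
    16 value bytes zeroed; Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|secret).
    request_auth is the Request Authenticator copied from the switch's Access-Request.
    """
    payload = b"".join(attributes) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(payload))
    mac = hmac.new(secret, header + request_auth + payload, hashlib.md5).digest()
    payload = payload[:-16] + mac  # Message-Authenticator is the last attribute we appended
    resp_auth = hashlib.md5(header + request_auth + payload + secret).digest()
    return header + resp_auth + payload


def verify_access_accept(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS-side check: length sane, Response Authenticator valid, exactly one valid Message-Authenticator."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, payload = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + payload + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    try:
        found = [(off, val) for off, typ, val in iter_attrs(payload) if typ == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False  # an Accept without Message-Authenticator is rejected by policy here
    off, val = found[0]
    zeroed = payload[:off + 2] + bytes(16) + payload[off + 18:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, val)


def filter_id(packet: bytes):
    """Return the Filter-Id name (the pre-populated ACL the switch should apply), or None."""
    for _, typ, val in iter_attrs(packet[20:]):
        if typ == ATTR_FILTER_ID:
            return val.decode()
    return None


def dacl_rules(packet: bytes) -> list:
    """Return the HP-Nas-Filter-Rule strings carried in an Access-Accept, in wire order."""
    rules = []
    for _, typ, val in iter_attrs(packet[20:]):
        if typ == ATTR_VENDOR_SPECIFIC and len(val) >= 6 \
                and struct.unpack("!I", val[:4])[0] == HP_VENDOR_ID and val[4] == HP_NAS_FILTER_RULE:
            rules.append(val[6:4 + val[5]].decode())  # vendor length includes its 2-byte header
    return rules


def check_dacl_budget(packet: bytes, max_entries: int) -> bool:
    """Pre-flight check before pushing: a dACL with more ACEs than the port budget will not fit."""
    return len(dacl_rules(packet)) <= max_entries


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed sample, not a real secret
    req_auth = os.urandom(16)  # stands in for the Request Authenticator from the switch
    named = build_access_accept(7, req_auth, secret, [attr(ATTR_FILTER_ID, b"ACL-CORP-USER")])
    aces = [b"permit in tcp from any to 10.0.0.0/8 443", b"deny in ip from any to any"]  # illustrative syntax
    dacl = build_access_accept(8, req_auth, secret, [vsa(HP_VENDOR_ID, HP_NAS_FILTER_RULE, a) for a in aces])
    print(filter_id(named), verify_access_accept(named, req_auth, secret))
    print(dacl_rules(dacl), check_dacl_budget(dacl, 20), verify_access_accept(dacl, req_auth, secret))
```

The budget number you pass to check_dacl_budget should come from your own testing on the exact switch model, since the thread gives only the 2930 figure; the HMAC and MD5 checks are the same regardless of which mechanism carries the policy.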