Wired Intelligent Edge


With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

  • 1.  With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

    Posted Jun 20, 2014 05:59 PM

    I have 2 vlans - employee & guest.  I want to block guest from employee vlan but allow internet access.

     

    With Cisco I would have done

     

    ip access-list extended BlockGuest
     deny   ip 10.30.54.0 0.0.0.255 10.30.50.0 0.0.0.255
     permit ip any any

     

    interface Vlan54
     description Guest
     ip address 10.30.54.1 255.255.255.0
     ip access-group BlockGuest in

     

    Can someone point me in the right direction to the Aruba equivalent?



  • 2.  RE: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

    EMPLOYEE
    Posted Jun 20, 2014 06:01 PM
    In the Aruba world you would create firewall policies and tie them to a user role.

    Take a look at the access control section under the Configuration tab.


  • 3.  RE: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

    Posted Jun 20, 2014 06:03 PM
    You create an ACL similar to the one created in Cisco and then apply it under the guest user-role.


  • 4.  RE: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

    Posted Jun 20, 2014 06:09 PM

    Guest user-role - Is that assuming that the pc that is plugged into a port, then has to authenticate before allowing access?

     

    So you have to use the Captive Portal?

     

    Do you have to use authentication or can you take that off?



  • 5.  RE: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

    EMPLOYEE
    Posted Jun 20, 2014 06:10 PM
    Sorry, are we talking an Aruba MAS or wireless controller?


  • 6.  RE: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

    Posted Jun 20, 2014 06:18 PM

    MAS.

     

    Although most likely it will only be APs accessing Guest, but they don't want Guest to authenticate. 

     

    Would the Aruba APs be able to restrict the access?

     

    Reading RN for 7.3 and it talks about

     

    Router ACLs (RACLs)
    Router ACLs perform access control on all traffic entering the specified Routed VLAN Interface. Router ACLs provide
    access control based on the Layer 3 addresses or Layer 4 port information and ranges. RACLs can only be applied
    to ingress traffic.

     

    Would that not be the same as Cisco VACLs - would have been nice to see an example in the user guide

     



  • 7.  RE: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

    EMPLOYEE
    Posted Jun 20, 2014 06:20 PM
    Are these wired ports only going to serve guest users or will you want an authenticated user to be able to use them too?


  • 8.  RE: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

    Posted Jun 20, 2014 06:25 PM

    Some ports would be Employees.

     

    Some would be trunk ports to AP - both vlans - none of the ports should make you authenticate.



  • 9.  RE: With Cisco, I can do vlan access lists. How can I do the equivalent on Aruba?

    EMPLOYEE
    Posted Jun 20, 2014 06:28 PM
    In that case, yes, you would configure an ACL on the VLAN interface. The commands are almost identical to Cisco.