New Contributor

VLAN based session acl issue ArubaOS 8.5.0.0

Hi,

I have an issue with a session ACL assigned to a VLAN on a trunk port (port-channel). Controller model 7210, OS 8.5.0.0. The ACL is applied only to traffic originating FROM the VLAN, but any traffic TO the VLAN is allowed. Maybe it is the intended behavior; can anyone confirm this?

Command on trunk port with all VLANs trusted:

'ip access-group vlan 30 session "ACL-name"'

Any traffic towards a host in the VLAN is permitted; the ACL works only for traffic coming from the VLAN.

Regards,

Balazs

Guru Elite

Re: VLAN based session acl issue ArubaOS 8.5.0.0

Before answering your question, are you trying to apply this ACL to wired or wireless traffic? I am asking because it is better to apply an ACL to a role, rather than a VLAN, because it is more granular.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
New Contributor

Re: VLAN based session acl issue ArubaOS 8.5.0.0

Hi Cjoseph,

It is for wired traffic.

Guru Elite

Re: VLAN based session acl issue ArubaOS 8.5.0.0

Okay.

If you put an ACL on a port/VLAN, it typically applies to traffic that is coming into the controller. You can type "show acl hits" on the MD to see how many times your ACL is actually hit.

New Contributor

Re: VLAN based session acl issue ArubaOS 8.5.0.0

Thanks for the answer. I guess it is not desired to use a controller as a "wired" firewall. Is there any suggestion for FW functionality for wired traffic (e.g. controlling both in and out traffic)? Or does Aruba design recommend handling wired VLAN separation on another device instead of the controller?

Guru Elite

Re: VLAN based session acl issue ArubaOS 8.5.0.0

That is not the primary use case, but it is possible. The simplest example is: if you can separate the physical in/out, you can apply the ACL to the "in" port and probably accomplish what you need.

New Contributor

Re: VLAN based session acl issue ArubaOS 8.5.0.0

Yes, that is the workaround for now: filtering inbound on the "uplink" VLAN and also inbound on the "protected" VLANs. It just would have been better to control the rules per VLAN...

Thanks for the quick help, anyway :)

Regards,

Balazs
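The behaviour discussed in this thread (a session ACL bound to a VLAN is only evaluated for traffic entering the controller on that VLAN, so a second inbound ACL on the uplink VLAN is needed to control traffic towards the protected VLAN) can be reproduced in a small model. The code below is an added example written for this thread, not ArubaOS code or anything from the posters; it assumes a stateful session ACL with an implicit deny at the end, that a VLAN with no ACL bound forwards everything, and uses constructed subnets (VLAN 10 as the uplink, VLAN 30 as the protected VLAN), constructed ACL names and constructed flows.

```python
"""Toy model of ArubaOS-style session ACLs bound to VLANs (added example, not
ArubaOS code).  Assumption: an ACL bound with
'ip access-group vlan <id> session <name>' is only evaluated for traffic whose
ingress VLAN is <id>, sessions are tracked statefully so reply traffic is
permitted, and an unmatched flow hits an implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Flow":
        """The return direction of this flow (used for session matching)."""
        return Flow(self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == f.dport))


class Controller:
    """Minimal forwarding model: ingress VLAN lookup, per-VLAN ACL, session table."""

    def __init__(self, subnet_vlans: Dict[str, int]) -> None:
        self.subnet_vlans = {ipaddress.ip_network(s): v for s, v in subnet_vlans.items()}
        self.acls: Dict[str, List[Rule]] = {}
        self.vlan_acl: Dict[int, str] = {}
        self.sessions: Set[Flow] = set()

    def ip_access_list_session(self, name: str, rules: List[Rule]) -> None:
        self.acls[name] = rules

    def ip_access_group_vlan(self, vlan: int, acl: str) -> None:
        self.vlan_acl[vlan] = acl

    def ingress_vlan(self, ip: str) -> int:
        addr = ipaddress.ip_address(ip)
        for net, vlan in self.subnet_vlans.items():
            if addr in net:
                return vlan
        raise ValueError(f"no VLAN for {ip}")

    def forward(self, f: Flow) -> str:
        # Reply packets of an already permitted session bypass the ACL entirely.
        if f.reply() in self.sessions:
            return "permit"
        acl = self.vlan_acl.get(self.ingress_vlan(f.src))
        action = "permit"           # no ACL on the ingress VLAN: forwarded as-is
        if acl is not None:
            action = "deny"         # implicit deny at the end of a session ACL
            for rule in self.acls[acl]:
                if rule.matches(f):
                    action = rule.action
                    break
        if action == "permit":
            self.sessions.add(f)
        return action


SUBNET_VLANS = {"10.10.0.0/24": 10, "10.30.0.0/24": 30}  # constructed topology
# Constructed ACL: VLAN 30 may only open HTTPS towards the uplink subnet.
PROTECT_30 = [Rule("10.30.0.0/24", "10.10.0.0/24", 443, "permit")]


def build(workaround: bool) -> Controller:
    c = Controller(SUBNET_VLANS)
    c.ip_access_list_session("PROTECT-30", PROTECT_30)
    c.ip_access_group_vlan(30, "PROTECT-30")
    if workaround:
        # Thread's workaround: a second inbound ACL on the uplink VLAN that
        # blocks new sessions towards the protected VLAN.
        c.ip_access_list_session("UPLINK-IN", [
            Rule("0.0.0.0/0", "10.30.0.0/24", None, "deny"),
            Rule("0.0.0.0/0", "0.0.0.0/0", None, "permit"),
        ])
        c.ip_access_group_vlan(10, "UPLINK-IN")
    return c


def run(workaround: bool) -> Dict[str, str]:
    """Push four constructed flows through the model and report each verdict."""
    c = build(workaround)
    https = Flow("10.30.0.5", 40000, "10.10.0.7", 443)
    return {
        "from_vlan30_ssh": c.forward(Flow("10.30.0.5", 40001, "10.10.0.7", 22)),
        "to_vlan30_ssh": c.forward(Flow("10.10.0.7", 40002, "10.30.0.5", 22)),
        "from_vlan30_https": c.forward(https),
        "https_reply": c.forward(https.reply()),
    }


if __name__ == "__main__":
    print("ACL on VLAN 30 only:", run(workaround=False))
    print("inbound ACL on both VLANs:", run(workaround=True))
```

With the ACL bound to VLAN 30 alone, SSH from the uplink into the protected VLAN is permitted because its ingress VLAN has no ACL, which is exactly the asymmetry reported at the top of the thread. Adding the inbound ACL on the uplink VLAN denies that new session, while the reply to the permitted HTTPS session still passes because the session table matches it before the uplink ACL is consulted.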
