Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VLAN based session acl issue ArubaOS 8.5.0.0

  • 1.  VLAN based session acl issue ArubaOS 8.5.0.0

    Posted Jul 19, 2019 07:42 AM

    Hi,

    I have an issue with a session ACL assigned to a VLAN on a trunk port (port-channel). Controller model 7210, OS 8.5.0.0. The ACL is applied only to the traffic originating FROM the VLAN, but any traffic TO the VLAN is allowed. Maybe it is the intended behavior; can anyone confirm this?

    Command on trunk port with all VLANs trusted:

    'ip access-group vlan 30 session "ACL-name"'

    Any traffic towards a host in the VLAN is permitted, ACL works only for traffic coming from the VLAN.

    Regards,

    Balazs


  • 2.  RE: VLAN based session acl issue ArubaOS 8.5.0.0

    EMPLOYEE
    Posted Jul 19, 2019 08:25 AM
    Before answering your question, are you trying to apply this ACL to wired or wireless traffic? I am asking because it is better to apply an ACL to a role, rather than a VLAN, because it is more granular.


  • 3.  RE: VLAN based session acl issue ArubaOS 8.5.0.0

    Posted Jul 19, 2019 08:33 AM

    Hi Cjoseph,

    It is for wired traffic. 



  • 4.  RE: VLAN based session acl issue ArubaOS 8.5.0.0
    Best Answer

    EMPLOYEE
    Posted Jul 19, 2019 09:19 AM

    Okay.

    If you put an ACL on a port/VLAN, it typically applies to traffic that is coming into the controller.  You can type "show acl hits" on the MD to see how many times your ACL is actually hit.



  • 5.  RE: VLAN based session acl issue ArubaOS 8.5.0.0

    Posted Jul 19, 2019 09:36 AM

    Thanks for the answer. I guess it is not desired to use a controller as a "wired" firewall. Is there any suggestion for FW functionality for wired traffic? (e.g. controlling in and out traffic also) Or Aruba design recommends handling wired VLAN separation on other device instead of the controller?



  • 6.  RE: VLAN based session acl issue ArubaOS 8.5.0.0

    EMPLOYEE
    Posted Jul 19, 2019 09:43 AM

    That is not the primary use case, but it is possible.  The simplest example: if you can separate the physical in/out, you can apply the ACL to the "in" port and probably accomplish what you need.



  • 7.  RE: VLAN based session acl issue ArubaOS 8.5.0.0

    Posted Jul 19, 2019 09:59 AM

    Yes, that is the workaround for now, filtering inbound on the "uplink" VLAN and also inbound on the "protected" VLANs. Just would have been better to control the rules per VLAN...

    Thanks for the quick help, anyway :)

    Regards,

    Balazs
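
The ingress-only behaviour confirmed in reply 4 and the workaround settled on in reply 7 (filter inbound on the uplink VLAN as well as inbound on the protected VLANs), as an added example that is not part of the thread and is not ArubaOS code: a small Python model of a stateful firewall with one ingress session ACL per VLAN. It shows why an ACL on VLAN 30 alone lets a host on the uplink VLAN open a session into VLAN 30 (the first packet enters on an unfiltered VLAN and the stateful reply is then forwarded regardless of VLAN 30's ACL), and how a second ACL on the uplink VLAN closes that gap while still allowing the one service you choose to permit. The VLAN numbers, addresses, rules, the `Controller`/`Rule`/`Packet` classes and the `show acl hits`-style counters are all constructed for this example; the stateful session handling is the generic behaviour of a session ACL, not a reproduction of ArubaOS internals.

```python
"""Added example (not from the thread or from ArubaOS): a stateful model of
per-VLAN ingress session ACLs. Hosts, VLANs and rules are constructed samples."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    vlan: int    # VLAN the packet enters the controller on (ingress VLAN)
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str               # "any" or a CIDR
    dst: str               # "any" or a CIDR
    proto: str             # "any", "tcp" or "udp"
    dport: Optional[int]   # None matches any destination port
    action: str            # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        def in_net(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return (in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


FlowKey = Tuple[str, str, int, str, int]


@dataclass
class Controller:
    # ingress ACL per VLAN; a VLAN with no entry is unfiltered
    vlan_acls: Dict[int, List[Rule]] = field(default_factory=dict)
    sessions: Set[FlowKey] = field(default_factory=set)
    # (vlan, rule index) -> hit count, the information "show acl hits" reports
    hits: Dict[Tuple[int, int], int] = field(default_factory=dict)

    def forward(self, p: Packet) -> str:
        key: FlowKey = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse: FlowKey = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Session ACLs are stateful: once the first packet of a flow is
        # permitted, later packets of that flow and its replies are forwarded
        # without consulting the ACL of the VLAN they happen to arrive on.
        if key in self.sessions or reverse in self.sessions:
            return "permit"
        acl = self.vlan_acls.get(p.vlan)
        if acl is None:
            self.sessions.add(key)
            return "permit"
        for i, rule in enumerate(acl):
            if rule.matches(p):
                self.hits[(p.vlan, i)] = self.hits.get((p.vlan, i), 0) + 1
                if rule.action == "permit":
                    self.sessions.add(key)
                return rule.action
        return "deny"   # implicit deny at the end of a session ACL


UPLINK = "10.1.10.0/24"      # VLAN 10, the "uplink" side (constructed)
PROTECTED = "10.1.30.0/24"   # VLAN 30, the VLAN to be walled off (constructed)
PERMIT_ANY = Rule("any", "any", "any", None, "permit")


def acl_on_vlan30_only() -> Controller:
    """The original setup: one ACL, applied to VLAN 30 ingress only."""
    return Controller(vlan_acls={30: [Rule("any", UPLINK, "any", None, "deny"),
                                      PERMIT_ANY]})


def acl_on_both_vlans() -> Controller:
    """The workaround: also filter inbound on the uplink VLAN, here letting
    only HTTPS from VLAN 10 into VLAN 30."""
    c = acl_on_vlan30_only()
    c.vlan_acls[10] = [Rule("any", PROTECTED, "tcp", 443, "permit"),
                       Rule("any", PROTECTED, "any", None, "deny"),
                       PERMIT_ANY]
    return c


def flow_from_uplink(c: Controller, dport: int) -> Tuple[str, str]:
    """SYN from a VLAN 10 host into VLAN 30, then the reply entering on VLAN 30."""
    syn = Packet(10, "10.1.10.5", "10.1.30.7", "tcp", 40000, dport)
    reply = Packet(30, "10.1.30.7", "10.1.10.5", "tcp", dport, 40000)
    return c.forward(syn), c.forward(reply)


def flow_from_protected(c: Controller) -> str:
    """SYN from a VLAN 30 host towards the uplink VLAN."""
    return c.forward(Packet(30, "10.1.30.7", "10.1.10.5", "tcp", 40001, 22))


if __name__ == "__main__":
    c = acl_on_vlan30_only()
    print("VLAN 30 ACL only, SSH from uplink:", flow_from_uplink(c, 22))
    print("VLAN 30 ACL only, SSH from VLAN 30:", flow_from_protected(c))
    c = acl_on_both_vlans()
    print("ACL on both VLANs, SSH from uplink:", flow_from_uplink(c, 22))
    print("ACL on both VLANs, HTTPS from uplink:", flow_from_uplink(c, 443))
```

With the ACL on VLAN 30 alone, the SSH session from the uplink host is permitted end to end even though VLAN 30's ACL denies traffic towards the uplink network: the SYN never touches that ACL, and the reply rides the session entry. With the second ACL on the uplink VLAN, the SSH attempt is dropped on entry and only the HTTPS flow is permitted, with its reply still handled by the session table. The `hits` counters are the model's equivalent of what `show acl hits` on the MD would show you when checking which rule a flow actually matched.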