Configuring Network Service ACLs
To configure access rules for network services, complete the following steps:
1. In the app, set the filter to a group that contains at least one AP.
The dashboard context for the group is displayed.
2. Under , click > .
A list of access points is displayed in the view.
3. Click the icon.
The tabs to configure the access points are displayed.
4. Click , and click the tab.
The Security details page is displayed.
5. Click the accordion.
6. Under , click to add a new rule.
The window is displayed.
7. Under , select .
8. To configure access to applications or application categories, select a service category from the following list:
9. Based on the selected service category, configure the following parameters:
Data Pane Item | Description
 | Select a rule type from the list, for example .
 | Select a service from the list of available services. You can allow or deny access to any or all of the following services based on your requirement: — Access is allowed or denied to all services. — Available options are TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and Other. If you select the TCP or UDP option, enter the appropriate port numbers. If you select the Other option, enter the appropriate ID. Note: If TCP and UDP use the same port, ensure that you configure separate access rules to permit or deny access.
 | Select any of the following attributes: — Select to allow access to users based on the access rule. — Select to deny access to users based on the access rule. — Select to allow changes to the destination IP address. — Select to allow changes to the source IP address.
 | Select a destination option. You can allow or deny access to any of the following destinations based on your requirements. — Access is allowed or denied to all destinations. — Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server. — Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server. — Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network. — Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network. — Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the text box. — Traffic to the specified master Instant AP is allowed. After selecting this option, specify the domain name in the text box. — Traffic to the specified Instant AP network is allowed. After selecting this option, specify the domain name in the text box. — Traffic to the specified Instant AP or virtual controller is allowed. After selecting this option, specify the domain name in the text box.
 | Select to create a log entry when this rule is triggered. The Aruba Central firewall supports firewall-based logging. Firewall logs on the Instant APs are generated as security logs.
 | Select to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as on the tab of the window.
 | Select to prioritize video and voice traffic. When enabled, a packet inspection is performed on all non-NAT (Network Address Translation) traffic and the traffic is marked as follows: Video: Priority 5 (Critical); Voice: Priority 6 (Internetwork Control).
 | Select to disable ARM (Adaptive Radio Management) scanning when this rule is triggered. The selection of this option applies only if ARM scanning is enabled.
 | Select to specify a DSCP (Differentiated Services Code Point) value to prioritize traffic when this rule is triggered. Specify a value within the range of 0 to 63.
 | Select to specify an 802.1 priority. Specify a value between 0 and 7.
 | Select this check box to allow a specific user to access the network for a specific time range. You can select the time range profile from the drop-down list that appears when the check box is selected.
10. Click .
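The following Python is an added example, not Aruba Central code and not a description of the AP's own matching engine: it models a network service access rule with the service, action, destination, DSCP and 802.1 priority parameters from the table, checks the constraints the table states, and evaluates an ordered rule list against a flow, which also shows why TCP and UDP on the same port need separate rules. The `except_` destination names, CIDR notation for networks, and the fallback action when no rule matches are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    service: str                     # "any", "tcp", "udp" or "other"
    port: Optional[int] = None       # TCP/UDP: destination port number
    proto_id: Optional[int] = None   # Other: IP protocol number (the "ID")
    dest_type: str = "all"           # all, server, except_server, network, except_network
    dest: Optional[str] = None       # server IP, or network in CIDR form (assumption)
    dscp: Optional[int] = None       # DSCP tag, 0..63
    priority: Optional[int] = None   # 802.1 priority, 0..7
    def validate(self) -> None:
        # Constraints the table states: ports for TCP/UDP, an ID for Other,
        # an address for any destination other than "all", and the tag ranges.
        if self.service in ("tcp", "udp") and self.port is None:
            raise ValueError("TCP/UDP rules need a port number")
        if self.service == "other" and self.proto_id is None:
            raise ValueError("'Other' rules need a protocol ID")
        if self.dest_type != "all" and self.dest is None:
            raise ValueError("destination '%s' needs an address" % self.dest_type)
        if self.dscp is not None and not 0 <= self.dscp <= 63:
            raise ValueError("DSCP must be 0..63")
        if self.priority is not None and not 0 <= self.priority <= 7:
            raise ValueError("802.1 priority must be 0..7")
    def matches(self, proto, dport: int, dst_ip: str) -> bool:
        # proto is "tcp", "udp", or an IP protocol number. TCP and UDP are distinct
        # services: a TCP rule never matches UDP on the same port, hence separate rules.
        if self.service in ("tcp", "udp") and (proto, dport) != (self.service, self.port):
            return False
        if self.service == "other" and proto != self.proto_id:
            return False
        addr = ip_address(dst_ip)
        if self.dest_type in ("server", "except_server"):
            hit = addr == ip_address(self.dest)
        elif self.dest_type in ("network", "except_network"):
            hit = addr in ip_network(self.dest, strict=False)
        else:
            return True                  # "all destinations"
        return hit != self.dest_type.startswith("except_")

def evaluate(rules, proto, dport: int, dst_ip: str, default: str = "deny") -> str:
    # First matching rule wins (the list is ordered). The fallback when nothing
    # matches is this example's assumption, not a default documented on the page.
    for rule in rules:
        rule.validate()
        if rule.matches(proto, dport, dst_ip):
            return rule.action
    return default
```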