Aruba Central Online Help

Configuring ACLs for Deep Packet Inspection

To configure ACL (Access Control List) rules for a user role for Deep Packet Inspection (DPI), complete the following procedure. DPI inspects packets at the Application layer of the OSI model, so a DPI rule can identify, categorize, throttle, reroute, or block traffic by application or application category rather than only by address and port.

  1. In the Network Operations app, set the filter to a group that contains at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of access points is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the access points are displayed.

  4. Click Show Advanced.

  5. Click the Security tab.

    The Security page is displayed.

  6. Under Roles, select the role for which you want to configure access rules.

  7. Under Access Rules For Selected Roles, click + to add a new rule.

    The Access Rule window is displayed.

  8. Under Rule Type, select Access Control.
  9. To configure access to applications or application categories, select a service category from the following list:
    • Network
    • App Category
    • Application
    • Web Category
    • Web Reputation
  10. Based on the selected service category, configure the following parameters:

    Table 1: Access Rule Configuration Parameters

    Parameter    Description

    App Category

    Select the application categories to which you want to allow or deny access.

    Application

    Select the applications to which you want to allow or deny access.

    Application Throttling

    Application throttling allows you to set a per-user bandwidth limit for an application or application category. For example, you can limit the bandwidth rate for video streaming applications such as YouTube or Netflix, or assign a low bandwidth to high-risk sites.

    To specify a bandwidth limit:

    • Select the Application Throttling check box.
    • Specify the Downstream and Upstream rates in Kbps (kilobits per second) per user.

    Action

    Select one of the following actions:

    • Destination-NAT—Translates the destination IP address of packets that match the rule as they enter the network.
    • Source-NAT—Translates the source IP address of packets that match the rule; typically used so that internal users can access the Internet.
    • Allow—Allows traffic that matches the access rule.
    • Deny—Denies traffic that matches the access rule.

    Destination

    Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.

    • To all destinations—Access is allowed or denied to all destinations.
    • To a particular server—Access is allowed or denied to a single server. After selecting this option, specify the IP address of the destination server.
    • Except to a particular server—Access is allowed or denied to all servers other than the specified server. After selecting this option, specify the IP address of the excluded server.
    • To a network—Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask of the destination network.
    • Except to a network—Access is allowed or denied to all networks other than the specified network. After selecting this option, specify the IP address and netmask of the excluded network.
    • To a Domain Name—Access is allowed or denied to the specified domain. After selecting this option, specify the domain name in the Domain Name text box.
    • To AP IP—The rule applies to traffic addressed to the IAP's own IP address.
    • To AP Network—The rule applies to traffic addressed to the network of the IAP.
    • To conductor IP—The rule applies to traffic addressed to the IP address of the conductor IAP (virtual controller).

    Log

    Select this check box if you want a log entry to be created each time this rule is triggered. Aruba Central supports firewall-based logging; firewall logs on the IAPs are generated as security logs.

    Denylist

    Select the Denylist check box to denylist the client when this rule is triggered. The denylisting lasts for the duration specified as Auth failure denylist time on the Denylisting tab of the Security window. For more information, see Denylisting IAP Clients.

    Classify Media

    Select the Classify Media check box to classify and tag media in HTTPS traffic as voice and video packets.

    Disable Scanning

    Select the Disable Scanning check box to disable ARM (Adaptive Radio Management) scanning when this rule is triggered. ARM dynamically monitors the RF environment and adjusts channel and transmit power for the APs; its scanning takes the radio off the operating channel briefly, so disabling it for a rule that matches latency-sensitive traffic such as voice or video avoids gaps in service.

    The Disable Scanning setting has an effect only if ARM scanning is enabled. For more information, see Configuring Radio Parameters.

    DSCP Tag

    Select this check box to add a DSCP (Differentiated Services Code Point) tag to traffic matching the rule. DSCP is a 6-bit value in the IP header, an L3 mechanism for classifying and managing network traffic and providing QoS (Quality of Service) on the network. Values range from 0 to 63; to assign a higher priority, specify a higher value.

    802.1p priority

    Select this check box to enable 802.1p priority tagging for traffic matching the rule. 802.1p priority is an L2 mechanism (carried in the Ethernet VLAN tag) for traffic prioritization to manage QoS on the network. There are eight levels of priority, 0-7. To assign a higher priority, specify a higher value.

    Time Range

    Select this check box to apply the rule only during a specific time period. You can select the time range profile from the drop-down list that appears when the Time Range check box is selected. For more information on time range profiles, see Configuring Time-Based Services for Wireless Network Profiles.

  11. Click Save.
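The following is an added example and not Aruba's code: a small Python model of how an ordered set of role access rules like the ones configured above decides the fate of a flow. It assumes rules are evaluated top-down with the first match winning and that traffic matching no rule receives the role's implicit action (deny here); the role name, rule set, client IDs, applications, and addresses are all constructed for illustration. It shows the destination options (particular server, except server, network, except network, domain) implemented with Python's ipaddress module, the per-user throttle and log attributes carried on a match, the denylist behaviour short-circuiting every later flow from that client, and the common pitfall of placing a catch-all allow ahead of a deny, which makes the deny dead.

```python
# Added example (not Aruba's code). Assumptions: rules are evaluated top-down,
# first match wins, unmatched traffic gets the implicit action (deny). All
# clients, applications, rules and addresses below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Flow:
    client: str                         # constructed client ID (e.g. a MAC)
    dst_ip: str
    dst_domain: Optional[str] = None    # name the client resolved, if known
    app: Optional[str] = None           # DPI application classification
    app_category: Optional[str] = None  # DPI application category


@dataclass
class Rule:
    action: str                         # "allow" or "deny"
    app: Optional[str] = None           # Application service category
    app_category: Optional[str] = None  # App Category service category
    dest: str = "all"                   # all|server|except_server|network|except_network|domain
    dest_value: Optional[str] = None    # IP, CIDR or domain name, depending on dest
    throttle_kbps: Optional[Tuple[int, int]] = None  # (downstream, upstream) per user
    log: bool = False
    denylist: bool = False

    def matches(self, flow: Flow) -> bool:
        if self.app is not None and flow.app != self.app:
            return False
        if self.app_category is not None and flow.app_category != self.app_category:
            return False
        return self._dest_matches(flow)

    def _dest_matches(self, flow: Flow) -> bool:
        v = self.dest_value
        if self.dest == "all":
            return True
        if self.dest in ("server", "except_server"):
            hit = ip_address(flow.dst_ip) == ip_address(v)
            return hit if self.dest == "server" else not hit
        if self.dest in ("network", "except_network"):
            hit = ip_address(flow.dst_ip) in ip_network(v, strict=False)
            return hit if self.dest == "network" else not hit
        if self.dest == "domain":
            d = flow.dst_domain
            return d is not None and (d == v or d.endswith("." + v))
        raise ValueError(f"unknown destination option {self.dest!r}")


@dataclass
class Verdict:
    action: str
    rule_index: Optional[int]           # None: denylisted client or implicit action
    throttle_kbps: Optional[Tuple[int, int]]
    logged: bool


class RoleAcl:
    def __init__(self, rules: List[Rule], implicit_action: str = "deny"):
        self.rules = list(rules)
        self.implicit_action = implicit_action
        self.denylisted = set()         # clients denylisted by a triggered rule
        self.security_log = []          # (client, dst, rule index, action) entries

    def evaluate(self, flow: Flow) -> Verdict:
        if flow.client in self.denylisted:   # denylisted clients never reach the rules
            return Verdict("deny", None, None, False)
        for i, rule in enumerate(self.rules):
            if rule.matches(flow):
                if rule.log:
                    self.security_log.append((flow.client, flow.dst_ip, i, rule.action))
                if rule.denylist:
                    self.denylisted.add(flow.client)
                return Verdict(rule.action, i, rule.throttle_kbps, rule.log)
        return Verdict(self.implicit_action, None, None, False)


# Constructed rule set for a hypothetical "employee" role.
EMPLOYEE_RULES = [
    Rule("deny", app_category="file-sharing", dest="except_network", dest_value="10.0.0.0/8", log=True),
    Rule("allow", app="youtube", throttle_kbps=(1024, 256)),
    Rule("deny", app_category="peer-to-peer", log=True, denylist=True),
    Rule("allow", dest="network", dest_value="10.0.0.0/8"),
    Rule("allow", dest="domain", dest_value="example.com"),
]

# Constructed flows; addresses are from documentation ranges.
SAMPLE_FLOWS = [
    Flow("client-a", "10.1.2.3", app="dropbox", app_category="file-sharing"),         # internal: rule 3 allows
    Flow("client-a", "203.0.113.10", app="dropbox", app_category="file-sharing"),     # external: rule 0 denies, logs
    Flow("client-a", "198.51.100.20", app="youtube", app_category="streaming"),       # rule 1 allows with throttle
    Flow("client-b", "198.51.100.7", app="bittorrent", app_category="peer-to-peer"),  # rule 2 denies, denylists
    Flow("client-b", "10.1.2.3"),                                                     # denylisted: denied outright
    Flow("client-a", "203.0.113.99", dst_domain="www.example.com"),                   # rule 4 allows by domain
    Flow("client-a", "203.0.113.5"),                                                  # no match: implicit deny
]


def run_scenario() -> List[Verdict]:
    acl = RoleAcl(EMPLOYEE_RULES)
    return [acl.evaluate(f) for f in SAMPLE_FLOWS]


def ordering_pitfall() -> Verdict:
    """Same rules with a catch-all allow placed first: the peer-to-peer deny never fires."""
    acl = RoleAcl([Rule("allow")] + EMPLOYEE_RULES)
    return acl.evaluate(SAMPLE_FLOWS[3])


if __name__ == "__main__":
    for flow, v in zip(SAMPLE_FLOWS, run_scenario()):
        print(f"{flow.client} -> {flow.dst_ip:<14} {v.action:<5} rule={v.rule_index} throttle={v.throttle_kbps}")
    print("with allow-all first, peer-to-peer verdict:", ordering_pitfall().action)
```

When building a role in the UI, the same ordering discipline applies: put the specific deny and throttle rules above any broad allow, and keep an eye on the security log and the Denylisting tab to confirm that rules with Log and Denylist set are actually being hit rather than shadowed by an earlier match.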