Aruba Central Online Help

Configuring Network Service ACLs

To configure access rules for network services, complete the following steps:

  1. In the Network Operations app, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click Show Advanced.
  5. Click the Security tab.

    The Security page is displayed.

  6. Click the Roles accordion.
  7. Under Access Rules For Selected Roles, click + to add a new rule.

    The Access Rule window is displayed.

  8. Under Rule Type, select Access Control.
  9. To configure access to applications or application categories, select a service category from the following list:
    • Network
    • App Category
    • Application
    • Web Category
    • Web Reputation
  10. Based on the selected service category, configure the following parameters:

    Table 1: Access Rule Configuration Parameters

    Data Pane Item

    Description

    Rule Type

    Select a rule type from the list, for example Access Control.

    Service

    Select a service from the list of available services. You can allow or deny access to any or all of the following services based on your requirement:

    If TCP and UDP use the same port, configure a separate access rule for each protocol to permit or deny access; a rule for one protocol does not cover the other.

    Action

    Select one of the following actions:

    • Select Allow to allow access to users based on the access rule.
    • Select Deny to deny access to users based on the access rule.
    • Select Destination-NAT to allow changes to the destination IP address.
    • Select Source-NAT to allow changes to the source IP address.

    Destination

    Select a destination option. You can allow or deny access to any of the following destinations based on your requirements.

    • To all destinations—Access is allowed or denied to all destinations.
    • To a particular server—Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
    • Except to a particular server—Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
    • To a network—Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
    • Except to a network—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
    • To a Domain Name—Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.
    • To AP IP—Traffic to the specified IAP is allowed. After selecting this option, specify the domain name in the IP text box.
    • To AP Network—Traffic to the specified IAP network is allowed. After selecting this option, specify the domain name in the IP text box.
    • To conductor IP—Traffic to the specified conductor IAP or virtual controller is allowed. After selecting this option, specify the domain name in the IP text box.

    Log

    Select Log to create a log entry when this rule is triggered. The Aruba Central firewall supports firewall-based logging. Firewall logs on the IAPs are generated as security logs.

    Denylist

    Select Denylist to denylist the client when this rule is triggered. The denylisting lasts for the duration specified as Auth failure denylist time on the Denylisting tab of the Security window.

    Classify Media

    Select Classify Media to prioritize video and voice traffic. When enabled, packet inspection is performed on all non-NAT traffic and the traffic is marked as follows:

    • Video: Priority 5 (Critical)
    • Voice: Priority 6 (Internetwork Control)

    Disable Scanning

    Select Disable Scanning to disable ARM scanning when this rule is triggered.

    Disable Scanning takes effect only if ARM scanning is enabled.

    DSCP TAG

    Select DSCP TAG to specify a DSCP value that prioritizes traffic when this rule is triggered. Specify a value within the range of 0 to 63.

    802.1p priority

    Select 802.1p priority to specify an 802.1p priority. Specify a value between 0 and 7.

    Time Range

    Select this check box to allow a specific user to access the network only during a specific time range. Select the time range profile from the drop-down list that appears when the Time Range check box is selected.

  11. Click Save Settings.
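The destination options and the TCP/UDP caveat from Table 1 are easiest to reason about as a first-match rule evaluation. The following Python model is an added example, not Aruba code: the rule fields, the sample rule set and the assumption that unmatched traffic is denied are all constructed here to illustrate the semantics described above.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    service: str        # "tcp" or "udp"; TCP and UDP on one port need two rules
    port: int
    action: str         # "allow" or "deny"
    dest: str           # "all", "server", "except_server", "network", "except_network"
    target: str = ""    # server IP, or network in CIDR form, for the dest option
    log: bool = False       # Log: create a log entry when the rule fires
    denylist: bool = False  # Denylist: denylist the client when the rule fires

def dest_matches(rule: Rule, dst_ip: str) -> bool:
    """Apply the Destination option of a rule to a destination IP."""
    ip = ipaddress.ip_address(dst_ip)
    if rule.dest == "all":
        return True
    if rule.dest in ("server", "except_server"):
        hit = ip == ipaddress.ip_address(rule.target)
    else:
        hit = ip in ipaddress.ip_network(rule.target, strict=False)
    # "Except ..." options invert the match
    return hit if rule.dest in ("server", "network") else not hit

def evaluate(rules, proto: str, dst_ip: str, port: int):
    """First matching rule wins; returns (action, log, denylist).
    Assumption (not stated on the page): traffic matching no rule is denied."""
    for r in rules:
        if r.service == proto and r.port == port and dest_matches(r, dst_ip):
            return r.action, r.log, r.denylist
    return "deny", False, False

# Constructed sample rule set for one role
RULES = [
    Rule("tcp", 53, "allow", "server", "10.0.53.5"),
    Rule("udp", 53, "allow", "server", "10.0.53.5"),  # separate rule: same port, other protocol
    Rule("tcp", 22, "deny", "except_network", "10.0.10.0/24", log=True, denylist=True),
    Rule("tcp", 22, "allow", "network", "10.0.10.0/24"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "udp", "10.0.53.5", 53))      # allowed by the UDP rule
    print(evaluate(RULES[:1], "udp", "10.0.53.5", 53))  # TCP-only rule set: UDP/53 is denied
    print(evaluate(RULES, "tcp", "192.168.1.1", 22))    # outside the network: deny, log, denylist
```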