Configuring Access Control on AOS-CX
Access control allows you to permit or deny traffic based on network addresses, protocols, service ports, and other packet attributes. An access policy defines a set of rules based on network traffic addressing and uses these rules to permit or deny the passage of traffic through the switch. The permit action allows the traffic to continue through the switch; the deny action causes the traffic to be discarded (dropped).
From the Access Control page, you can add access policies and set different rules for the access policies using UI groups.
Adding an Access Policy
You can add access policies by defining traffic rules. A policy can be applied to an individual front plane port, a Link Aggregation Group (LAG) interface, or a VLAN. A LAG combines a number of physical ports together to make a single high-bandwidth data path; LAGs can connect two switches to provide a higher-bandwidth connection to a public network. A VLAN (Virtual Local Area Network) partitions a single Layer 2 network into multiple distinct broadcast domains that are mutually isolated, so that packets can only pass between them through one or more routers.
The following are the maximum numbers of policies supported on AOS-CX switches.
- AOS-CX 4100i, 6100 switch series—512
- AOS-CX 6200, 6300 switch series—4000
- AOS-CX 8320 switch series—16000
- AOS-CX 8325, 8360 switch series—4000
AOS-CX 6400 and 8400 switch series are not supported in Aruba Central (on-premises) UI configuration.
To add an access policy, complete the following steps:
- In the app, select one of the following options:
  - To select a switch group in the filter:
    - Set the filter to a group. The dashboard context for the group is displayed.
    - Under , click > .
    - Click the or icon to view the switch configuration dashboard.
  - To select a switch in the filter:
    - Set the filter to or a group containing at least one switch.
    - Under , click > . A list of switches is displayed in the view.
    - Click an AOS-CX switch under . The dashboard context for the switch is displayed.
    - Under , click . The AOS-CX UI configuration page is displayed.
- Click > . The Access Control page is displayed with the name of the policy.
- In the table, click to add a policy. The Add policy page is displayed. When the maximum number of policies has been added for a switch, the + add icon is disabled.
- Configure the following parameters.
Table 1: Access Policy Parameters

| Name | Description | Value |
|---|---|---|
| | The name of the access policy. | A maximum of 64 characters including letters, numbers, and special characters, except question mark (?) and double quotes ("). |
| | The traffic direction for ports and LAGs. Two directions are available: one controls the incoming traffic on the selected ports or LAGs, the other controls the outgoing traffic on the selected ports or LAGs. | One of the two directions. |
| | The ports and LAGs on which the policy is applied. | Select a value from the drop-down. |
| | The traffic direction for VLANs. Four directions are available: incoming traffic on the layer 2 interface VLANs, outgoing traffic on the layer 2 interface VLANs, incoming traffic on the layer 3 interface VLANs, and outgoing traffic on the layer 3 interface VLANs. | One of the four directions. |
| | The VLANs on which the policy is applied. The list of layer 2 and layer 3 interface VLANs is displayed based on the direction selected. | Select one or more VLANs from the drop-down list. |
- Click . The Access Control table is displayed with the number of ports and LAGs, and VLANs, configured for inbound and outbound traffic.
Editing an Access Policy
To edit a policy, point to the row for the policy, and click the edit icon.
Deleting an Access Policy
To delete a policy, point to the row for the policy, and click the delete icon.
Adding a Rule for Policy
You can add access rules for a policy to either allow or deny the traffic passing through the switch.
The following are the maximum numbers of rules supported on AOS-CX switches.
- AOS-CX 4100i, 6100 switch series—4096
- AOS-CX 6200, 6300 switch series—8000
- AOS-CX 8320 switch series—32000
- AOS-CX 8325, 8360 switch series—4000
AOS-CX 6400 and 8400 switch series are not supported in Aruba Central (on-premises) UI configuration.
To add an access rule, complete the following steps:
- In the table, select the policy for which you want to add a rule by clicking on the policy. The Policy Rules page is displayed.
- In the table, click to add a rule. The Add rule for policy "<policy name>" page is displayed.
  - After adding the first rule, the + add icon in the table is disabled. To add more rules to the same policy, click the + add icon in the row corresponding to the rule after which you want to add the next rule.
  - When the maximum number of rules has been added for a switch series, the + add icon is disabled.
- Configure the following parameters.
Table 2: Access Rules Parameters

| Name | Description | Value |
|---|---|---|
| | The action for the traffic passing through the switch. | Permit or deny. |
| | Description for the rule. | A maximum of 256 characters including letters, numbers, and special characters, except question mark (?) and double quotes ("). |
| | The type of source for which you want to apply a policy. | One of the three source types. If you select Network, enter the IP address and Mask. If you select Host, enter the IP address. |
| | The type of destination for which you want to apply a policy. | One of the three destination types. If you select Network, enter the IP address and Mask. If you select Host, enter the IP address. |
| | The type of data transfer protocol. If you select SCTP, TCP, or UDP, the Source port and Destination port fields are displayed. TCP (Transmission Control Protocol) establishes and maintains a network connection for applications to exchange data; UDP (User Datagram Protocol) is a stateless member of the TCP/IP family, typically used for streaming media, that does not acknowledge that sent packets have been received. | One of the protocol types listed in the drop-down. |
| | The source port. You can specify a single port in the port field or a range of ports in the start and end fields. For example, to specify the source port range 1 to 7, specify 1 in the start field and 7 in the end field. | An integer |
| | The end port number in the range of source ports. This field applies only if you want to configure a range of source ports. | An integer |
| | The destination port. You can specify a single port in the port field or a range of ports in the start and end fields. For example, to specify the destination port range 1 to 7, specify 1 in the start field and 7 in the end field. | An integer |
| | The end port number in the range of destination ports. This field applies only if you want to configure a range of destination ports. | An integer |
- To create another rule, select the check box and add a new rule.
- Click . The new rules are displayed in the Policy Rules table. By default, the rules are sequenced in the order in which they are added. You can rearrange the sequence by dragging a rule to the position you want using the drag-and-drop icon.
- Click .
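The following is an added example, not code from Aruba or from this page, that models how an ordered rule list from Table 2 is evaluated so that the effect of rule sequencing (the drag-and-drop reordering just described) can be checked before a policy is applied. It also enforces the character limits from Tables 1 and 2 (64 characters for a policy name, 256 for a rule description, neither containing ? or ") and the Table 2 convention that port fields apply only to SCTP, TCP and UDP. Assumptions: the third source/destination type besides Network and Host is named "any"; traffic that matches no rule is denied, which is the usual access-list convention and is not stated on this page; the switch's own matching implementation is not reproduced, only first-match semantics. All addresses and rules are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

FORBIDDEN_CHARS = set('?"')              # not allowed in policy names or rule descriptions
PORT_PROTOCOLS = {"tcp", "udp", "sctp"}  # only these protocols carry port fields (Table 2)


def validate_text(value: str, max_len: int) -> bool:
    """Policy names (64 chars) and rule descriptions (256 chars) share one character rule."""
    return 0 < len(value) <= max_len and not (set(value) & FORBIDDEN_CHARS)


def validate_port_range(rng: Optional[Tuple[int, int]]) -> bool:
    """A range is (start, end) with start <= end; a single port is written (p, p)."""
    if rng is None:
        return True
    start, end = rng
    return 0 <= start <= end <= 65535


@dataclass(frozen=True)
class Endpoint:
    """Source or destination selector: kind is 'any' (assumed name), 'host', or 'network'."""
    kind: str
    address: str = ""   # host address, or network address when kind == 'network'
    mask: str = ""      # dotted mask, used only when kind == 'network'

    def matches(self, ip: str) -> bool:
        if self.kind == "any":
            return True
        if self.kind == "host":
            return ip_address(ip) == ip_address(self.address)
        if self.kind == "network":
            return ip_address(ip) in ip_network(f"{self.address}/{self.mask}", strict=False)
        raise ValueError(f"unknown endpoint kind: {self.kind}")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _port_ok(rng: Optional[Tuple[int, int]], port: Optional[int]) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])


@dataclass(frozen=True)
class Rule:
    action: str                 # 'permit' or 'deny'
    protocol: str               # 'any', 'tcp', 'udp', 'sctp', 'icmp', ...
    src: Endpoint
    dst: Endpoint
    src_ports: Optional[Tuple[int, int]] = None
    dst_ports: Optional[Tuple[int, int]] = None
    description: str = ""

    def is_valid(self) -> bool:
        if self.action not in {"permit", "deny"}:
            return False
        if self.description and not validate_text(self.description, 256):
            return False
        has_ports = self.src_ports is not None or self.dst_ports is not None
        if has_ports and self.protocol not in PORT_PROTOCOLS:
            return False  # port fields are only shown for SCTP, TCP and UDP
        return validate_port_range(self.src_ports) and validate_port_range(self.dst_ports)

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if not (self.src.matches(pkt.src_ip) and self.dst.matches(pkt.dst_ip)):
            return False
        return _port_ok(self.src_ports, pkt.src_port) and _port_ok(self.dst_ports, pkt.dst_port)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins. Returns (action, index); unmatched traffic is denied (assumption)."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return "deny", None


# Constructed sample policy: block one host from SSH, let the rest of the LAN use SSH.
ANY = Endpoint("any")
LAN = Endpoint("network", "10.0.0.0", "255.255.255.0")
BLOCKED_HOST = Endpoint("host", "10.0.0.5")
RULES_DENY_FIRST = [
    Rule("deny", "tcp", BLOCKED_HOST, ANY, dst_ports=(22, 22), description="block one host from SSH"),
    Rule("permit", "tcp", LAN, ANY, dst_ports=(22, 22), description="LAN may use SSH"),
]
RULES_PERMIT_FIRST = list(reversed(RULES_DENY_FIRST))  # same rules, reordered by drag-and-drop

SSH_FROM_BLOCKED = Packet("10.0.0.5", "192.0.2.10", "tcp", 51515, 22)
SSH_FROM_OTHER = Packet("10.0.0.7", "192.0.2.10", "tcp", 51516, 22)
HTTPS_FROM_OTHER = Packet("10.0.0.7", "192.0.2.10", "tcp", 51517, 443)

if __name__ == "__main__":
    for label, rules in (("deny first", RULES_DENY_FIRST), ("permit first", RULES_PERMIT_FIRST)):
        print(label, evaluate(rules, SSH_FROM_BLOCKED))
```

Running the block shows the point of the sequence: with the deny rule first the blocked host's SSH packet is dropped by rule 0, while with the same two rules reordered the broader permit rule matches first and the host-specific deny never fires. Checking a reordered policy this way before clicking through the UI avoids silently widening what a policy permits.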
Editing a Rule
To edit a rule, point to the row for the rule, and click the edit icon.
Deleting a Rule
To delete a rule, point to the row for the rule, and click the delete icon.