Configuring Access Policies on AOS-Switches

To restrict certain types of traffic on the physical ports of AOS-Switches, you can configure access control lists (ACLs) from the Aruba Central (on-premises) UI.

To create an access policy, complete the following steps:

  1. In the Network Operations app, select one of the following options:
    • To select a switch group in the filter:
      1. Set the filter to a group containing at least one switch.

        The dashboard context for the group is displayed.

      2. Under Manage, click Devices > Switches.
      3. Click the AOS-S or Config icon to view the switch configuration dashboard.
    • To select a switch in the filter:
      1. Set the filter to Global or a group containing at least one switch.
      2. Under Manage, click Devices > Switches.

        A list of switches is displayed in the List view.

      3. Click a switch under Device Name.

        The dashboard context for the switch is displayed.

      4. Under Manage, click Device.

        The tabs for configuring the switch are displayed.

  2. Click Security > Access Policy. The Access Policy page is displayed.
  3. Click + to add a new access policy. The New Access Policy page is displayed.
  4. Enter a name for the policy.
  5. Click Add.
  6. To add a rule to the access policy, click + under Rules for <policy name> (the heading shows the name you entered in step 4; for example, Rules for test), and configure the following parameters:

Table 1: Configuring Rules for Access Policies

Name: Source
Description: Select the source of the traffic for which you want to create the access rule.
Value: Any, Network, or Host
  • For Network, specify the IP address and mask.
  • For Host, specify the IP address.

Name: Destination
Description: Select the destination of the traffic.
Value: Any, Network, or Host
  • For Network, specify the IP address and mask.
  • For Host, specify the IP address.

Name: Protocol
Description: Select the type of protocol from the drop-down. If you select SCTP, TCP, or UDP, the Source Port and Destination Port fields are displayed.
Value: SCTP, TCP, UDP, AH, ESP, GRE, ICMP, IGMP, IP, IPv6_IN_IP, IP_IN_IP, OSPF, PIM, and VRRP.

Name: Source Port
Description: Port number of the source for the SCTP, TCP, or UDP protocols.
Value: A single port number or a range of port numbers.
  • For a single port number, enter the same port number in the Min Port and Max Port fields.

Name: Destination Port
Description: Port number of the destination for the SCTP, TCP, or UDP protocols.
Value: A single port number or a range of port numbers.
  • For a single port number, enter the same port number in the Min Port and Max Port fields.

Name: Action
Description: The action that the switch performs on the traffic received at the port.
Value: Permit or Deny

  7. Click OK.
  8. Click Save Settings.
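The rule fields in Table 1 (Any/Network/Host, protocol, Min/Max port, Permit/Deny) decide how the switch classifies traffic, so it is worth checking what a rule order will do before saving it. The following added Python example, which is not part of this documentation or of Aruba Central, models a policy of that shape and evaluates constructed sample traffic against it; it assumes first-match evaluation with an implicit deny for unmatched traffic, that the protocol value IP matches any IP protocol, and that the Network mask may be given in prefix or dotted form.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PORT_PROTOCOLS = {"sctp", "tcp", "udp"}   # port fields exist only for these rules

@dataclass
class Rule:
    # One row of the rule form: Source, Destination, Protocol, ports, Action.
    source: str = "any"        # "any" | "host:<ip>" | "net:<ip>/<mask or prefix>"
    destination: str = "any"
    protocol: str = "ip"       # drop-down value, lower-cased; "ip" = any IP protocol (assumed)
    src_port: Optional[Tuple[int, int]] = None   # (Min Port, Max Port); equal = single port
    dst_port: Optional[Tuple[int, int]] = None
    action: str = "permit"     # "permit" | "deny"

def addr_matches(spec: str, addr: str) -> bool:
    """Any matches every address, Host one exact address, Network an address plus mask."""
    if spec == "any":
        return True
    kind, _, value = spec.partition(":")
    if kind == "host":
        return ip_address(addr) == ip_address(value)
    if kind == "net":
        # ip_network accepts "10.1.0.0/16" and "10.1.0.0/255.255.0.0" alike
        return ip_address(addr) in ip_network(value, strict=False)
    raise ValueError(f"unknown address spec {spec!r}")

def port_matches(rng: Optional[Tuple[int, int]], port: Optional[int]) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def rule_matches(rule: Rule, proto: str, src: str, dst: str,
                 sport: Optional[int] = None, dport: Optional[int] = None) -> bool:
    if rule.protocol not in ("ip", proto):
        return False
    if not (addr_matches(rule.source, src) and addr_matches(rule.destination, dst)):
        return False
    if proto in PORT_PROTOCOLS:   # only SCTP/TCP/UDP traffic carries ports to compare
        return port_matches(rule.src_port, sport) and port_matches(rule.dst_port, dport)
    return True

def evaluate(policy: List[Rule], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """First matching rule decides; unmatched traffic is denied (assumed implicit deny)."""
    for rule in policy:
        if rule_matches(rule, proto, src, dst, sport, dport):
            return rule.action
    return "deny"

# Constructed sample policy (not from any real deployment): allow HTTPS to one host
# from the 10.1.0.0/16 network, block all other TCP to that host, permit everything else.
SAMPLE_POLICY = [
    Rule("net:10.1.0.0/255.255.0.0", "host:10.2.0.10", "tcp", None, (443, 443), "permit"),
    Rule("any", "host:10.2.0.10", "tcp", None, None, "deny"),
    Rule("any", "any", "ip", None, None, "permit"),
]
```

Swapping the first two rules would make the deny rule shadow the permit, which is exactly the kind of ordering mistake this check is meant to catch before the policy is saved.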

The access policies must be applied to a switch port and to the VLAN assigned to that port. For more information on assigning access policies to ports and VLANs, see the following topics: