Dell 6.2 Server User Manual

297 | Roles and Policies    Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
NOTE: You can apply IPv4 and IPv6 firewall policies to the same user role. See IPv6 Support on page 128 for
information about configuring IPv6 firewall policies.
Working With Access Control Lists (ACLs)
Access control lists (ACLs) are a common way of restricting certain types of traffic on a physical port. ArubaOS
provides the following types of ACLs:
• Standard ACLs permit or deny traffic based on the source IP address of the packet. Standard ACLs can be either
named or numbered, with valid numbers in the range of 1-99 and 1300-1399. Standard ACLs use a bitwise mask
to specify the portion of the source IP address to be matched.
• Extended ACLs permit or deny traffic based on source or destination IP address, source or destination port
number, or IP protocol. Extended ACLs can be either named or numbered, with valid numbers in the range 100-199
and 2000-2699.
• MAC ACLs filter traffic from a specific source MAC address or range of MAC addresses. Optionally, you can
mirror matching packets to a datapath or remote destination for troubleshooting and debugging. MAC ACLs can be
either named or numbered, with valid numbers in the range of 700-799 and 1200-1299.
• Ethertype ACLs filter traffic based on the Ethertype field in the frame header. Optionally, you can mirror
matching packets to a datapath or remote destination for troubleshooting and debugging. Ethertype ACLs can be
either named or numbered, with valid numbers in the range of 200-299. These ACLs can be used to permit IP
while blocking non-IP protocols, such as IPX or AppleTalk.
• Service ACLs provide a generic way to restrict which protocols and services specific hosts and subnets may use
to reach the controller itself. Rules in this ACL are applied to all traffic destined to the controller, regardless of the
ingress port or VLAN.
ArubaOS provides standard and extended ACLs for compatibility with router software from popular vendors;
however, firewall policies provide equivalent and greater functionality than standard and extended ACLs and should
be used instead.
You can apply MAC and Ethertype ACLs to a user role; however, these ACLs only apply to non-IP traffic from the
user. They do not restrict the user's IP traffic, which must be controlled by a firewall policy (or a standard or
extended ACL) applied to the same role.
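As an added illustration (example code, not code from this guide or from ArubaOS), the following Python models the ACL types listed above: it classifies numbered ACLs by the ranges the guide gives and evaluates frames from a user against the ACLs on a role, showing that a MAC ACL deny on the role leaves the user's IPv4 traffic untouched while a standard ACL with a wildcard mask does restrict it. Not stated by the guide and therefore assumptions here: first-match evaluation with an implicit deny at the end, a Cisco-style wildcard mask in which 0 bits must match, a role with no ACL of a given kind permitting that kind of traffic, and the constructed MAC and IP addresses.

```python
"""Toy model of the ACL types described above (added example, not ArubaOS code).

Assumed router-style semantics (not from the guide): first matching rule wins,
implicit deny at the end, wildcard mask where 0 bits must match. Sample MACs and
addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional

# Numbered-ACL ranges exactly as listed in the guide.
ACL_NUMBER_RANGES = {
    "standard": [(1, 99), (1300, 1399)],
    "extended": [(100, 199), (2000, 2699)],
    "mac": [(700, 799), (1200, 1299)],
    "ethertype": [(200, 299)],
}
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137
ETHERTYPE_APPLETALK = 0x809B


def acl_type_for_number(number: int) -> str:
    """Return the ACL type a number selects; raise for numbers outside every range."""
    for acl_type, ranges in ACL_NUMBER_RANGES.items():
        if any(lo <= number <= hi for lo, hi in ranges):
            return acl_type
    raise ValueError(f"{number} is not a valid numbered ACL")


@dataclass
class StdRule:
    """Standard ACL rule: source address plus wildcard mask (0 bit = must match)."""
    action: str
    address: int
    wildcard: int

    @classmethod
    def make(cls, action: str, address: str, wildcard: str = "0.0.0.0") -> "StdRule":
        return cls(action, int(IPv4Address(address)), int(IPv4Address(wildcard)))

    def matches(self, src_ip: IPv4Address) -> bool:
        care_bits = ~self.wildcard & 0xFFFFFFFF
        return ((int(src_ip) ^ self.address) & care_bits) == 0


@dataclass
class MacRule:
    action: str
    mac: Optional[str] = None          # None matches any source MAC

    def matches(self, src_mac: str) -> bool:
        return self.mac is None or self.mac.lower() == src_mac.lower()


@dataclass
class EthRule:
    action: str
    ethertype: Optional[int] = None    # None matches any Ethertype

    def matches(self, ethertype: int) -> bool:
        return self.ethertype is None or self.ethertype == ethertype


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    src_ip: Optional[IPv4Address] = None


@dataclass
class UserRole:
    standard_acl: List[StdRule] = field(default_factory=list)
    mac_acl: List[MacRule] = field(default_factory=list)
    eth_acl: List[EthRule] = field(default_factory=list)


def first_match(rules, key) -> str:
    """Assumed semantics: first matching rule wins, otherwise implicit deny."""
    for rule in rules:
        if rule.matches(key):
            return rule.action
    return "deny"


def evaluate(role: UserRole, frame: Frame) -> str:
    """Decide permit/deny for one frame sent by a user in this role."""
    if frame.ethertype == ETHERTYPE_IPV4:
        # IP traffic: the role's MAC and Ethertype ACLs are not consulted, so a
        # MAC ACL deny does nothing here; only the IP ACL (or firewall policy)
        # restricts it. No IP ACL configured is treated as permit (assumption).
        if not role.standard_acl:
            return "permit"
        return first_match(role.standard_acl, frame.src_ip)
    # Non-IP traffic: every configured MAC/Ethertype ACL must permit the frame.
    for rules, key in ((role.mac_acl, frame.src_mac), (role.eth_acl, frame.ethertype)):
        if rules and first_match(rules, key) == "deny":
            return "deny"
    return "permit"


# Constructed sample role: IPv4 only from 10.1.1.0/24, one MAC blocked for
# non-IP traffic, and only the IPv4 Ethertype permitted (IPX/AppleTalk denied).
ROLE = UserRole(
    standard_acl=[StdRule.make("permit", "10.1.1.0", "0.0.0.255")],
    mac_acl=[MacRule("deny", "00:11:22:33:44:55"), MacRule("permit")],
    eth_acl=[EthRule("permit", ETHERTYPE_IPV4), EthRule("deny")],
)

if __name__ == "__main__":
    blocked_mac = "00:11:22:33:44:55"
    print(evaluate(ROLE, Frame(blocked_mac, ETHERTYPE_IPV4, IPv4Address("10.1.1.77"))))
    print(evaluate(ROLE, Frame(blocked_mac, ETHERTYPE_IPX)))
```

Run stand-alone, the first line prints `permit` and the second `deny`: the MAC ACL deny blocks the client's IPX frames but not its IPv4 frames, which is the caveat the guide makes about MAC and Ethertype ACLs on a role. The `acl_type_for_number` check is the kind of validation worth adding to any tooling that generates numbered ACLs, since a number outside the listed ranges selects no ACL type at all.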
Support for Desktop Virtualization Protocols
ArubaOS supports desktop virtualization protocols by providing preconfigured ACLs for Citrix and VMware clients.
You can apply these ACLs to the user-role when using the Virtual Desktop Infrastructure (VDI) clients. This ensures
that any enterprise application that uses the VDI client performs optimally with appropriate QoS.
NOTE: Disable voice-aware ARM when applying the ACLs for VDI clients, because the virtual desktop sessions may
prevent ARM scanning.
Creating a Firewall Policy
This section describes how to configure the rules that constitute a firewall policy. A firewall policy can then be
applied to a user role; until the policy is applied to a user role, it has no effect.
Table 80 describes required and optional parameters for a rule.