Configuring ACL Rules for Application and Application Categories

This section describes the procedure for configuring access rules based on applications and application categories. The Application and Application category rules use the onboard DPI (Deep Packet Inspection) engine. DPI is an advanced method of network packet filtering that inspects the data packets exchanged between devices and systems over a network. DPI operates at the application layer of the Open Systems Interconnection (OSI) reference model and enables users to identify, categorize, track, reroute, or stop packets passing through a network.

For information on configuring access rules to control access to network services, see In the Old WebUI.

For information on configuring access rules based on web categories and web reputation, see Configuring Web Policy Enforcement Service.

In the Old WebUI

To configure ACL (Access Control List) rules for a user role:

1. Navigate to the Security > Roles tab. The Roles tab contents are displayed.

You can also configure access rules for a wired or wireless network profile by using:

a. The WLAN (Wireless Local Area Network) wizard (Network > WLAN SSID > Edit > Edit WLAN > Access), or

b. The Wired profile (More > Wired > Edit > Edit Wired Network > Access) window.

2. In the Roles section, select the role for which you want to configure the access rules.

3. In the Access rules section, click New to add a new rule. The New Rule window is displayed.

4. Ensure that the rule type is set to Access control.

5. To configure access to applications or application categories, select a service category from the following list:

Application

Application category

6. Based on the selected service category, configure the following parameters:

Table 1: Access Rule Configuration Parameters

Service Category

Description

Application

Select the applications to which you want to allow or deny access.

Application category

Select any of the following application categories to which you want to allow or deny access:

antivirus

authentication

cloud-file-storage

collaboration

encrypted

enterprise-apps

gaming

im-file-transfer

instant-messaging

mail-protocols

mobile-app-store

network-service

peer-to-peer

social-networking

standard

streaming

thin-client

tunneling

unified-communications

web

Webmail

Application Throttling

Application throttling allows you to set a bandwidth limit for an application, application category, web category, or for sites based on their web reputation. For example, you can limit the bandwidth rate for video streaming applications such as YouTube or Netflix, or assign a low bandwidth to high-risk sites. If your Instant AP model does not support configuring access rules based on application or application category, you can create a rule based on web category or website reputation and assign bandwidth rates. This check box is visible only when the Application service is selected.

To specify a bandwidth limit:

1. Select the Application Throttling check box.

2. Specify the downstream and upstream rates in Kbps (kilobits per second).

Action

Select any of the following actions:

Select Allow to allow access to users based on the access rule.

Select Deny to deny access to users based on the access rule.

Select Destination-NAT to allow changes to the destination IP address. NAT (Network Address Translation) remaps one IP address space into another by modifying the network address information in IP packet headers while they are in transit across a routing device.

Select Source-NAT to allow changes to the source IP address. Source NAT is typically used when an internal (private) host initiates a session to an external (public) host.

The destination NAT and source NAT actions apply only to network services rules.

Destination

Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.

to all destinations—Access is allowed or denied to all destinations.

to a particular server—Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.

except to a particular server—Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.

to a network—Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.

except to a network—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.

to domain name—Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.

to master IP—Access is allowed or denied to the master IP address.

to AP IP—Access is allowed or denied to a specific AP's IP address.

to AP network—Access is allowed or denied to a specific AP network.

Log

Select this check box to create a log entry when this rule is triggered. Instant supports a firewall-based logging function. Firewall logs on the Instant APs are generated as security logs.

Blacklist

Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified in Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients.

Disable scanning

Select the Disable scanning check box to disable ARM (Adaptive Radio Management) scanning when this rule is triggered.

The Disable scanning selection applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings.

DSCP tag

Select the DSCP tag check box to specify a DSCP (Differentiated Services Code Point) value to prioritize traffic when this rule is triggered. DSCP is a 6-bit packet header value used for traffic classification and priority assignment. Specify a value within the range of 0–63. To assign a higher priority, specify a higher value.

802.1p priority

Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.

Time Range

Select the Time Range check box and select a time profile to apply for the rule.

7. Click OK in the New Rule window.

8. Click OK in the Roles tab.

In the New WebUI

To configure ACL (Access Control List) rules for a user role:

1. Navigate to Configuration > Security > Roles section.

You can also configure access rules for a wired or wireless network profile by following the steps mentioned below:

a. Navigate to Configuration > Networks.

b. Select the WLAN (Wireless Local Area Network) or the Wired profile and edit the profile as required.

c. Go to the Access tab.

2. In the Roles section, select the role for which you want to configure the access rules.

3. In the Access Rules for <network> section, click + to add a new rule. The New rule window is displayed.

4. Ensure that the rule type is set to Access control.

5. To configure access to applications or application categories, select a service from the following list:

Application

Application category

6. Based on the selected service category, configure the following parameters:

Table 2: Access Rule Configuration Parameters

Service Category

Description

Application

Select the applications to which you want to allow or deny access.

Application category

Select any of the following application categories to which you want to allow or deny access:

antivirus

authentication

cloud-file-storage

collaboration

encrypted

enterprise-apps

gaming

im-file-transfer

instant-messaging

mail-protocols

mobile-app-store

network-service

peer-to-peer

social-networking

standard

streaming

thin-client

tunneling

unified-communications

web

Webmail

Application Throttling

Application throttling allows you to set a bandwidth limit for an application, application category, web category, or for sites based on their web reputation. For example, you can limit the bandwidth rate for video streaming applications such as YouTube or Netflix, or assign a low bandwidth to high-risk sites. If your Instant AP model does not support configuring access rules based on application or application category, you can create a rule based on web category or website reputation and assign bandwidth rates. This check box is visible only when the Application service is selected.

To specify a bandwidth limit:

1. Select the Application Throttling check box.

2. Specify the downstream and upstream rates in Kbps (kilobits per second).

Action

Select any of the following actions:

Select Allow to allow access to users based on the access rule.

Select Deny to deny access to users based on the access rule.

Select Destination-NAT to allow changes to the destination IP address. NAT (Network Address Translation) remaps one IP address space into another by modifying the network address information in IP packet headers while they are in transit across a routing device.

Select Source-NAT to allow changes to the source IP address. Source NAT is typically used when an internal (private) host initiates a session to an external (public) host.

The destination NAT and source NAT actions apply only to network services rules.

Destination

Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.

to all destinations—Access is allowed or denied to all destinations.

to a particular server—Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.

except to a particular server—Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.

to a network—Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.

except to a network—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.

to domain name—Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.

to master IP—Access is allowed or denied to the master IP address.

to AP IP—Access is allowed or denied to a specific AP's IP address.

to AP network—Access is allowed or denied to a specific AP network.

Log

Select this check box to create a log entry when this rule is triggered. Instant supports a firewall-based logging function. Firewall logs on the Instant APs are generated as security logs.

Blacklist

Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified in Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients.

Disable scanning

Select the Disable scanning check box to disable ARM (Adaptive Radio Management) scanning when this rule is triggered.

The Disable scanning selection applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings.

DSCP Tag

Select the DSCP Tag check box to specify a DSCP (Differentiated Services Code Point) value to prioritize traffic when this rule is triggered. DSCP is a 6-bit packet header value used for traffic classification and priority assignment. Specify a value within the range of 0–63. To assign a higher priority, specify a higher value.

802.1p priority

Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.

Time Range

Select the Time Range check box and select a time profile to apply for the rule.

7. Click OK.

8. Click Save.

In the CLI

To configure access rules:

(Instant AP)(config)# wlan access-rule <access-rule-name>

(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match/invert> {app <app> {permit|deny}|appcategory <appgrp>} [<option1....option9>]

Examples

The following CLI (Command-Line Interface) example shows how to configure employee access rules:

(Instant AP)(config)# wlan access-rule employee

(Instant AP)(Access Rule "employee")# rule any any match app youtube permit throttle-downstream 256 throttle-up 256

(Instant AP)(Access Rule "employee")# rule any any match appcategory collaboration permit

(Instant AP)(Access Rule "employee")# rule any any match any any any permit time-range lunchtime
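As an added example (not Aruba's code and not from this page), the following Python script models how a rule list like the one above is parsed and evaluated. It reads rules in the CLI syntax shown in this section, treats the match/invert keyword as the table's "to a network" versus "except to a network" destination choice, carries the throttle and time-range options through, and returns the action for a DPI-classified flow. Three things are assumptions of this model rather than statements on the page: rules are checked top-down with the first hit winning, a rule carrying a time-range applies only while that profile is active, and traffic matching no rule is denied. The sample rules and flows are constructed for the demonstration.

```python
"""Offline model of Instant access-rule parsing and first-match evaluation.

Added example, not Aruba code. Rule lines follow the documented CLI form:
  rule <dest> <mask> <match|invert> {app <app> | appcategory <cat> | <proto> <sport> <eport>}
       {permit|deny} [throttle-downstream <kbps>] [throttle-up <kbps>] [time-range <name>]
Assumptions: top-down first match wins; a time-range rule applies only while the
profile is active; unmatched traffic is denied.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the page's "employee" rules plus a category deny and an
# "except to a network" destination (the CLI's "invert" keyword).
SAMPLE_RULES = """
rule any any match app youtube permit throttle-downstream 256 throttle-up 256
rule any any match appcategory collaboration permit
rule any any match appcategory peer-to-peer deny
rule 10.0.0.0 255.255.255.0 invert any any any permit time-range lunchtime
"""

# Option keywords taken from the page's CLI example; each takes one argument.
OPTIONS_WITH_ARG = {"throttle-downstream", "throttle-up", "time-range"}


@dataclass
class Rule:
    dest: str
    mask: str
    invert: bool          # True for the "except to ..." destination choices
    kind: str             # "app", "appcategory" or "service"
    match: tuple          # (app,), (category,) or (protocol, start_port, end_port)
    action: str           # "permit" or "deny"
    options: dict = field(default_factory=dict)


@dataclass
class Flow:
    """A DPI-classified flow: destination plus the app/category DPI assigned."""
    dst_ip: str
    app: Optional[str] = None
    category: Optional[str] = None
    protocol: str = "tcp"
    dport: int = 443


def parse_rule(line: str) -> Rule:
    tok = line.split()
    if len(tok) < 6 or tok[0] != "rule" or tok[3] not in ("match", "invert"):
        raise ValueError(f"malformed rule: {line!r}")
    dest, mask, invert = tok[1], tok[2], tok[3] == "invert"
    i = 4
    if tok[i] in ("app", "appcategory"):
        kind, match, i = tok[i], (tok[i + 1],), i + 2
    else:                                   # network-service form: <proto> <sport> <eport>
        kind, match, i = "service", tuple(tok[i:i + 3]), i + 3
    if i >= len(tok) or tok[i] not in ("permit", "deny"):
        raise ValueError(f"expected permit|deny in {line!r}")
    action, i = tok[i], i + 1
    options = {}
    while i < len(tok):
        if tok[i] not in OPTIONS_WITH_ARG or i + 1 >= len(tok):
            raise ValueError(f"bad option near {tok[i]!r} in {line!r}")
        options[tok[i]] = tok[i + 1]
        i += 2
    return Rule(dest, mask, invert, kind, match, action, options)


def parse_rules(text: str) -> list:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def _dest_hit(rule: Rule, ip: str) -> bool:
    if rule.dest == "any":
        hit = True
    else:   # dotted netmask is accepted by ipaddress, e.g. 10.0.0.0/255.255.255.0
        net = ipaddress.ip_network(f"{rule.dest}/{rule.mask}", strict=False)
        hit = ipaddress.ip_address(ip) in net
    return (not hit) if rule.invert else hit


def _match_hit(rule: Rule, flow: Flow) -> bool:
    if rule.kind == "app":
        return flow.app == rule.match[0]
    if rule.kind == "appcategory":
        return flow.category == rule.match[0]
    proto, sport, eport = rule.match
    if proto not in ("any", flow.protocol):
        return False
    return sport == "any" or int(sport) <= flow.dport <= int(eport)


def evaluate(rules: list, flow: Flow, active_time_ranges=frozenset()):
    """Return (action, rule_index, options) for the first matching rule, or
    ("deny", None, {}) for the assumed implicit deny at the end of the list."""
    for idx, rule in enumerate(rules):
        tr = rule.options.get("time-range")
        if tr is not None and tr not in active_time_ranges:
            continue    # assumption: time-range rules are dormant outside the profile
        if _dest_hit(rule, flow.dst_ip) and _match_hit(rule, flow):
            return rule.action, idx, dict(rule.options)
    return "deny", None, {}


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for flow in (Flow("203.0.113.10", app="youtube", category="streaming"),
                 Flow("203.0.113.10", category="peer-to-peer"),
                 Flow("10.0.0.5", category="web")):
        print(flow, "->", evaluate(rules, flow, {"lunchtime"}))
```

Running the script shows why rule order matters: the YouTube flow is permitted with its 256 Kbps throttle by the first rule before any category rule is consulted, the peer-to-peer flow is denied by the third rule, and the flow to 10.0.0.5 falls through to the implicit deny because the inverted destination excludes that subnet even while the lunchtime profile is active.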


The following CLI example shows how to view the list of time profiles created on the Instant AP:

(Instant AP)# show time-profile


The following CLI example shows how to view the list of time range profiles configured on the Instant AP:

(Instant AP)# show time-range