Configuring ACL Rules for Network Services

This section describes the procedure for configuring ACLs (Access Control Lists) to control access to network services. An ACL is a common way of restricting certain types of traffic on a physical port.

For information on configuring access rules based on application and application categories, see Configuring ACL Rules for Application and Application Categories.

For information on configuring access rules based on web categories and web reputation, see Configuring Web Policy Enforcement Service.

In the Old WebUI

To configure ACL rules for a user role:

1. Navigate to Security > Roles. The Roles tab contents are displayed.

Alternatively, you can configure access rules for a wired or wireless client through the WLAN wizard or the Wired Profile window.

a. To configure access rules through the Wired Profile window:

Navigate to More > Wired.

Click Edit and then Edit Wired Network.

Click Access.

b. To configure access rules through the WLAN wizard:

Navigate to Network > WLAN SSID.

Click Edit and then Edit WLAN.

Click Access.

2. Select the role for which you want to configure access rules.

3. In the Access rules section, click New to add a new rule. The New Rule window is displayed.

4. Ensure that the rule type is set to Access Control.


The maximum roles configurable on an Instant AP is 32.

The maximum ACL entries supported is 2048.

The maximum ACL entries for each role is 256.

5. To configure a rule to control access to network services, select Network under the Service category and specify the following parameters:

Table 1: Access Rule Configuration Parameters

Service Category

Description

Network

Select a service from the list of available services. You can allow or deny access to any or all of the services based on your requirement:

any—Access is allowed or denied to all services.

custom—Available protocols are TCP, UDP, ethernet, and Other. If you select the TCP or UDP protocol, enter appropriate port numbers. If you select the Other option, enter the appropriate ID. If you select the ethernet option, specify the ethernet type.

NOTE: If a service uses the same port number over both TCP and UDP, ensure that you configure a separate access rule for each protocol to permit or deny access.

Action

Select one of the following actions:

Select Allow to allow access to users based on the access rule.

Select Deny to deny access to users based on the access rule.

Select Destination-NAT to allow making changes to the destination IP address.

Select Source-NAT to allow making changes to the source IP address.

Default: All client traffic is directed to the default VLAN.

Tunnel: The traffic from the Network Assigned clients is directed to the VPN tunnel.

VLAN: Specify the non-default VLAN ID to which the guest traffic is redirected.

Destination

Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.

to all destinations—Access is allowed or denied to all destinations.

to a particular server—Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.

except to a particular server—Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.

to a network—Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.

except to a network—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.

to domain name—Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.

Log

Select the Log check box if you want a log entry to be created when this rule is triggered. Instant supports firewall-based logging. Firewall logs on the Instant APs are generated as security logs.

Blacklist

Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients.

Disable scanning

Select the Disable scanning check box to disable ARM (Adaptive Radio Management) scanning when this rule is triggered.

The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings.

DSCP tag

Select the DSCP tag check box to specify a DSCP (Differentiated Services Code Point) value to prioritize traffic when this rule is triggered. Specify a value within the range of 0–63. To assign a higher priority, specify a higher value.

802.1p priority

Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.

NOTE: This parameter is applicable only for VLAN tagged frames.

6. Click OK in the New Rule window and then click OK in the Roles tab.

In the New WebUI

To configure ACL rules for a user role:

1. Navigate to Configuration > Security > Roles. The Roles tab contents are displayed.

Alternatively, you can configure access rules for a wired or wireless client through the WLAN wizard or the Wired Profile window.

To configure access rules for a wired or wireless client, go to the Configuration > Networks tab. Click + to create a new network or select the network profile to modify an existing profile.

Go to the Access tab.

2. Select the role for which you want to configure access rules.

3. In the Access rules section, click + to add a new rule. The New rule window is displayed.

4. Ensure that the rule type is set to Access Control.


The maximum roles configurable on an Instant AP is 32.

The maximum ACL entries supported is 2048.

The maximum ACL entries for each role is 256.

5. To configure a rule to control access to network services, select Network under the Service category and specify the following parameters:

Table 2: Access Rule Configuration Parameters

Service Category

Description

Network

Select a service from the list of available services. You can allow or deny access to any or all of the services based on your requirement:

any—Access is allowed or denied to all services.

custom—Available protocols are TCP, UDP, ethernet, and Other. If you select the TCP or UDP protocol, enter appropriate port numbers. If you select the Other option, enter the appropriate ID. If you select the ethernet option, specify the ethernet type.

NOTE: If a service uses the same port number over both TCP and UDP, ensure that you configure a separate access rule for each protocol to permit or deny access.

Action

Select one of the following actions:

Select Allow to allow access to users based on the access rule.

Select Deny to deny access to users based on the access rule.

Select Destination-NAT to allow making changes to the destination IP address.

Select Source-NAT to allow making changes to the source IP address.

Default: All client traffic is directed to the default VLAN.

Tunnel: The traffic from the Network Assigned clients is directed to the VPN tunnel.

VLAN: Specify the non-default VLAN ID to which the guest traffic is redirected.

Destination

Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.

to all destinations—Access is allowed or denied to all destinations.

to a particular server—Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.

except to a particular server—Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.

to a network—Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.

except to a network—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.

to domain name—Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.

Log

Select the Log check box if you want a log entry to be created when this rule is triggered. Instant supports firewall-based logging. Firewall logs on the Instant APs are generated as security logs.

Blacklist

Select the Blacklist check box to blacklist the client when this rule is triggered. The blacklisting lasts for the duration specified as Auth failure blacklist time on the Blacklisting tab of the Security window. For more information, see Blacklisting Clients.

Disable scanning

Select the Disable scanning check box to disable ARM (Adaptive Radio Management) scanning when this rule is triggered.

The selection of Disable scanning applies only if ARM scanning is enabled. For more information, see Configuring Radio Settings.

DSCP tag

Select the DSCP tag check box to specify a DSCP (Differentiated Services Code Point) value to prioritize traffic when this rule is triggered. Specify a value within the range of 0–63. To assign a higher priority, specify a higher value.

802.1p priority

Select the 802.1p priority check box to specify an 802.1p priority. Specify a value between 0 and 7. To assign a higher priority, specify a higher value.

NOTE: This parameter is applicable only for VLAN tagged frames.

6. Click OK in the New Rule window and then click Save.

In the CLI

To configure access rules:

(Instant AP)(config)# wlan access-rule <access-rule-name>

(Instant AP)(Access Rule <Name>)# rule <dest> <mask> <match/invert> {<protocol> <start-port> <end-port> {permit|deny|src-nat [vlan <vlan_id>|tunnel]|dst-nat {<IP-address> <port>|<port>}} [<option1....option9>]

Example

(Instant AP)(config)# wlan access-rule employee

(Instant AP)(Access Rule "employee")# rule 10.17.88.59 255.255.255.255 match 6 4343 4343 log

(Instant AP)(Access Rule "employee")# rule 192.0.2.8 255.255.255.255 invert 6 110 110 permit

(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match tcp 21 21 deny

(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 192.0.2.7 255.255.255.0 match udp 21 21 deny

(Instant AP)(Access Rule "employee")# rule 192.0.2.2 255.255.255.0 match 6 631 631 permit

(Instant AP)(Access Rule "employee")# rule 192.0.2.8 255.255.255.255 invert 6 21 21 deny

(Instant AP)(Access Rule "employee")# rule 192.0.2.1 255.255.255.0 invert 17 67 69 deny
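The rule syntax above, as an added worked example that is not part of the Aruba documentation: a small Python parser and evaluator for rule lines in the documented single-destination form (rule <dest> <mask> <match|invert> <protocol> <start-port> <end-port> <action> [options]), run over the "employee" rules from the example. It assumes top-down first-match evaluation, numeric port fields, and protocol given as a number or as tcp/udp; the source/destination variants and the rule without an action on the page are not handled, and the final dst-nat rule in the list is constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

PROTO_NUM = {"tcp": 6, "udp": 17}
ACTIONS = ("permit", "deny", "src-nat", "dst-nat")

@dataclass
class Rule:
    dest: ipaddress.IPv4Network
    invert: bool            # invert: the rule applies to every destination EXCEPT dest
    proto: int              # IP protocol number (6 = TCP, 17 = UDP)
    start_port: int
    end_port: int
    action: str             # permit | deny | src-nat | dst-nat
    action_args: list = field(default_factory=list)   # vlan id / tunnel / NAT target
    options: list = field(default_factory=list)       # trailing options such as log

def parse_rule(line: str) -> Rule:
    """Parse one 'rule <dest> <mask> <match|invert> <proto> <sport> <eport> <action> [opts]' line."""
    tok = line.split()
    if len(tok) < 8 or tok[0] != "rule" or tok[3] not in ("match", "invert"):
        raise ValueError("malformed rule: %r" % line)
    dest = ipaddress.IPv4Network((tok[1], tok[2]), strict=False)   # host bits masked off
    proto = int(tok[4]) if tok[4].isdigit() else PROTO_NUM[tok[4].lower()]
    action, rest, args = tok[7], tok[8:], []
    if action not in ACTIONS:
        raise ValueError("unknown action %r" % action)
    if action == "src-nat" and rest[:1] == ["tunnel"]:
        args, rest = ["tunnel"], rest[1:]
    elif action == "src-nat" and rest[:1] == ["vlan"]:
        args, rest = ["vlan", int(rest[1])], rest[2:]
    elif action == "dst-nat" and rest and rest[0].isdigit():        # dst-nat <port>
        args, rest = [int(rest[0])], rest[1:]
    elif action == "dst-nat":                                       # dst-nat <IP-address> <port>
        args, rest = [rest[0], int(rest[1])], rest[2:]
    return Rule(dest, tok[3] == "invert", proto, int(tok[5]), int(tok[6]), action, args, rest)

def matches(rule: Rule, dst_ip: str, proto: int, port: int) -> bool:
    in_dest = ipaddress.IPv4Address(dst_ip) in rule.dest
    if in_dest == rule.invert:           # match needs in_dest True, invert needs it False
        return False
    return rule.proto == proto and rule.start_port <= port <= rule.end_port

def evaluate(rules: List[Rule], dst_ip: str, proto: int, port: int) -> Optional[Rule]:
    """First rule matching the flow; top-down first-match order is an assumption here."""
    return next((r for r in rules if matches(r, dst_ip, proto, port)), None)

# Rules from the page's "employee" example, plus one constructed dst-nat rule (last line).
RULES = [parse_rule(l) for l in [
    "rule 192.0.2.8 255.255.255.255 invert 6 110 110 permit",
    "rule 192.0.2.2 255.255.255.0 match 6 631 631 permit",
    "rule 192.0.2.8 255.255.255.255 invert 6 21 21 deny",
    "rule 192.0.2.1 255.255.255.0 invert 17 67 69 deny",
    "rule 192.0.2.20 255.255.255.255 match tcp 80 80 dst-nat 192.0.2.30 8080 log",
]]

if __name__ == "__main__":
    # The TCP-only port 21 deny does not cover UDP port 21: a separate UDP rule is needed.
    for proto in (6, 17):
        hit = evaluate(RULES, "203.0.113.5", proto, 21)
        print(proto, hit.action if hit else "no rule matched")
```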
