Configuring ACLs for Deep Packet Inspection

An ACL (Access Control List) is a common way of restricting certain types of traffic on a physical port. DPI (Deep Packet Inspection) is an advanced method of network packet filtering used to inspect the data packets exchanged between devices and systems over a network; it functions at the Application layer of the Open Systems Interconnection (OSI) reference model and lets you identify, categorize, track, reroute, or stop packets passing through a network.

To configure ACL rules for a user role for DPI, complete the following procedure:

  1. In the WebUI, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click Show Advanced.
  5. Click the Security tab.

    The Security page is displayed.

  6. Under Roles, select the role for which you want to configure access rules.
  7. Under Access Rules For Selected Roles, click + to add a new rule.

    The Access Rule window is displayed.

  8. Under Rule Type, select Access Control.
  9. To configure access to applications or application categories, select a service category from the following list:
    • Network
    • App Category
    • Application
    • Web Category
    • Web Reputation
  10. Based on the selected service category, configure the following parameters:

    Table 1: Access Rule Configuration Parameters (each entry gives the parameter name followed by its description)

    App Category

    Select the application categories to which you want to allow or deny access.

    Application

    Select the applications to which you want to allow or deny access.

    Application Throttling

    Application throttling allows you to set a bandwidth limit for an application, application category, web category, or for sites based on their web reputation. For example, you can limit the bandwidth rate for video streaming applications such as YouTube or Netflix, or assign a low bandwidth to high-risk sites. If your IAP model does not support configuring access rules based on application or application category, you can create a rule based on web category or website reputation and assign the bandwidth rates.

    To specify a bandwidth limit:

    1. Select the Application Throttling check box.
    2. Specify the Downstream and Upstream rates in Kbps.

    The Downstream and Upstream throttling values must each be a number between 1 and 2147482 Kbps.

    Action

    Select one of the following actions:

    • Destination-NAT—Translation of the destination IP address of a packet entering the network.
    • Source-NAT—Used by internal users to access the internet.
    • Allow—Select Allow to allow access to users based on the access rule.
    • Deny—Select Deny to deny access to users based on the access rule.

    Destination

    Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.

    • To all destinations— Access is allowed or denied to all destinations.
    • To a particular server—Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
    • Except to a particular server—Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
    • To a network—Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
    • Except to a network—Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
    • To a Domain Name—Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the Domain Name text box.
    • To AP IP—Traffic to the specified IAP is allowed. After selecting this option, specify the IP address in the IP text box.
    • To AP Network—Traffic to the specified IAP network is allowed. After selecting this option, specify the IP address in the IP text box.
    • To conductor IP—Traffic to the specified conductor IAP or virtual controller is allowed. After selecting this option, specify the IP address in the IP text box.

    Log

    Select this check box if you want a log entry to be created when this rule is triggered. HPE Aruba Networking Central supports firewall-based logging (a firewall is a network security system used for preventing unauthorized access to or from a private network). Firewall logs on the IAPs are generated as security logs.

    Denylist

    Select the Denylist check box to denylist the client when this rule is triggered. The denylisting lasts for the duration specified as Auth failure denylist time on the Denylisting tab of the Security window. For more information, see Denylisting IAP Clients.

    Classify Media

    Select the Classify Media check box to classify and tag media carried over HTTPS traffic as voice and video packets.

    Disable Scanning

    Select the Disable Scanning check box to disable ARM (Adaptive Radio Management) scanning when this rule is triggered. ARM dynamically monitors and adjusts the network to ensure that all users are allowed ready access; it makes full use of the available spectrum to support the maximum number of users by intelligently choosing the best RF channel and transmit power for APs in their current RF environment.

    The Disable Scanning selection applies only if ARM scanning is enabled. For more information, see Configuring Radio Parameters.

    DSCP Tag

    Select this check box to add a DSCP (Differentiated Services Code Point) tag to the rule. DSCP is a 6-bit packet header value used for traffic classification and priority assignment; it is an L3 mechanism for classifying and managing network traffic and providing QoS (Quality of Service, the capability of a network to provide better service and performance to specific network traffic over various technologies) on the network. To assign a higher priority, specify a higher value.

    802.1p priority

    Select this check box to enable 802.1p priority. 802.1p priority is an L2 protocol for traffic prioritization to manage QoS on the network. There are eight levels of priority, 0-7. To assign a higher priority, specify a higher value.

    Time Range

    Select this check box to allow users to access the network only during a specific time period. You can select the time range profile from the drop-down list that appears when the Time Range check box is selected. For more information on time range profiles, see Configuring Time-Based Services for Wireless Network Profiles.

  11. Click Save.
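The following example, added here and not taken from the HPE Aruba Networking Central documentation or product code, models the rule parameters from Table 1 so you can check a role's rule set before saving it: it validates the value ranges the table states (throttling 1-2147482 Kbps, 802.1p 0-7, DSCP as a 6-bit value) and the destination options (to or except a server or network), then evaluates sample flows against an ordered rule list. The rule field names, the "first match wins, otherwise deny" evaluation order, and the sample guest role are this example's own assumptions, not documented product behaviour.

```python
"""Model of DPI access-rule parameters (added example, not product code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Value ranges stated in the documentation.
THROTTLE_MIN_KBPS, THROTTLE_MAX_KBPS = 1, 2147482   # Application Throttling
DOT1P_MIN, DOT1P_MAX = 0, 7                         # 802.1p priority levels
DSCP_MIN, DSCP_MAX = 0, 63                          # DSCP is a 6-bit field

VALID_ACTIONS = {"allow", "deny", "src-nat", "dst-nat"}
VALID_DEST_MODES = {"all", "server", "except-server", "network", "except-network"}


@dataclass
class AccessRule:
    """One access rule of a role; the field names are this example's, not the WebUI's."""
    name: str
    action: str
    app_match: str = "any"               # application or category name; "any" matches everything
    dest_mode: str = "all"
    dest: Optional[str] = None           # IP address (server modes) or CIDR network (network modes)
    log: bool = False
    denylist: bool = False
    downstream_kbps: Optional[int] = None
    upstream_kbps: Optional[int] = None
    dscp: Optional[int] = None
    dot1p: Optional[int] = None

    def validate(self) -> List[str]:
        """Return configuration problems; an empty list means the rule is acceptable."""
        problems = []
        if self.action not in VALID_ACTIONS:
            problems.append(f"{self.name}: unknown action {self.action!r}")
        if self.dest_mode not in VALID_DEST_MODES:
            problems.append(f"{self.name}: unknown destination mode {self.dest_mode!r}")
        elif self.dest_mode != "all":
            try:  # the server/network modes require an address or network to be specified
                ipaddress.ip_network(self.dest or "", strict=False)
            except ValueError:
                problems.append(f"{self.name}: mode {self.dest_mode!r} needs an IP address or network")
        for label, rate in (("downstream", self.downstream_kbps), ("upstream", self.upstream_kbps)):
            if rate is not None and not THROTTLE_MIN_KBPS <= rate <= THROTTLE_MAX_KBPS:
                problems.append(f"{self.name}: {label} rate {rate} Kbps outside "
                                f"{THROTTLE_MIN_KBPS}-{THROTTLE_MAX_KBPS}")
        if self.dscp is not None and not DSCP_MIN <= self.dscp <= DSCP_MAX:
            problems.append(f"{self.name}: DSCP {self.dscp} outside {DSCP_MIN}-{DSCP_MAX}")
        if self.dot1p is not None and not DOT1P_MIN <= self.dot1p <= DOT1P_MAX:
            problems.append(f"{self.name}: 802.1p priority {self.dot1p} outside {DOT1P_MIN}-{DOT1P_MAX}")
        return problems

    def matches(self, app: str, dst_ip: str) -> bool:
        """True when this rule applies to a flow of application `app` towards `dst_ip`."""
        if self.app_match != "any" and self.app_match != app:
            return False
        if self.dest_mode == "all":
            return True
        inside = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dest, strict=False)
        # "server"/"network" match inside the destination; the "except" forms match outside it.
        return inside if self.dest_mode in ("server", "network") else not inside


def validate_role(rules: List[AccessRule]) -> List[str]:
    """Collect the problems of every rule in a role."""
    return [problem for rule in rules for problem in rule.validate()]


def evaluate(rules: List[AccessRule], app: str, dst_ip: str) -> Dict:
    """First matching rule wins; with no match the flow is denied (assumed implicit deny)."""
    for rule in rules:
        if rule.matches(app, dst_ip):
            return {
                "rule": rule.name,
                "action": rule.action,
                "log": f"rule={rule.name} app={app} dst={dst_ip} action={rule.action}" if rule.log else None,
                "denylist_client": rule.denylist,
                "throttle_kbps": (rule.downstream_kbps, rule.upstream_kbps),
            }
    return {"rule": None, "action": "deny", "log": None, "denylist_client": False,
            "throttle_kbps": (None, None)}


# Constructed sample role (not from the page): throttle video, block peer-to-peer and
# denylist the client, keep guests off the 10.0.0.0/8 LAN, allow everything else.
GUEST_ROLE = [
    AccessRule("throttle-video", "allow", app_match="youtube",
               downstream_kbps=2000, upstream_kbps=512, dscp=0),
    AccessRule("block-p2p", "deny", app_match="peer-to-peer", log=True, denylist=True),
    AccessRule("no-lan", "deny", dest_mode="network", dest="10.0.0.0/8", log=True),
    AccessRule("internet", "allow", dest_mode="except-network", dest="10.0.0.0/8"),
]

if __name__ == "__main__":
    for problem in validate_role(GUEST_ROLE):
        print("config problem:", problem)
    for app, dst in (("youtube", "203.0.113.10"), ("peer-to-peer", "203.0.113.10"),
                     ("web", "10.1.2.3"), ("youtube", "10.1.2.3")):
        print(app, dst, "->", evaluate(GUEST_ROLE, app, dst))
```

Running the sample shows why rule order deserves a check before you click Save: the throttling rule for YouTube is written "to all destinations" and sits above the LAN deny, so YouTube flows to 10.1.2.3 are allowed (and throttled) rather than blocked by the later rule. Moving the deny above the throttling rule, or giving the throttling rule an "except to a network" destination, closes that gap.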