An Access Control List (ACL) is a common way of restricting certain types of traffic on a physical port. Deep Packet Inspection (DPI) is an advanced method of network packet filtering that is used for inspecting data packets exchanged between the devices and systems over a network. DPI functions at the Application layer of the Open Systems Interconnection (OSI) reference model and enables users to identify, categorize, track, reroute, or stop packets passing through a network.
To configure ACL rules for a user role for DPI, complete the following procedure:
- In the Aruba Central app, set the filter to a group containing at least one AP.
The dashboard context for the group is displayed.
A list of APs is displayed in the view.
, click > .
- Click the
The tabs to configure the APs are displayed.
- Click .
- Click the
The Security page is displayed.
- Under , select the role for which you want to configure access rules.
The Access Rule window is displayed.
, click to add a new rule.
- Under , select
- To configure access to applications or application categories, select a service category from the following list:
- App Category
- Web Category
- Web Reputation
- Based on the selected service category, configure the following parameters:
Table 1: Access Rule Configuration Parameters
Select the application categories to which you want to allow or deny access.
Select the applications to which you want to allow or deny access.
Application throttling allows you to set a bandwidth limit for an application, application category, web category, or for sites based on their web reputation. For example, you can limit the bandwidth rate for video streaming applications such as YouTube or Netflix, or assign a low bandwidth to high-risk sites. If your IAP model does not support configuring access rules based on application or application category, you can create a rule based on web category or website reputation and assign the bandwidth rates.
To specify a bandwidth limit:
- Select the check box.
- Specify the and rates in Kbps.
The application throttling value for and must be a number in the range 1-2147482 Kbps.
Select one of the following actions:
- —Translation of the destination IP address of a packet entering the network.
- —Used by internal users to access the internet.
- —Select to allow access to users based on the access rule.
- —Select to deny access to users based on the access rule.
Select a destination option for the access rules for network services, applications, and application categories. You can allow or deny access to any of the following destinations based on your requirements.
- — Access is allowed or denied to all destinations.
- —Access is allowed or denied to a particular server. After selecting this option, specify the IP address of the destination server.
- —Access is allowed or denied to servers other than the specified server. After selecting this option, specify the IP address of the destination server.
- —Access is allowed or denied to a network. After selecting this option, specify the IP address and netmask for the destination network.
- —Access is allowed or denied to networks other than the specified network. After selecting this option, specify the IP address and netmask of the destination network.
- —Access is allowed or denied to the specified domains. After selecting this option, specify the domain name in the text box.
- —Traffic to the specified IAP is allowed. After selecting this option, specify the domain name in the text box.
- —Traffic to the specified IAP network is allowed. After selecting this option, specify the domain name in the text box.
- —Traffic to the specified conductor IAP or virtual controller is allowed. After selecting this option, specify the domain name in the text box.
Select this check box if you want a log entry to be created when this rule is triggered. Aruba Central supports firewall-based logging. A firewall is a network security system used for preventing unauthorized access to or from a private network. Firewall logs on the IAPs are generated as security logs.
Select the check box to denylist the client when this rule is triggered. The denylisting lasts for the duration specified as on the tab of the window.
For more information, see Denylisting IAP Clients.
Select the check box to classify and tag media on HTTPS traffic as voice and video packets.
Select the check box to disable Adaptive Radio Management (ARM) scanning when this rule is triggered. ARM dynamically monitors and adjusts the network to ensure that all users are allowed ready access. It enables full utilization of the available spectrum to support the maximum number of users by intelligently choosing the best RF channel and transmit power for APs in their current RF environment.
The selection of this check box applies only if ARM scanning is enabled.
For more information, see Configuring Radio Parameters.
Select this check box to add a Differentiated Services Code Point (DSCP) tag to the rule. DSCP is a 6-bit packet header value used for traffic classification and priority assignment. It is an L3 mechanism for classifying and managing network traffic and providing Quality of Service (QoS) on the network. QoS refers to the capability of a network to provide better service and performance to specific network traffic over various technologies. To assign a higher priority, specify a higher value.
Select this check box to enable 802.1p priority. 802.1p priority is an L2 protocol for traffic prioritization to manage QoS on the network. There are eight levels of priority, 0-7. To assign a higher priority, specify a higher value.
Select this check box to enable users to access the network for a specific time period. You can select the time range profile from the drop-down list that appears when the check box is selected.
For more information on time range profiles, see Configuring Time-Based Services for Wireless Network Profiles.
- Click .
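The destination options and value ranges in the table above can be checked before a rule is entered. The following is an added example, not Aruba Central code or an Aruba API: the option keys (`all`, `server`, `except_server`, `network`, `except_network`), the rule dictionary fields, and the sample rule are hypothetical and constructed for illustration.

```python
import ipaddress

# Limits from the page: throttle 1-2147482 Kbps, 802.1p levels 0-7.
# DSCP is a 6-bit value, so 0-63.
THROTTLE_KBPS = range(1, 2147482 + 1)
DSCP = range(0, 64)
DOT1P = range(0, 8)


def destination_matches(kind, dest_ip, target=None):
    """True if dest_ip falls under the rule's destination option.

    kind is a hypothetical key (not a UI label): "all", "server",
    "except_server", "network" or "except_network". target is an IP
    address, or "address/netmask" for the two network options.
    """
    ip = ipaddress.ip_address(dest_ip)
    if kind == "all":
        return True
    if kind in ("server", "except_server"):
        hit = ip == ipaddress.ip_address(target)
    elif kind in ("network", "except_network"):
        # strict=True rejects an address with host bits set under the mask
        hit = ip in ipaddress.ip_network(target, strict=True)
    else:
        raise ValueError(f"unknown destination option: {kind}")
    # The "except" options invert the match: everything else is covered.
    return hit != kind.startswith("except_")


def validate_rule(rule):
    """Return a list of range and address errors for one rule dict."""
    errors = []
    for rate in rule.get("rates_kbps", ()):
        if rate not in THROTTLE_KBPS:
            errors.append(f"throttle rate {rate} Kbps outside 1-2147482")
    if "dscp" in rule and rule["dscp"] not in DSCP:
        errors.append(f"DSCP {rule['dscp']} outside 0-63")
    if "dot1p" in rule and rule["dot1p"] not in DOT1P:
        errors.append(f"802.1p priority {rule['dot1p']} outside 0-7")
    try:
        destination_matches(rule.get("dest"), "0.0.0.0", rule.get("target"))
    except (ValueError, TypeError) as exc:
        errors.append(f"destination: {exc}")
    return errors


# Constructed sample rule: applies to everything outside 198.51.100.0/24.
SAMPLE = {"dest": "except_network", "target": "198.51.100.0/255.255.255.0",
          "rates_kbps": (512, 2048), "dscp": 46, "dot1p": 5}
```

An "except" rule paired with a deny action covers every destination outside the named server or network, so it is worth confirming with `destination_matches` that the intended traffic is the only traffic left reachable.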