Configuring Access Policies on AOS-S Switches

To restrict certain types of traffic on the physical ports of AOS-S switches, you can configure ACLs (Access Control Lists) from the Aruba Central UI. An ACL is a common way of restricting certain types of traffic on a physical port: each rule matches traffic by source, destination, protocol and (for TCP, UDP and SCTP) ports, and permits or denies it.

To create an access policy, complete the following steps:

  1. In the Aruba Central app, select one of the following options:
    • To select a switch group in the filter:
      1. Set the filter to a group containing at least one switch.
        The dashboard context for the group is displayed.
      2. Under Manage, click Devices > Switches.
      3. Click the AOS-S Config or Config icon to view the switch configuration dashboard.
    • To select a switch in the filter:
      1. Set the filter to Global or a group containing at least one switch.
      2. Under Manage, click Devices > Switches.
        A list of switches is displayed in the List view.
      3. Click a switch under Device Name.
        The dashboard context for the switch is displayed.
      4. Under Manage, click Device.
        The tabs to configure the switch are displayed.
  2. Click Security > Access Policy. The Access Policy page is displayed.
  3. Click + to add a new access policy. The New Access Policy page is displayed.
  4. Enter a name for the policy.
  5. Click Add.
  6. To add a rule to the access policy, click + under Rules for <policy name> (for example, Rules for test if the policy is named test), and configure the following parameters:

    Table 1: Configuring Rules for Access Policies

    Parameter     Description

    Source        Select the source of the traffic for which you want to create an access rule: Any, Network, or Host.
                  For Network, specify the IP address and wildcard mask (a 0 bit in the mask must match the address, a 1 bit is ignored; 0.0.0.255 covers a /24).
                  For Host, specify the IP address.

    Destination   Select the destination of the traffic: Any, Network, or Host.
                  For Network, specify the IP address and wildcard mask.
                  For Host, specify the IP address.

    Protocol      Select the protocol from the drop-down. Supported protocol types: GRE (Generic Routing Encapsulation), ESP (Encapsulating Security Payload), AH (Authentication Header), OSPF (Open Shortest Path First), PIM (Protocol-Independent Multicast), VRRP (Virtual Router Redundancy Protocol), ICMP (Internet Control Message Protocol), IGMP (Internet Group Management Protocol), IP, SCTP (Stream Control Transmission Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol), IP_IN_IP, and IPv6_IN_IP.
                  If you select SCTP, TCP, or UDP, the Source ports and Destination ports fields are displayed. Selecting IP matches every IP protocol.

    Action        The action that the switch performs on matching traffic received at the port: Permit or Deny.

  7. Click OK.
  8. Click Save Settings.
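As an added worked example (this is not Aruba's code and nothing in Aruba Central runs it), the following Python models how the rule parameters in Table 1 are evaluated against a packet: Source and Destination as Any, Network with a wildcard mask, or Host; the Protocol; the ports that only apply to TCP, UDP and SCTP; and the Permit or Deny action. It uses standard ACL semantics, which AOS-S ACLs share: rules are checked in order, the first match decides, and traffic that matches no rule is dropped by an implicit deny. The addresses, rules and packets are constructed for illustration, and the WRONG_MASK policy shows the common mistake of typing a subnet mask into the wildcard-mask field, which inverts the intended match.

```python
"""Model of how an access-policy rule (Table 1) is evaluated on an AOS-S port."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# Protocols for which the UI shows Source ports / Destination ports fields.
PORT_PROTOCOLS = {"tcp", "udp", "sctp"}


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: enough fields for ACL matching."""
    protocol: str                 # "tcp", "udp", "sctp", "icmp", ...
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Match:
    """Source or destination selector: Any, Network (address + wildcard mask), or Host."""
    kind: str                     # "any", "network", or "host"
    address: str = "0.0.0.0"
    wildcard: str = "0.0.0.0"     # only used for kind == "network"

    def matches(self, ip: str) -> bool:
        if self.kind == "any":
            return True
        if self.kind == "host":
            return IPv4Address(ip) == IPv4Address(self.address)
        # Wildcard-mask semantics: a 0 bit must match exactly, a 1 bit is "don't care".
        care = ~int(IPv4Address(self.wildcard)) & 0xFFFFFFFF
        return (int(IPv4Address(ip)) & care) == (int(IPv4Address(self.address)) & care)


@dataclass(frozen=True)
class Rule:
    """One row of the Rules list: action, protocol, source, destination, optional ports."""
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip" matches every IP protocol
    src: Match
    dst: Match
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not (self.src.matches(pkt.src_ip) and self.dst.matches(pkt.dst_ip)):
            return False
        if self.protocol in PORT_PROTOCOLS:   # ports are only meaningful here
            if self.src_port is not None and self.src_port != pkt.src_port:
                return False
            if self.dst_port is not None and self.dst_port != pkt.dst_port:
                return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule hits the implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def wildcard_for_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network, e.g. 24 -> '0.0.0.255'."""
    return str(IPv4Address((1 << (32 - prefix_len)) - 1))


# Constructed policy: deny Telnet from the 10.1.1.0/24 user network to the
# management host 10.2.2.10, then permit everything else (no implicit deny surprise).
BLOCK_TELNET = [
    Rule("deny", "tcp",
         Match("network", "10.1.1.0", wildcard_for_prefix(24)),
         Match("host", "10.2.2.10"), dst_port=23),
    Rule("permit", "ip", Match("any"), Match("any")),
]

# Same intent, but a subnet mask typed into the wildcard-mask field: 255.255.255.0
# makes the first three octets "don't care" and pins only the last octet to 0.
WRONG_MASK = [
    Rule("deny", "tcp",
         Match("network", "10.1.1.0", "255.255.255.0"),
         Match("host", "10.2.2.10"), dst_port=23),
    Rule("permit", "ip", Match("any"), Match("any")),
]

if __name__ == "__main__":
    telnet = Packet("tcp", "10.1.1.7", "10.2.2.10", 51000, 23)
    https = Packet("tcp", "10.1.1.7", "10.2.2.10", 51001, 443)
    print("correct policy:", evaluate(BLOCK_TELNET, telnet), evaluate(BLOCK_TELNET, https))
    print("wrong mask:    ", evaluate(WRONG_MASK, telnet))
```

Two things worth taking from the model when building rules in the UI: a policy that contains only Deny rules denies everything else as well, so add an explicit Permit rule for traffic that should still flow, and a wildcard mask is the bitwise inverse of a subnet mask, so 10.1.1.0 with 255.255.255.0 matches any address ending in .0 rather than the /24.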

An access policy does not take effect until it is applied to a switch port and to the VLAN (Virtual Local Area Network, a Layer 2 broadcast domain isolated from other VLANs so that traffic passes between them only through a router) assigned to that port. For more information on access policy assignment to ports and VLANs, see the following topics: