Link Search Menu Expand Document

Access Lists Tab

Configuration > Templates & Policies > Policies > ACLs > Access Lists

This tab lists the configured Access Control List (ACL) rules. An ACL is a reusable MATCH criteria for filtering flows. It is associated with an action: permit or deny. An ACL can be a MATCH condition in more than one policy—Route, QoS, or Optimization.

Field Description
Appliance Name of the appliance selected.
ACLs Access Control Lists. A list of one or more ordered access control rules.

NOTE: An ACL only becomes active when it is used in a policy.
Priority For ACL rules, you can set the priority to a value within the range 1 to 65535. When adding a rule, the priority is incremented by ten from the previous rule. You can change the priority, but this default behavior helps ensure that you can insert new rules without having to change subsequent priorities.
Match Criteria Configured ACL match criteria associated to the appliance. See below for more information about Match Criteria.
Permit Whether the ACL is set to Permit or Deny.

Permit allows the matching traffic flow to proceed to the policy entry’s associated SET actions.

Deny prevents further processing of the flow by that ACL, specifically. The appliance continues to the next entry in the policy.
Comment Any additional information about the ACL.

Click the edit icon to make add, delete, or modify rules to your ACLs.

Match Criteria

  • These are universal across all policy maps—Route, QoS, Optimization, NAT (Network Address Translation), and Security.

  • If you expect to use the same match criteria in different maps, you can create an ACL (Access Control List), which is a named, reusable set of rules. For efficiency, create them in Configuration > Templates & Policies > ACLs > Access Lists, and apply them across appliances.

  • The available parameters are Application, Address Map (for sorting by country, IP address owner, or SaaS application), Domain, Geo Location, Interface, Protocol, DSCP, IP/Subnet, Port, Traffic Behavior Overlay, Fabric or Internet, and User Role (the User Role as specified in the authentication exchange with the ClearPass RADIUS server).

    NOTE: User Role options include the RADIUS User Role, User Name, User Group, User Device, or User MAC. Configuring User Role match criteria enables an EdgeConnect to automatically assign traffic steering and firewall zone policies.

    NOTE: Additional attributes under the Address Map parameter can be used as match criteria. These attributes are secondary parameters to the address map, so the attributes are evaluated for a policy match only when the configured address map parameter matches the flow. To configure these attributes, click +Attributes.

  • To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.

    NOTE: Source and destination role-based policies can be configured when both source and destination users are in the same network.

Wildcard-based Prefix Matching Rules

  • Even when using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the dot notation. For example, A.B.C.D.

  • Range is specified using a single dash. For example, 128-129.

  • Wildcard is specified as an asterisk (*).

  • Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, 10.136-137.*.64-95.

  • A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. Use 10.130-139.*.64-95 to specify this range.

  • The same rules apply to IPv6 addressing.

  • CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, is not supported. Use either or

  • These prefix-matching rules apply to the following policies only: Route, QoS, Optimization, NAT, Security, and ACLs.

Access Lists Edit Row

The Access Lists dialog box lists the configured Access Control List (ACL) rules.

You can add, delete, or rename an ACL by clicking the buttons at the top of this dialog box. You can also add rules to an ACL.

  1. Click Add Rule.

  2. Enter a priority value.

  3. Click the edit icon to configure the match criteria. The Match Criteria dialog box opens and you can specify the match criteria. Click More Options to apply more rules.

  4. Select if you want to Permit or Deny traffic in the ACL.

  5. Enter any comments if you decide to do so.

Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP.

To view the end-user software agreement, go to HPE Aruba Networking EULA.

Open Source Code:

This product includes code licensed under certain open source licenses which require source compliance. The corresponding source for these components is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, please check if the code is available in the HPE Software Center at but, if not, send a written request for specific software version and product for which you want the open source code. Along with the request, please send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America