Link Search Menu Expand Document

Access Lists Template

Use this page to create, modify, delete, and rename Access Control Lists (ACLs).

img

An ACL is a reusable MATCH criteria for filtering flows.

NOTE: All selected match criteria options are ANDed to form the final match specification. For example, if you select Application Group and Application, both specifications are used to determine how the policy is applied. Review the summary of your match criteria at the bottom of this dialog.

Click More Options and More User Profile Options to display more match criteria selections. The More User Profile Options displays match criteria for identity-based traffic monitoring (User MAC, User Name, User Device, User Group, and User Vlan). For more information on these options, see HPE Aruba Networking SD-WAN Identity-Based Traffic Management User Guide.

It is associated with an action, permit or deny. You can use the same ACL as the MATCH condition in more than one policy: Route, QoS, Optimization, or NAT.

  • An ACL consists of one or more ordered access control rules.

  • An ACL only becomes active when it is used in a policy.

  • Deny prevents further processing of the flow by that ACL, specifically. The appliance continues to the next entry in the policy.

  • Permit allows the matching traffic flow to proceed on to the policy entry’s associated SET actions. The default is permit.

  • When creating ACL rules, list deny statements first, and prioritize less restrictive rules ahead of more restrictive rules.

Priority

  • For ACL rules, you can set the priority to a value within the range 1 to 65535. When adding a rule, the priority is incremented by ten from the previous rule. You can change the priority, but this default behavior helps ensure that you can insert new rules without having to change subsequent priorities.

Match Criteria

  • To specify different criteria for inbound versus outbound traffic, select the Source:Dest check box.

Source or Destination

  • An IP address can specify a subnet - for example: 10.10.10.0/24.

  • To allow any IP address, use 0.0.0.0/0.

  • Ports are available only for the protocols tcp, udp, and tcp/udp.

  • To allow any port, use 0.

Wildcard-based Prefix Matching Rules

  • Even when using a range or a wildcard, the IPv4 address must be specified in the 4-octet format, separated by the dot notation. For example, A.B.C.D.

  • Range is specified using a single dash. For example, 128-129.

  • Wildcard is specified as an asterisk (*).

  • Range and Wildcard can both be used in the same address, but an octet can only contain one or the other. For example, 10.136-137.*.64-95.

  • A wildcard can only be used to define an entire octet. For example, 10.13*.*.64-95 is not supported. Use 10.130-139.*.64-95 to specify this range.

  • The same rules apply to IPv6 addressing.

  • CIDR notation and (Range or Wildcard) are mutually exclusive in the same address. For example, 192.168.0.1-127/24 is not supported. Use either 192.168.0.0/24 or 192.168.0.1-127.

  • These prefix-matching rules apply to the following policies only: Route, QoS, Optimization, NAT, Security, and ACLs.


Back to top

© Copyright 2025 Hewlett Packard Enterprise Development LP.

For third-party trademark acknowledgements, go to Trademark Acknowledgements. All third-party marks are property of their respective owners.

To view the end-user software agreement, go to HPE Aruba Networking EULA.

Open Source Code:

This product includes code licensed under certain open source licenses which require source compliance. The corresponding source for these components is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, please check if the code is available in the HPE Software Center at https://myenterpriselicense.hpe.com/cwp-ui/software but, if not, send a written request for specific software version and product for which you want the open source code. Along with the request, please send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America