
ACL Rules

Overview

Subnet-based access control for Apstra GUI access (whitelisting) is introduced in Apstra version 4.1.2 as part of a platform security enhancement. You can configure Access Control List (ACL) rules for IPv4 networks. (IPv6 is not supported on the Apstra web framework.) When you create and enable rules, the rules are automatically sorted from more specific to less specific, and IP addresses are checked against them in that order. If the rule allows access to a subnet, any IP address within that subnet is allowed access. If the rule denies access to a subnet, any IP address within that subnet is denied access.

Enable / Disable ACL Rules

Access control list rules are disabled by default.

If you enable ACL rules, make sure you always add a rule to allow access to a subnet that your IP address is a part of, so you don't lock yourself out.

If you enable ACL rules, and the default rule (0.0.0.0/0) is set to deny, the Apstra UI and system agents can't make necessary REST API calls to the Apstra controller unless you add a rule to allow access from loopback (127.0.0.0/8) and docker (172.17.0.0/16) networks.
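The longest-prefix evaluation described in the Overview and the two lockout conditions above, as an added illustration that is not Apstra code: `AclRule`, `is_allowed`, `lockout_problems` and the sample rule set are assumptions made for the example, and the matching order (most specific subnet first, 0.0.0.0/0 as the catch-all) follows the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    subnet: str          # IPv4 subnet in CIDR notation
    allow: bool          # True = allow, False = deny
    comment: str = ""


# Networks the page says must be allowed explicitly when 0.0.0.0/0 denies,
# so the UI and system agents can still reach the controller's REST API.
REQUIRED_WHEN_DEFAULT_DENIES = ("127.0.0.0/8", "172.17.0.0/16")


def sort_rules(rules):
    """Most specific (longest prefix) first, as Apstra sorts enabled rules."""
    return sorted(rules, key=lambda r: ipaddress.ip_network(r.subnet).prefixlen,
                  reverse=True)


def is_allowed(rules, ip):
    """Decide access for one address: the first matching rule in sorted order wins.
    0.0.0.0/0 matches everything, so it acts as the catch-all."""
    addr = ipaddress.ip_address(ip)
    for rule in sort_rules(rules):
        if addr in ipaddress.ip_network(rule.subnet):
            return rule.allow
    raise ValueError("no 0.0.0.0/0 rule; every address must match something")


def lockout_problems(rules, admin_ip):
    """Pre-enable check: list the ways this rule set would lock you out."""
    problems = []
    default = next((r for r in rules if r.subnet == "0.0.0.0/0"), None)
    if default is None:
        return ["missing default rule 0.0.0.0/0"]
    if not is_allowed(rules, admin_ip):
        problems.append(f"admin address {admin_ip} would be denied")
    if not default.allow:
        for net in REQUIRED_WHEN_DEFAULT_DENIES:
            # spot-check the first host of each internal network (hypothetical probe)
            probe = str(ipaddress.ip_network(net)[1])
            if not is_allowed(rules, probe):
                problems.append(f"{net} would be denied (breaks UI/agent REST calls)")
    return problems


# Constructed sample: default deny, admin /24 allowed inside a denied /8, internal nets missing.
SAMPLE_RULES = [
    AclRule("0.0.0.0/0", False, "default deny"),
    AclRule("10.0.0.0/8", False, "corporate range denied"),
    AclRule("10.20.30.0/24", True, "NOC admins"),
]
```

Running `lockout_problems(SAMPLE_RULES, "10.20.30.7")` reports that the loopback and docker networks would be denied; adding allow rules for 127.0.0.0/8 and 172.17.0.0/16 clears both findings.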

  1. From the left navigation menu, navigate to Platform > Security > ACL to go to the table view.
  2. Click the toggle to enable or disable the rules, as applicable.

Add ACL Rule

  1. From the left navigation menu, navigate to Platform > Security > ACL and click Add ACL rule.
  2. Enter an IP subnet and select whether to allow or deny access to IP addresses within that subnet. You also have the option of adding a comment.
  3. Click Create to create the rule and return to the table view.

Edit ACL Rule

  1. From the left navigation menu, navigate to Platform > Security > ACL and click the Edit button for the rule to edit.
  2. Change the policy, as applicable. You also have the option of adding/editing/deleting a comment.
  3. Click Update to change the rule and return to the table view.

Delete ACL Rule

So that every IP address always matches some subnet, the default rule (0.0.0.0/0) can't be deleted.

  1. From the left navigation menu, navigate to Platform > Security > ACL and click the Delete button for the rule to delete.
  2. Click Delete to delete the rule and return to the table view.