Controller Based WLANs

How to configure a user role with an AppRF ACL?

Posted on 07-08-2014 03:27 PM

Introduction : AppRF is an application-aware deep packet inspection (DPI) technology introduced by Aruba Networks in ArubaOS (AOS) 6.4.

It adds the ability to write ACL rules that match on the application itself, rather than only on the traditional source and destination IP addresses and port numbers.

Beyond individual application names, applications are also grouped into application categories, and policies can be written against a category as a whole. For example, the Instant messaging category includes Skype and gtalk.

 

Feature Notes : AppRF currently classifies around 1415 applications.

 

Environment : This feature applies to scenarios that require granular, application-level control over network usage.

 

Network Topology : Controller========AP ))))) Wireless client
|
|
Wired clients

 

Configuration Steps : 1) Create a session ACL that uses AppRF rules. The example below permits Facebook and denies Gmail and YouTube. Rules are evaluated top-down and the first match wins, so the explicit deny rules must sit above the closing any any any permit rule; with that closing rule in place, every application that is not explicitly denied above it (including traffic DPI does not classify as one of those applications) is allowed.

(Abilash-Lab-Cont-master-6.4) (config) #
(Abilash-Lab-Cont-master-6.4) (config) # ip access-list session facebook
(Abilash-Lab-Cont-master-6.4) (config-sess-facebook)#any any app facebook permit
(Abilash-Lab-Cont-master-6.4) (config-sess-facebook)#  any any app gmail deny
(Abilash-Lab-Cont-master-6.4) (config-sess-facebook)#  any any app youtube deny
(Abilash-Lab-Cont-master-6.4) (config-sess-facebook)#  any any any  permit
(Abilash-Lab-Cont-master-6.4) (config-sess-facebook)#

2) Bind this ACL to a user role

(Abilash-Lab-Cont-master-6.4) (config) #user-role app-rf-role
(Abilash-Lab-Cont-master-6.4) (config-role) #ip access-list session facebook
(Abilash-Lab-Cont-master-6.4) (config-sess-facebook)#exit


3) Check the user role

(Abilash-Lab-Cont-master-6.4) #show rights app-rf-role

Derived Role = 'app-rf-role'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 ACL Number = 62/0
 Max Sessions = 65535


Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                    Type     Location
--------  ----                    ----     --------
1         global-sacl             session  
2         apprf-app-rf-role-sacl  session  
3         facebook                session  
4         ipv6-allowall           session  

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-app-rf-role-sacl
----------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
facebook
--------
Priority  Source  Destination  Service  Application   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any                   app facebook  permit                           Low                                                           4        
2         any     any                   app gmail     deny                             Low                                                           4        
3         any     any                   app youtube   deny                             Low                                                           4        
4         any     any          any                    permit                           Low                                                           4        
ipv6-allowall
-------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any-v6                permit                           Low                                                           6        

Expired Policies (due to time constraints) = 0

(Abilash-Lab-Cont-master-6.4) #
(Abilash-Lab-Cont-master-6.4) #
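Because first match wins, the order of the rules in the access-list table above is the whole policy. The following Python script is an added example (not Aruba code and not part of the original article): it parses an ACL table in the shape printed by show rights, simulates first-match evaluation for a few flows, flags rules that can never be reached because an earlier, broader rule precedes them, and reports whether the ACL ends in a catch-all permit. The table it runs on is constructed here in the same layout as the facebook ACL above; the extra appcategory rule and the category name "instant-messaging" are assumptions added for illustration, as is the simplified matching model (the "no match means deny" fallback and the way source, destination, service and application fields are compared).

```python
"""Order-check an ArubaOS AppRF session ACL as printed by `show rights <role>`.

Added example, not Aruba code. Parses the per-ACL rule table, simulates
first-match evaluation for a flow, reports shadowed (unreachable) rules and
detects a default-allow tail. The matching model is a simplification (assumption).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    priority: int
    source: str
    destination: str
    service: str      # "" for app rules, "any" or a service name otherwise
    application: str  # "", "app <name>" or "appcategory <name>"
    action: str       # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    app: Optional[str] = None       # DPI result; None if not classified
    category: Optional[str] = None  # category of `app`, if known
    source: str = "any"
    destination: str = "any"
    service: str = "any"


# Constructed sample in the layout of the `show rights` table above. The
# appcategory rule and the category name are assumptions for illustration.
SAMPLE = """\
facebook
--------
Priority  Source  Destination  Service  Application                    Action
--------  ------  -----------  -------  -----------                    ------
1         any     any                   app facebook                   permit
2         any     any                   app gmail                      deny
3         any     any                   app youtube                    deny
4         any     any                   appcategory instant-messaging  deny
5         any     any          any                                     permit
"""


def parse_rules(table: str) -> list[Rule]:
    """Slice each row by the column starts taken from the dashes line under the header."""
    lines = table.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Priority"):
            header, dashes, body = line, lines[i + 1], lines[i + 2:]
            break
    else:
        raise ValueError("no rule table (Priority header) found")
    starts = [m.start() for m in re.finditer(r"-+", dashes)]
    ends = starts[1:] + [None]
    names = [header[s:e].strip() for s, e in zip(starts, ends)]
    rules = []
    for line in body:
        if not line[:1].isdigit():
            continue  # blank line, next ACL name, footer text
        cell = {n: line[s:e].strip() for n, s, e in zip(names, starts, ends)}
        rules.append(Rule(int(cell["Priority"]), cell["Source"], cell["Destination"],
                          cell["Service"], cell["Application"], cell["Action"]))
    return rules


def _covers(field: str, value: str) -> bool:
    """A blank or 'any' field matches everything (assumption of this model)."""
    return field in ("", "any") or field == value


def matches(rule: Rule, flow: Flow) -> bool:
    if not (_covers(rule.source, flow.source) and _covers(rule.destination, flow.destination)
            and _covers(rule.service, flow.service)):
        return False
    if not rule.application:
        return True
    kind, _, name = rule.application.partition(" ")
    if kind == "app":
        return flow.app == name
    if kind == "appcategory":
        return flow.category == name
    raise ValueError(f"unknown application qualifier: {rule.application!r}")


def evaluate(rules: list[Rule], flow: Flow) -> Optional[Rule]:
    """First matching rule, or None (modelled here as an implicit deny; assumption)."""
    return next((r for r in rules if matches(r, flow)), None)


def shadowed(rules: list[Rule]) -> list[tuple[Rule, Rule]]:
    """(rule, earlier rule) pairs where the earlier rule already matches every flow
    the later one could match, so the later rule is dead. An appcategory rule is
    not treated as covering its member apps (conservative: category membership unknown)."""
    out = []
    for j, r in enumerate(rules):
        for prev in rules[:j]:
            if (_covers(prev.source, r.source) and _covers(prev.destination, r.destination)
                    and _covers(prev.service, r.service)
                    and prev.application in ("", r.application)):
                out.append((r, prev))
                break
    return out


def default_allow(rules: list[Rule]) -> bool:
    """True when the last rule is a catch-all permit: anything not classified as a
    denied application above it is allowed."""
    last = rules[-1]
    return (last.action == "permit" and last.application == "" and last.source == "any"
            and last.destination == "any" and last.service in ("", "any"))


if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    for flow in (Flow(app="gmail"), Flow(app="skype", category="instant-messaging"),
                 Flow(app="dropbox"), Flow()):
        hit = evaluate(rules, flow)
        print(flow.app or "unclassified", "->",
              f"{hit.action} by rule {hit.priority}" if hit else "deny (no match)")
    print("catch-all permit at the end:", default_allow(rules))
    # Same rules with the catch-all moved to the top: every application rule is dead.
    misordered = [rules[-1]] + rules[:-1]
    for r, by in shadowed(misordered):
        print(f"rule {r.priority} ({r.application} {r.action}) is shadowed by rule {by.priority}")
```

Run it against a real show rights capture by replacing SAMPLE with the pasted table for one ACL; the parser takes column positions from the dashes line, so the wider table printed by the controller (TimeRange, Log, Queue and the other columns) parses the same way.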

 

Answer : Once a user lands in the role configured with the AppRF ACL, deep packet inspection of that client's traffic starts.

[Image: apprf - user]


To check whether the user's traffic is hitting the AppRF ACL, the command shown below can be used:

[Image: apprf acl]

 

Verification : The controller WebUI provides a pictorial representation of the applications used by each user, based on AppRF classification.

[Image: apprf webui]

 

Troubleshooting : While troubleshooting, check the ACL hit counters to confirm whether the policy is being hit.

[Image: acl]
