Controller Based WLANs

What is Global Session ACL in AppRF?

by on 06-30-2014 02:25 AM

Environment: In AOS 6.4, with deep packet inspection enabled, the behaviour below is seen.

Answer: A Global-Sacl is an ACL that:

    Is placed at the beginning of every user role configured
    Occupies position 1
    Is empty by default and can be edited, e.g. to disable bittorrent globally for all roles
    Does not allow any other ACL to be placed in position 1



(Abilash-Lab-Cont-master-6.4) #show ip access-list global-sacl

ip access-list session global-sacl
global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------

(Abilash-Lab-Cont-master-6.4) #

The output below shows that all user-created roles on the controller have this Global-sacl.

(Abilash-Lab-Cont-master-6.4) #show rights

RoleTable
---------
Name              ACL  Bandwidth                                                              ACL List                                                                                                                                                     Type
----              ---  ---------                                                              --------                                                                                                                                                     ----
Corporate-role    78   Up: No Limit,Dn: No Limit                                              global-sacl/,apprf-Corporate-role-sacl/,social-network-policy/,allowall/                                                                                     User
IAP-role          82   Up: No Limit,Dn: No Limit                                              global-sacl/,apprf-IAP-role-sacl/,IAP-role/                                                                                                                  User
ap-role           6    Up: No Limit,Dn: No Limit                                              ra-guard/,control/,ap-acl/,v6-control/,v6-ap-acl/                                                                                                            System
app-rf-role       68   Up: Traditional-BW-cont (per role),Dn: Traditional-BW-cont (per role)  global-sacl/,apprf-app-rf-role-sacl/,Youtube/,blogger/,facebook/,ipv6-allowall/                                                                              User
authenticated     72   Up: No Limit,Dn: No Limit                                              global-sacl/,apprf-authenticated-sacl/,ra-guard/,allowall/,v6-allowall/                                                                                      User
cpbase            71   Up: No Limit,Dn: No Limit                                              global-sacl/,apprf-cpbase-sacl/                                                                                                                              User
default-via-role  67   Up: No Limit,Dn: No Limit                                              global-sacl/,apprf-default-via-role-sacl/,allowall/                                                                                                          User
default-vpn-role  70   Up: No Limit,Dn: No Limit                                              global-sacl/,apprf-default-vpn-role-sacl/,ra-guard/,allowall/,v6-allowall/                                                                                   User
denyall           73   Up: No Limit,Dn: No Limit                                                                                                                                                                                                           User
guest             4    Up: No Limit,Dn: No Limit                                              global-sacl/,apprf-guest-sacl/,ra-guard/,http-acl/,https-acl/,dhcp-acl/,icmp-acl/,dns-acl/,v6-http-acl/,v6-https-acl/,v6-dhcp-acl/,v6-icmp-acl/,v6-dns-acl/  User
guest-logon       9    Up: No Limit,Dn: No Limit                                              ra-guard/,logon-control/,captiveportal/,v6-logon-control/,captiveportal6/                                                                                    User
logon             2    Up: No Limit,Dn: No Limit                                              ra-guard/,logon-control/,captiveportal/,vpnlogon/,v6-logon-control/,captiveportal6/                                                                          User
stateful-dot1x    7    Up: No Limit,Dn: No Limit                                              global-sacl/,apprf-stateful-dot1x-sacl/                                                                                                                      System
sys-ap-role       10   Up: No Limit,Dn: No Limit                                              sys-control/,sys-ap-acl/                                                                                                                                     System (not editable)
test-no-app       76   Up: No Limit,Dn: No Limit                                              global-sacl/,apprf-test-no-app-sacl/                                                                                                                         User
voice             69   Up: No Limit,Dn: No Limit                                              global-sacl/,apprf-voice-sacl/,ra-guard/,sip-acl/,noe-acl/,svp-acl/,vocera-acl/,skinny-acl/,h323-acl/,dhcp-acl/,tftp-acl/,dns-acl/,icmp-acl/                 User

Total Roles:16

(Abilash-Lab-Cont-master-6.4) #
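
An added example, not part of the original article or any Aruba tooling: Python that parses `show rights` output using the column offsets of its dashed ruler and lists the roles whose ACL list does not begin with global-sacl, which are the roles a rule in the global-sacl does not reach. The function names are hypothetical, and the sample is constructed from six rows of the output above, re-rendered with narrower columns.

```python
import re

def parse_table(text):
    """Parse an ArubaOS fixed-width table, taking column offsets from its dashed ruler."""
    lines = text.splitlines()
    # Ruler = first line made of two or more dash groups (skips the title underline).
    idx = next(i for i, l in enumerate(lines) if re.fullmatch(r"-+(\s+-+)+\s*", l))
    starts = [m.start() for m in re.finditer(r"-+", lines[idx])]
    ends = starts[1:] + [None]  # last column runs to end of line
    header = [lines[idx - 1][s:e].strip() for s, e in zip(starts, ends)]
    rows = []
    for line in lines[idx + 1:]:
        if not line.strip():
            break  # blank line ends the table
        rows.append({h: line[s:e].strip() for h, s, e in zip(header, starts, ends)})
    return rows

def roles_without_global_sacl(show_rights_output):
    """Map role name -> (type, first ACL or None) where position 1 is not global-sacl."""
    gaps = {}
    for row in parse_table(show_rights_output):
        # An empty ACL List cell (e.g. denyall) must not shift the Type column.
        acls = [a.rstrip("/") for a in row["ACL List"].split(",") if a.strip()]
        first = acls[0] if acls else None
        if first != "global-sacl":
            gaps[row["Name"]] = (row["Type"], first)
    return gaps

# Constructed sample: rows copied from the `show rights` output above,
# laid out again as fixed-width text with narrower columns.
BW = "Up: No Limit,Dn: No Limit"
FMT = "{:<13}{:<5}{:<27}{:<76}{}"
ROWS = [
    ("Name", "ACL", "Bandwidth", "ACL List", "Type"),
    ("----", "---", "---------", "--------", "----"),
    ("IAP-role", "82", BW, "global-sacl/,apprf-IAP-role-sacl/,IAP-role/", "User"),
    ("ap-role", "6", BW, "ra-guard/,control/,ap-acl/,v6-control/,v6-ap-acl/", "System"),
    ("cpbase", "71", BW, "global-sacl/,apprf-cpbase-sacl/", "User"),
    ("denyall", "73", BW, "", "User"),
    ("guest-logon", "9", BW,
     "ra-guard/,logon-control/,captiveportal/,v6-logon-control/,captiveportal6/", "User"),
    ("sys-ap-role", "10", BW, "sys-control/,sys-ap-acl/", "System (not editable)"),
]
SAMPLE = "RoleTable\n---------\n" + "\n".join(FMT.format(*r) for r in ROWS) + "\n"

if __name__ == "__main__":
    for name, (rtype, first) in roles_without_global_sacl(SAMPLE).items():
        print(f"{name:<12} type={rtype:<22} position 1 = {first or '(no ACLs)'}")
```

Splitting each row on runs of spaces would misread rows such as denyall, whose ACL List cell is empty; slicing by the ruler offsets keeps every column aligned.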



The Global-Sacl can be edited. The example below permits all intranet traffic but denies youtube and bittorrent for all user-created roles.

(Abilash-Lab-Cont-master-6.4) (config) #ip access-list session global-sacl
(Abilash-Lab-Cont-master-6.4) (config-sess-global-sacl)#any any app intranet permit
(Abilash-Lab-Cont-master-6.4) (config-sess-global-sacl)#any any app youtube deny
(Abilash-Lab-Cont-master-6.4) (config-sess-global-sacl)#any any app bittorrent deny
(Abilash-Lab-Cont-master-6.4) (config-sess-global-sacl)#exit
(Abilash-Lab-Cont-master-6.4) (config) #write mem
Saving Configuration...

Configuration Saved.

(Abilash-Lab-Cont-master-6.4) (config) #exit
(Abilash-Lab-Cont-master-6.4) #show ip access-list global-sacl

ip access-list session global-sacl
global-sacl
-----------
Priority  Source  Destination  Service  Application     Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------     ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any                   app intranet    permit                           Low                                                           4
2         any     any                   app youtube     deny                             Low                                                           4
3         any     any                   app bittorrent  deny                             Low                                                           4




(Abilash-Lab-Cont-master-6.4) #
