Q:
How do we verify if scanning is being paused in Aruba Instant?
A:
"Disable Scanning" is an option present in the user-role which stops ARM from scanning when the configured acl is hit.
84:d4:7e:c3:d9:02# show access-rule IAP-SSID
Access Rules
------------
Dest IP Dest Mask Eth Type Dest Match Protocol (id:sport:eport) Application Action Log TOS 802.1P Blacklist App Throttle (Up:Down) Mirror DisScan ClassifyMedia
------- --------- -------- ---------- ------------------------- ----------- ------ --- --- ------ --------- ---------------------- ------ ------- -------------
any any IPv4/6 match sips permit Yes Yes
any any IPv4/6 match any permit
Vlan Id :0
ACL Captive Portal:disable
ACL ECP Profile :default
CALEA :disable
DPI error page URL:
Bandwidth Limit :downstream disable upstream disable
84:d4:7e:c3:d9:02# show clients
Client List
-----------
Name IP Address MAC Address OS ESSID Access Point Channel Type Role Signal Speed (mbps)
---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------ ------------
khils-iPhone 172.31.98.146 d8:1d:72:7d:75:67 IAP-SSID 84:d4:7e:c3:d9:02 36E AC IAP-SSID 11(poor) 195(good)
Number of Clients :1
Info timestamp :3136
84:d4:7e:c3:d9:02# show datapath user
Datapath User Table Entries
---------------------------
Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM
R - ProxyARP to User, N - VPN, L - local, I - Intercept, D - Deny local routing
FM(Forward Mode): S - Split, B - Bridge, N - N/A
IP MAC ACLs Contract Location Age Sessions Flags Vlan FM MediaSessCnt
--------------- ----------------- ------- --------- -------- ----- --------- ----- ---- -- ------------
0.0.0.0 84:D4:7E:C3:D9:02 105/0 0/0 0 0 2/65535 P 1 N 0
0.0.0.0 D8:1D:72:7D:75:67 136/0 0/0 0 0 0/65535 P 3333 B 0
10.17.169.93 84:D4:7E:C3:D9:02 105/0 0/0 0 0 2/65535 P 1 N 0
172.31.98.146 D8:1D:72:7D:75:67 136/0 0/0 0 0 5/65535 3333 B 0
172.31.98.1 84:D4:7E:C3:D9:02 105/0 0/0 0 0 0/65535 P 3333 B 0
84:d4:7e:c3:d9:02# show datapath acl 136
Datapath ACL 136 Entries
-----------------------
Flags: P - permit, L - log, E - established, M/e - MAC/etype filter
S - SNAT, D - DNAT, R - redirect, r - reverse redirect m - Mirror
I - Invert SA, i - Invert DA, H - high prio, O - set prio, C - Classify Media
A - Disable Scanning, B - black list, T - set TOS, t - time based, o - tunnel only
K - App Throttle, s - Domain SA, d - Domain DA, 4 - IPv4, 6 - IPv6
----------------------------------------------------------------
1: any any 17 0-65535 8209-8211 P4
2: 172.31.98.0 255.255.254.0 172.31.98.0 255.255.254.0 6 0-65535 5061-5061 PCA4
3: 172.31.98.0 255.255.254.0 224.0.0.0 224.0.0.0 6 0-65535 5061-5061 PCA4
4: 172.31.98.0 255.255.254.0 any 6 0-65535 5061-5061 10.17.169.93 PSCA4
5: any any 6 0-65535 5061-5061 PCA4
6: 172.31.98.0 255.255.254.0 172.31.98.0 255.255.254.0 any P4
7: 172.31.98.0 255.255.254.0 224.0.0.0 224.0.0.0 any P4 hits 1
8: 172.31.98.0 255.255.254.0 any any 10.17.169.93 PS4 hits 16
9: any any any P4
10: any any any Pe4 hits 1
When traffic hits the acl we can see "hits" increasing.
84:d4:7e:c3:d9:02# show datapath acl 136
Datapath ACL 136 Entries
-----------------------
Flags: P - permit, L - log, E - established, M/e - MAC/etype filter
S - SNAT, D - DNAT, R - redirect, r - reverse redirect m - Mirror
I - Invert SA, i - Invert DA, H - high prio, O - set prio, C - Classify Media
A - Disable Scanning, B - black list, T - set TOS, t - time based, o - tunnel only
K - App Throttle, s - Domain SA, d - Domain DA, 4 - IPv4, 6 - IPv6
----------------------------------------------------------------
1: any any 17 0-65535 8209-8211 P4
2: 172.31.98.0 255.255.254.0 172.31.98.0 255.255.254.0 6 0-65535 5061-5061 PCA4 hits 18
3: 172.31.98.0 255.255.254.0 224.0.0.0 224.0.0.0 6 0-65535 5061-5061 PCA4
4: 172.31.98.0 255.255.254.0 any 6 0-65535 5061-5061 10.17.169.93 PSCA4
5: any any 6 0-65535 5061-5061 PCA4 hits 10
6: 172.31.98.0 255.255.254.0 172.31.98.0 255.255.254.0 any P4 hits 11
7: 172.31.98.0 255.255.254.0 224.0.0.0 224.0.0.0 any P4 hits 12
8: 172.31.98.0 255.255.254.0 any any 10.17.169.93 PS4 hits 778
9: any any any P4 hits 5
10: any any any Pe4 hits 14
84:d4:7e:c3:d9:02# show aps scanning
AP Scanning Stats
-----------------
Name IP Address 2.4 Reqs 2.4 Voice Rejs 2.4 Video Rejs 5.0 Reqs 5.0 Voice Rejs 5.0 Video Rejs
---- ---------- -------- -------------- -------------- -------- -------------- --------------
84:d4:7e:c3:d9:02 10.17.169.93 418 1 0 408 4 0
84:d4:7e:c3:d9:02# show ap debug radio-stats 0 | include Voice
Voice aware Scan Rejects 4
The value "4" represents that 4 times the Scanning was deferred from happening. Scan Interval is 10 seconds for both the radios.