How to configure and use AppRF in Aruba Instant?

Aruba Employee

Introduction:

AppRF gives the network administrator application-level control over client traffic. Instead of matching only on IP addresses and ports, the Instant AP classifies each flow by application (for example YouTube or Facebook) or by application category using deep packet inspection, and the role ACL can then permit, deny or throttle that traffic.

 

Feature Notes:

This feature, known as AppRF 2.0 in ArubaOS, is available on Instant APs from Instant OS 4.1 onwards.

 

Environment:

AppRF is useful where the source or destination IP of the traffic to be controlled is dynamic, as is the case for most web traffic. A traditional static ACL keyed on addresses and ports is not effective there, while an application-based rule still matches the flow.

 

Network Topology:

Internet ========= IAP Swarm )))))) Client

 

Configuration Steps:

1. Create an SSID, say Corp-SSID.
2. Select suitable VLAN and Security options.
3. In the "Access" section, change the Access control option to "Role based" or "Network based".
4. a. Choose either "Application" or "Application category" to make use of AppRF. For "Application", pick the application you want to control and the action to apply. In this example we searched for YouTube and selected the various traffic patterns associated with it (they appear as separate DPI apps, such as youtube and youtube-hd, in the resulting ACL).
   b. Under AppRF you can also choose the "Action" and bandwidth control under "Application Throttling". Once Application Throttling is chosen, the allowed upstream and downstream bandwidth can be set.
   c. Rules can also be made based on "Application category" in the same way.
 
Verification:

The newly created role can be verified both in the GUI and in the CLI.

The ACLs in the role can be seen under Security > Roles. Rules are evaluated top to bottom, so keep the application rules above any broad "allow any" rule, otherwise the AppRF rule is never reached.

The same rules can also be viewed from the CLI.

Troubleshooting:

First check that the client has been assigned the correct role; the Role column of show clients should show Corp-SSID:

18:64:72:c8:20:16#   sho clients

Client List
-----------
Name      IP Address     MAC Address        OS     Network    Access Point       Channel  Type  Role       Signal    Speed (mbps)
----      ----------     -----------        --     -------    ------------       -------  ----  ----       ------    ------------
aruba-PC  10.17.164.141  a4:4e:31:75:0b:fc  Win 7  Corp-SSID  18:64:72:c2:43:84  52+      AN    Corp-SSID  46(good)  270(good)
Number of Clients   :1
Info timestamp      :11789
18:64:72:c8:20:16#



When the client tries to reach YouTube, the datapath session table shows the flows being dropped: the sessions from 10.17.164.141 to 74.125.236.34 on port 80 carry the D (deny) flag together with C (client), which means the AppRF rule matched and denied them. Sessions without D, such as the SSDP and NetBIOS rows, are passing normally.

18:64:72:c2:43:84# show datapath session
Datapath Session Table Entries

------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       I - Deep inspect, U - Locally destined
       s - media signal, m - media mon, a - rtp analysis
       E - Media Deep Inspect, G - media signal
       A - Application Firewall Inspect
RAP Flags: 0 - Q0, 1 - Q1, 2 - Q2, r - redirect to master

Source IP         Destination IP  Prot SPort Dport Cntr Prio ToS Age Destination TAge  Flags
----------------  --------------  ---- ----- ----- ---- ---- --- --- ----------- ---- -----
10.17.164.83      10.17.164.143   6    22    65014 0    0    4   0   dev3        86
10.17.164.200     224.0.0.18      112  0     0     0    0    4   0   dev3        db6f FC
10.17.164.143     10.17.164.83    6    65014 22    0    0    0   0   dev3        86   C
A4:4E:31:75:0B:FC               0806             0    0    0   0   dev12       50   F
10.17.164.143     239.255.255.250 17   49540 1900  0    0    0   0   dev3        139  FC
10.17.164.141     239.255.255.250 17   57332 1900  0    0    24  0   dev12       1d   FC
10.17.164.141     74.125.236.34   6    52863 80    0    0    24  0   dev12       d    FDC
10.17.164.141     74.125.236.34   6    52862 80    0    0    24  0   dev12       d    FDC
10.17.164.254     10.17.164.141   1    41985 1280  0    0    0   0   dev3        d    FDYC
10.17.164.83      10.17.164.145   17   8211  8211  0    0    0   0   local       dbb2 FC
10.17.164.145     10.17.164.83    17   8211  8211  0    0    0   0   local       dbb2 F
74.125.236.34     10.17.164.141   6    80    52863 0    0    0   0   dev12       d    FD
74.125.236.34     10.17.164.141   6    80    52862 0    0    0   0   dev12       d    FD
10.17.164.255     10.17.164.143   17   137   137   0    0    0   1   dev3        2d   FY
10.17.164.143     10.17.164.255   17   137   137   0    0    0   1   dev3        2d   FC
18:64:72:c2:43:84#

The hit counters on the role ACL confirm which rule actually matched. The ACL ID (136 in this example) is the one assigned to the role on that AP, so substitute your own. Here rule 2 (youtube, deny) shows 23 hits while rule 4 (facebook, permit with throttling) shows 27; a deny rule with zero hits while the client is still reaching the application usually means the traffic is being classified as a different DPI app or is matching an earlier rule:

18:64:72:c2:43:84# sho datapath acl-rule-detail 136
ACL 136 Content:
-----------------------
Rule 1
----------
Version        : IPv4
Match Method   : match
  Source       : ANY port 0-65535
  Destination  : ANY port 8209-8211|unknown
  Protocol     : udp
Action         : permit
Options        : -
AP Group       : 0
Stat           : hits 0

Rule 2
----------
Version        : IPv4
Match Method   : match
  Source       : ANY port 0-65535
  Destination  : ANY port 8209-8211|unknown
  DPI App  : app youtube
Action         : deny
Options        : -
AP Group       : 0
Stat           : hits 23


Rule 3
----------
Version        : IPv4
Match Method   : match
  Source       : ANY port 0-65535
  Destination  : ANY port 8209-8211|unknown
  DPI App  : app youtube-hd
Action         : deny
Options        : -
AP Group       : 0
Stat           : hits 0

Rule 4
----------
Version        : IPv4
Match Method   : match
  Source       : ANY port 0-65535
  Destination  : ANY port 8209-8211|unknown
  DPI App  : app facebook
Action         : permit
Options        : throttle-upstream 9 throttle-downstream 10
AP Group       : 0
Stat           : hits 27
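As an added example (not code from the original article), the following Python script ties the configuration steps above to this troubleshooting output: it renders the Corp-SSID policy as Instant CLI access-rule lines, parses the show datapath acl-rule-detail and show datapath session output, checks that the installed DPI rules and their actions match the intended policy, and lists the sessions the firewall denied. The ACL and session text inside the script are trimmed copies of the output above. The rule any any match app ... CLI syntax is an assumption about Instant's access-rule command, and the ACL number, role name and throttle values are specific to this example.

```python
"""Added example, not part of the original article: check what AppRF is
actually enforcing from the Instant CLI output shown above.
ACL_DETAIL and SESSION_TABLE are trimmed copies of the article's
'show datapath acl-rule-detail 136' and 'show datapath session' output.
render_instant_cli() assumes the 'rule any any match app <name> {permit|deny}
[throttle-upstream N throttle-downstream N]' syntax; verify it for your release.
"""
import re

# Intended policy from the configuration steps:
# app -> (action, (throttle-upstream, throttle-downstream) or None).
POLICY = {"youtube": ("deny", None), "facebook": ("permit", (9, 10))}

ACL_DETAIL = """\
ACL 136 Content:
Rule 2
  DPI App  : app youtube
Action         : deny
Options        : -
Stat           : hits 23

Rule 4
  DPI App  : app facebook
Action         : permit
Options        : throttle-upstream 9 throttle-downstream 10
Stat           : hits 27
"""

SESSION_TABLE = """\
Source IP         Destination IP  Prot SPort Dport Cntr Prio ToS Age Destination TAge  Flags
10.17.164.83      10.17.164.143   6    22    65014 0    0    4   0   dev3        86
A4:4E:31:75:0B:FC               0806             0    0    0   0   dev12       50   F
10.17.164.141     74.125.236.34   6    52863 80    0    0    24  0   dev12       d    FDC
10.17.164.141     74.125.236.34   6    52862 80    0    0    24  0   dev12       d    FDC
10.17.164.254     10.17.164.141   1    41985 1280  0    0    0   0   dev3        d    FDYC
74.125.236.34     10.17.164.141   6    80    52863 0    0    0   0   dev12       d    FD
"""


def parse_acl_detail(text):
    """Return one dict per 'Rule N' block: rule, app, action, throttle, hits."""
    rules = []
    for block in re.split(r"\n(?=Rule \d+)", text):
        head = re.match(r"Rule (\d+)", block)
        if not head:
            continue  # the "ACL 136 Content:" banner
        rule = {"rule": int(head.group(1)), "app": None, "action": None, "throttle": None, "hits": 0}
        for line in block.splitlines():
            key, _, val = (s.strip() for s in line.partition(":"))
            if key == "DPI App":          # "app youtube" -> "youtube"
                rule["app"] = val.split()[-1]
            elif key == "Action":
                rule["action"] = val
            elif key == "Options":
                m = re.search(r"throttle-upstream (\d+) throttle-downstream (\d+)", val)
                rule["throttle"] = (int(m.group(1)), int(m.group(2))) if m else None
            elif key == "Stat":
                rule["hits"] = int(re.search(r"hits (\d+)", val).group(1))
        rules.append(rule)
    return rules


def check_policy(rules, policy):
    """Describe every way the installed DPI rules differ from the intended policy."""
    by_app = {r["app"]: r for r in rules if r["app"]}
    problems = []
    for app, (action, throttle) in policy.items():
        r = by_app.get(app)
        if r is None:
            problems.append(f"{app}: no DPI rule in ACL")
        elif r["action"] != action:
            problems.append(f"{app}: action {r['action']}, expected {action}")
        elif r["throttle"] != throttle:
            problems.append(f"{app}: throttle {r['throttle']}, expected {throttle}")
    return problems


def denied_sessions(text, src_ip=None):
    """(src, dst, proto, dport, flags) for rows whose Flags contain D (deny).
    Header lines and L2 rows (MAC address in the first column) are skipped."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", f[0]):
            continue
        flags = f[11] if len(f) > 11 else ""  # Flags column is empty on some rows
        if "D" in flags and (src_ip is None or f[0] == src_ip):
            out.append((f[0], f[1], f[2], f[4], flags))
    return out


def render_instant_cli(role, policy):
    """Instant CLI lines equivalent to the GUI steps (assumed syntax, see top)."""
    lines = [f"wlan access-rule {role}"]
    for app, (action, throttle) in policy.items():
        rule = f" rule any any match app {app} {action}"
        if throttle:
            rule += f" throttle-upstream {throttle[0]} throttle-downstream {throttle[1]}"
        lines.append(rule)
    return lines


if __name__ == "__main__":
    rules = parse_acl_detail(ACL_DETAIL)
    print("mismatches:", check_policy(rules, POLICY) or "none")
    print("denied from client:", denied_sessions(SESSION_TABLE, "10.17.164.141"))
    print("\n".join(render_instant_cli("Corp-SSID", POLICY)))
```

In a real swarm, feed the script the live output of the two show commands for your own ACL ID rather than the embedded text; an empty mismatch list plus D-flagged sessions from the client to the application's servers is the evidence that the role is both installed as intended and being hit.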
 
 

 

Version history
Revision #: 1 of 1
Last update: 11-10-2014 03:35 AM