Introduction-
- Stateless ACLs were introduced on the MAS as a complement to session ACLs on the controller
- Actions such as blacklist, time-range, position and log are supported in stateless ACLs
- A qos-profile and a policer-profile can be attached to a stateless ACL
- The following options are supported for defining the ACL:
- alias : Match addresses defined in the alias
- any : Match any IPv4 source traffic
- host : Match a single IPv4 host address
- network : Match an IPv4 subnet
Environment- No special environment applied to this configuration
Network Topology- Network Topology is not applied to this config.
Configuration Steps- Configuration
Create Stateless ACL
(MAS3500) (config) #ip access-list stateless stateless_acl1
(MAS3500) (config-stateless-stateless_acl1)#host 192.168.1.1 network 10.1.1.0 255.255.255.0 svc-http permit
(MAS3500) (config-stateless-stateless_acl1)#any any udp 53 deny
Apply ACL in Ingress direction on an interface
(MAS3500) (config) #interface gigabitethernet 0/0/0
(MAS3500) (gigabitethernet "0/0/0") #ip access-group in stateless_acl1
Apply ACL in Egress direction on an interface
(MAS3500) (config) #interface gigabitethernet 0/0/0
(MAS3500) (gigabitethernet "0/0/0") #ip access-group out stateless_acl1
Apply ACL to user-role
(MAS3500) (config) #user-role test
(MAS3500) (config-role) #access-list stateless stateless_acl1
(MAS3500) # show user-table
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type
---------- ----------------------- --------- ------ --------------- ------ ------------ ----------- ----------- --------------------- -------- ------------ ----
192.168.1.1 00:01:05:00:03:00 test 00:00:09 0/0/0 Wired p1 tunnel
User Entries: 1/1
(MAS3500) # show rights test
Derived Role = 'test'
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 41/0/42 <<<<<ACL number is 42
Max Sessions = 65535
access-list List
----------------
Position Name Type Location
----------- -------- ------------ --------
1 stateless_acl1 stateless
stateless_acl1
--------------
Priority Source Destination Service Action TimeRange Log Expired QoS Policer Blacklist Mirror IPv4
---------- --------- ----------- ---- ----------- -------- -------------- ----- ---------- ----- ---------- ----------- -------- ----
1 192.168.1.1 10.1.1.0 255.255.255.0 svc-http permit 4
2 any any udp 53 deny 4
Expired Policies (due to time constraints) = 0
(MAS3500) #show acl acl-table
AclTable
--------
ACL Type ACE Index Rule Count Ace Count Name Applied
----- ------ ------------- -------------- ------------- -------- ---------
1 role 0 0 1 logon 0
2 role-stateless 86 4 5 logon 0
……….
40 stateless 248 2 3 stateless_acl1 1 <<<<<<<<<<<<<<<<<<<< ACL Index=40
(MAS3500) #show acl acl-table | include stateless_acl1
40 stateless 248 2 3 stateless_acl1 1
Stateless ACL on MAS
Uni-directional –
ACL rules govern traffic in forward direction.
Traffic in reverse direction is unconditionally permitted.
Network classification options supported:
(ArubaS2500-48P-US) (config-stateless-ACLList)#?
alias Match a IPv4 network resource
any Match any IPv4 source traffic
host Match a single IPv4 host address
network Match IPv4 subnet
no Delete Command
Actions supported:
(ArubaS2500-48P-US) (config-stateless-ACLList)#any any any ?
deny Specify packets to reject
permit Specify packets to forward
Extended actions supported:
(ArubaS2500-48P-US) (config-stateless-ACLList)#any any any permit ?
blacklist Blacklist user if ACL gets applied
log Log if ACL gets applied
policer-profile Apply Policer profile
position Filter position. Default is last. 1 is first.
qos-profile Apply QoS profile
time-range Configure time range
<cr>
Session ACL on Controller
Bi-directional –
ACL rules govern the traffic in forward & reverse direction.
Network classification options supported:
(Aruba650) (config-sess-ACLList)#?
alias Match a IPv4 network resource
any Match any IPv4 source traffic
host Match a single IPv4 host address
ipv6 IPv6 Session filter
localip Match traffic from local IP address
network Match IPv4 subnet
user Match traffic from IPv4 source user
Actions supported:
(Aruba650) (config-sess-ACLList)#any any any ?
deny Specify packets to reject
dst-nat Perform destination NAT on packets
dual-nat Perform both source and destination NAT on packets
permit Specify packets to forward
redirect Redirect packets
route Route packets
src-nat Perform source NAT on packets
Extended actions supported:
(Aruba650) (config-sess-ACLList)#any any any permit ?
blacklist Blacklist user if ACL gets applied
classify-media Starts monitoring users all untagged (IP DSCP) UDP
disable-scanning Pause ARM scanning while traffic is present
dot1p-priority Assign 802.1p priority
log Log if ACL gets applied
mirror Mirror all session packets to datapath or remote destination
position Filter position. Default is last. 1 is first.
queue Assign queue priority of the flow
time-range Configure time range
tos Set TOS in IPv4 header
<cr>
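To make the directional difference concrete, here is an added example (not Aruba code) that parses the two stateless_acl1 rule lines configured above and evaluates packets under the semantics described in this section: first match in position order, forward direction evaluated, and the reverse direction unconditionally permitted for the MAS stateless ACL versus governed by the forward verdict for the controller session ACL. The svc-http expansion to tcp/80 and the implicit trailing deny are assumptions.

```python
import ipaddress

# Assumed expansion of the named service used on the page (svc-http = tcp/80).
SERVICE_ALIASES = {"svc-http": ("tcp", 80)}

def _take_addr(toks, i):
    """Consume one src/dst classifier at toks[i]; returns (network, next index).
    None stands for 'any'. 'host' becomes a /32, 'network A.B.C.D MASK' a prefix."""
    if toks[i] == "any":
        return None, i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1]), i + 2
    if toks[i] == "network":
        return ipaddress.ip_network(f"{toks[i + 1]}/{toks[i + 2]}", strict=False), i + 3
    raise ValueError(f"classifier {toks[i]!r} not modelled here (e.g. alias)")

def parse_rule(line):
    """Parse one config-stateless rule line such as 'any any udp 53 deny'."""
    toks = line.split()
    src, i = _take_addr(toks, 0)
    dst, i = _take_addr(toks, i)
    if toks[i] in SERVICE_ALIASES:
        proto, port = SERVICE_ALIASES[toks[i]]
        i += 1
    elif toks[i] == "any":
        proto, port = "any", None
        i += 1
    else:                                   # explicit '<proto> <port>'
        proto, port = toks[i], int(toks[i + 1])
        i += 2
    return {"src": src, "dst": dst, "proto": proto, "dport": port, "action": toks[i]}

def _match(rule, pkt):
    return ((rule["src"] is None or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"])
            and rule["proto"] in ("any", pkt["proto"])
            and rule["dport"] in (None, pkt["dport"]))

def evaluate(rules, pkt, default="deny"):
    """First match in position order wins; an implicit trailing deny is assumed."""
    for rule in rules:
        if _match(rule, pkt):
            return rule["action"]
    return default

def stateless_verdict(rules, fwd_pkt, reverse=False):
    """MAS stateless ACL: forward direction is evaluated, reverse is unconditionally permitted."""
    return "permit" if reverse else evaluate(rules, fwd_pkt)

def session_verdict(rules, fwd_pkt, reverse=False):
    """Controller session ACL: the forward flow's verdict governs both directions."""
    return evaluate(rules, fwd_pkt)

# The two rules the page configures under stateless_acl1.
STATELESS_ACL1 = [parse_rule("host 192.168.1.1 network 10.1.1.0 255.255.255.0 svc-http permit"),
                  parse_rule("any any udp 53 deny")]
```

Because the stateless ACL never inspects the reverse direction, return-path traffic on the MAS must be filtered with a separate egress ACL if it needs to be controlled.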
Stateless ACL on MAS
- An ACL can be associated with a port in the Ingress or Egress direction
(S2500-48P) (gigabitethernet "0/0/0") # ip access-group ?
in Add/Delete ingress access-control-list
out Add/Delete egress access-control-list
(S2500-48P) (gigabitethernet "0/0/0") #ip access-group in ACLList
(S2500-48P) (gigabitethernet "0/0/0") #ip access-group out ACLList
- Router ACLs and VLAN ACLs are not supported.
- The following ACL types can be associated with a user-role:
(S2500-48P) (config-role) #access-list ?
eth Apply Ethertype access-list
mac Apply MAC access-list
stateless Apply stateless access-list
Session ACL on controller
An ACL can be associated with a port in the Ingress or Egress direction:
(Aruba650) (config-if)#ip access-group ACLList ?
in Apply access-list to interface's inbound traffic
out Apply access-list to interface's outbound traffic
session Apply session access-list to interface or Vlan
An ACL can be associated with a VLAN:
(Aruba650) (config-if)#ip access-group ACLList session ?
vlan Apply session access-list to Vlan
<cr>
The following ACL types can be associated with a user-role:
(Aruba650) (config-role) #access-list ?
eth Apply Ethertype access-list
mac Apply MAC access-list
session Apply session access-list
Answer- The configuration above shows the difference between the stateless ACL configuration on the MAS and the session ACL configuration on the controller.
Verification- The following commands help verify and confirm that the ACL is being hit on the controller.
- show acl hits
- show rights
- show acl acl-table
- show datapath acl <acl number>
- show ip access-list brief
- show ip access-group
Troubleshooting- The following commands help with troubleshooting.
- show datapath session
- show acl hits
- show datapath acl
- show rights
- show user
- controller and MAS uplink port mirroring