Article applies to 7.4.0.0 and above.
As of release 7.3.0.0, MAS supported Session ACLs on a user role only. That limited them to untrusted users on the switch; in addition, all non-user-based ACLs to date are either ingress or egress based.
To extend the advantages and actions of Session ACLs (NATting, redirect to a tunnel, and their bidirectional, dynamic and stateful properties) to trusted ports and non-users as well, the application of Session ACLs on an RVI (routed VLAN interface) has been introduced.
Starting with 7.4.0.0, trusted ports and non-users can communicate through Session ACLs applied on an RVI; these are implemented in software.
NAT pools are now also supported, and a configured NAT pool can be used through a Session ACL.
Network Topology:
A Session ACL can be configured on the CLI as follows,
- In the example below, the first rule shows how the ACL is used to allow only SSH to the switch remotely from a specific host, while all other traffic is blocked
- The second rule source-NATs all UDP 69 (TFTP) traffic coming from a particular network to the switch
(ArubaS3500) (config) #ip access-list session session_acl
(ArubaS3500) (config-sess-session_acl)#host 35.35.35.253 host 192.168.2.2 svc-ssh permit position 1
(ArubaS3500) (config-sess-session_acl)#network 30.30.30.0 255.255.255.0 any udp 69 src-nat position 2
The configured session ACL can be applied to an RVI as follows,
(ArubaS3500) (config) #interface vlan 30
(ArubaS3500) (config-sess-session_acl)#ip access-group session session_acl
Command to dump the configured session ACL,
show ip access-list <name>
(ArubaS3500) #show ip access-list session_acl
ip access-list session session_acl
session_acl
-----------
Priority  Source                    Destination  Service  Action   Queue  TOS  IPv4/6
--------  ------                    -----------  -------  ------   -----  ---  ------
1         35.35.35.253              192.168.2.2  svc-ssh  permit   Low         4
2         30.30.30.0 255.255.255.0  any          udp 69   src-nat  Low         4
Command to dump the ACLs attached to an interface vlan,
show interface-config vlan 30
(Pavs_stk) #show interface-config vlan 30
vlan "30"
---------
Parameter               Value
---------               -----
Interface description   N/A
Interface OSPF profile  N/A
Interface PIM profile   N/A
Session-processing      Disabled
IP Address              30.30.30.1/255.255.255.0
IP NAT Inside           Disabled
IP NAT Outside          Disabled
DHCP client             Disabled
DHCP relay profile      N/A
Ingress ACL             N/A
Egress ACL              N/A
Session ACL             session_acl
To check session creation,
#show datapath session
Command to fetch the ACL id,
show acl acl-table
Use the ACL name to look it up in the ACL table,
show acl acl-table | include <name>
To check session ACL hits, use the session ACL id,
show datapath acl <acl-id>
To check the ACL hits for hardware-forwarded traffic,
show datapath dpe acl hits <acl-id> slot <id>
- If a session is not created, check that the ACL is correctly applied on the RVI using,
#show interface-config vlan <vlan-id>
- Verify that the traffic is intended to go via software (sessions are not created for hardware-forwarded traffic)
- Increase the session-idle timeout to a higher value to make sure that the created session has not been deleted; check the current value with,
#show firewall
- For traffic getting dropped, check whether the interface has a port ACL present that is denying the traffic,
#show interface-config gigabitethernet <>
- Check which ACE is getting hit; if none of the rules match, the "implicit-deny" rule is hit, which drops all traffic,
#show datapath acl <acl-id> or show datapath dpe acl hits <acl-id> slot <id>
- Reverse traffic matching a forward rule is allowed only when the session is present and is active,
#show datapath session
Check whether the policy has expired using,
show ip access-list <name>
Check the security logs for session ACL logs,
show log security all
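As an added example that is not part of this article or of ArubaOS, the following Python models the stateful session-ACL behaviour the troubleshooting steps above rely on (first match by position, implicit deny, session creation, reverse traffic permitted only while a session is active, and src-nat rewriting), using the two rules configured earlier. The NAT address, idle timeout and packet values are constructed for illustration.

```python
# Added example, not from the Aruba article: a minimal model of a stateful
# session ACL built from the two rules configured above. Shows first match by
# position, the implicit deny, session creation on a forward match, reverse
# traffic permitted only while the session is active, and src-nat rewriting.
import ipaddress

NAT_ADDR = "30.30.30.1"  # constructed: RVI address standing in for the NAT pool


class Rule:
    def __init__(self, position, src, dst, proto, dport, action):
        self.position, self.action = position, action
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        self.proto, self.dport = proto, dport

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and pkt["proto"] == self.proto and pkt["dport"] == self.dport)


# The session ACL from the article; "any" is 0.0.0.0/0 and svc-ssh is tcp/22.
SESSION_ACL = sorted([
    Rule(1, "35.35.35.253/32", "192.168.2.2/32", "tcp", 22, "permit"),
    Rule(2, "30.30.30.0/24", "0.0.0.0/0", "udp", 69, "src-nat"),
], key=lambda r: r.position)


class SessionTable:
    def __init__(self, idle_timeout=15):  # seconds, like firewall session-idle-timeout
        self.idle_timeout = idle_timeout
        self.sessions = {}  # post-NAT forward 5-tuple -> {"last": t, "orig_src": ip}

    def evaluate(self, pkt, now):
        """Return (verdict, packet as forwarded, rule position or state that was hit)."""
        rev = (pkt["dst"], pkt["src"], pkt["proto"], pkt["dport"], pkt["sport"])
        sess = self.sessions.get(rev)
        if sess is not None:
            if now - sess["last"] <= self.idle_timeout:  # active session: allow the reply
                sess["last"] = now
                return "permit", dict(pkt, dst=sess["orig_src"]), "session"  # undo src-nat
            del self.sessions[rev]  # idled out: the reply must now match a rule on its own
        for rule in SESSION_ACL:    # first match by position
            if rule.matches(pkt):
                out = dict(pkt)
                if rule.action == "src-nat":
                    out["src"] = NAT_ADDR
                key = (out["src"], out["dst"], out["proto"], out["sport"], out["dport"])
                self.sessions[key] = {"last": now, "orig_src": pkt["src"]}
                return rule.action, out, rule.position
        return "deny", pkt, "implicit-deny"
```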