How to configure Stateless vs. Session ACLs on MAS and Controller

Introduction- 

  • Stateless ACLs were introduced on the MAS as a complement to the session ACLs on the controller
  • Actions like blacklist, time-range, position and log are supported in stateless ACLs
  • A qos-profile and a policer-profile can be attached to a stateless ACL
  • The following options are supported for defining the ACL:
    • alias    : Match addresses defined in the alias
    • any      : Match any IPv4 source traffic
    • host     : Match a single IPv4 host address
    • network  : Match an IPv4 subnet

Environment- No special environment applies to this configuration.

Network Topology- Network topology is not applicable to this configuration.

Configuration Steps-

Create Stateless ACL
(MAS3500) (config) #ip access-list stateless stateless_acl1
(MAS3500) (config-stateless-stateless_acl1)#host 192.168.1.1 network 10.1.1.0 255.255.255.0 svc-http permit
(MAS3500) (config-stateless-stateless_acl1)#any any udp 53 deny
 
Apply ACL in Ingress direction on an interface
(MAS3500) (config) #interface  gigabitethernet 0/0/0
(MAS3500) (gigabitethernet "0/0/0") #ip access-group in stateless_acl1
 
Apply ACL in Egress direction on interface
(MAS3500) (config) #interface  gigabitethernet 0/0/0
(MAS3500) (gigabitethernet "0/0/0") #ip access-group out stateless_acl1
 
Apply ACL to user-role
(MAS3500) (config) #user-role test
(MAS3500) (config-role) #access-list stateless stateless_acl1
 
(MAS3500) # show user-table
Users
-----
    IP                    MAC                          Name     Role       Age(d:h:m)  Auth  VPN link    AP name  Roaming   Essid/Bssid/Phy  Profile  Forward mode  Type
----------          -----------------------       ---------    ------      ---------------   ------  ------------   -----------   -----------    ---------------------  --------  ------------  ----
192.168.1.1  00:01:05:00:03:00                      test       00:00:09                                     0/0/0       Wired                                       p1        tunnel

User Entries: 1/1

(MAS3500) # show rights test
Derived Role = 'test'
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 41/0/42                        <<<<<ACL number is 42
 Max Sessions = 65535
access-list List
----------------
Position    Name                     Type              Location
-----------    --------                    ------------       --------
1                 stateless_acl1      stateless

stateless_acl1
--------------
Priority  Source            Destination                      Service       Action     TimeRange    Log   Expired   QoS   Policer    Blacklist   Mirror   IPv4
----------  ---------            ----------- ----                      -----------     --------      --------------    -----  ----------   -----   ----------   -----------   --------   ----
1              192.168.1.1  10.1.1.0 255.255.255.0  svc-http     permit                                                                                                                   4
2              any                  any                                    udp 53       deny                                                                                                                      4
Expired Policies (due to time constraints) = 0
 
(MAS3500) #show acl acl-table
AclTable
--------
ACL  Type                   ACE Index    Rule Count      Ace Count        Name                     Applied
-----  ------                    -------------    --------------        -------------         --------                      ---------
1       role                     0                   0                       1                        logon                       0
2       role-stateless    86                 4                       5                        logon                       0
……….
40     stateless            248               2                       3                        stateless_acl1        1  <<<<<<<<<<<<<<<<<<<< ACL Index=40

(MAS3500) #show acl acl-table | include stateless_acl1
40     stateless            248               2                       3                        stateless_acl1        1


Stateless ACL on MAS
Uni-directional –
ACL rules govern traffic in the forward direction only.
Traffic in the reverse direction is unconditionally permitted.
Network classification options supported:
(ArubaS2500-48P-US) (config-stateless-ACLList)#?
alias                   Match a IPv4 network resource
any                     Match any IPv4 source traffic
host                    Match a single IPv4 host address
network             Match IPv4 subnet
no                       Delete Command
Actions supported:
(ArubaS2500-48P-US) (config-stateless-ACLList)#any any any ?
deny                    Specify packets to reject
permit                  Specify packets to forward
Extended actions supported:
(ArubaS2500-48P-US) (config-stateless-ACLList)#any  any  any  permit  ?
blacklist                Blacklist user if ACL gets applied
log                         Log if ACL gets applied
policer-profile     Apply Policer profile
position                Filter position. Default is last. 1 is first.
qos-profile           Apply QoS profile
time-range           Configure time range
<cr>
 
Session ACL on Controller
Bi-directional –
ACL rules govern traffic in both the forward and the reverse direction.
Network classification options supported:
(Aruba650) (config-sess-ACLList)#?
alias                   Match a IPv4 network resource
any                     Match any IPv4 source traffic
host                    Match a single IPv4 host address
ipv6                    IPv6 Session filter
localip                Match traffic from local IP address
network             Match IPv4 subnet
user                    Match traffic from IPv4 source user
Actions supported:
(Aruba650) (config-sess-ACLList)#any any any ?
deny                    Specify packets to reject
dst-nat                Perform destination NAT on packets
dual-nat              Perform both source and destination NAT on packets
permit                 Specify packets to forward
redirect                Redirect packets
route                   Route packets
src-nat                 Perform source NAT on packets
Extended actions supported:
(Aruba650) (config-sess-ACLList)#any any any permit ?
blacklist                    Blacklist user if ACL gets applied
classify-media         Starts monitoring users all untagged (IP DSCP) UDP
disable-scanning     Pause ARM scanning while traffic is present
dot1p-priority          Assign 802.1p priority
log                              Log if ACL gets applied
mirror                        Mirror all session packets to datapath or remote destination
position                     Filter position. Default is last. 1 is first.
queue                        Assign queue priority of the flow
time-range               Configure time range
tos                             Set TOS in IPv4 header
<cr>
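To make the uni-directional versus bi-directional distinction concrete, here is an added Python model (not code from the article or from Aruba) that runs the same constructed packets through a stateless filter and a session filter built from the article's two rules (host 192.168.1.1 to network 10.1.1.0/24 svc-http permit; any any udp 53 deny). It assumes that svc-http means tcp/80, that rules are evaluated first-match with an implicit deny at the end, and the Packet, StatelessAcl and SessionAcl names are the example's own. It models the behaviour described above, not the platform's datapath.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed rule set mirroring the two CLI lines in the article:
#   host 192.168.1.1 network 10.1.1.0 255.255.255.0 svc-http permit
#   any any udp 53 deny
# Assumptions: svc-http stands for tcp/80, rules are evaluated first-match,
# and an implicit "deny any any" closes the list.
RULES = [
    ("192.168.1.1/32", "10.1.1.0/24", "tcp", 80, "permit"),
    ("0.0.0.0/0",      "0.0.0.0/0",   "udp", 53, "deny"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def flow(self):
        """5-tuple identifying this packet's direction of the flow."""
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_flow(self):
        """5-tuple of the opposite direction of the same flow."""
        return (self.dst, self.src, self.proto, self.dport, self.sport)


def first_match(pkt, rules=RULES):
    """Return the action of the first rule the packet matches, else the implicit deny."""
    for src, dst, proto, dport, action in rules:
        if (ip_address(pkt.src) in ip_network(src)
                and ip_address(pkt.dst) in ip_network(dst)
                and pkt.proto == proto
                and pkt.dport == dport):
            return action
    return "deny"


class StatelessAcl:
    """MAS stateless ACL model: rules govern only the direction the ACL is applied in
    (forward); packets travelling in the reverse direction are permitted unconditionally."""

    def __init__(self, rules=RULES):
        self.rules = rules

    def decide(self, pkt, direction):
        if direction == "reverse":
            return "permit"
        return first_match(pkt, self.rules)


class SessionAcl:
    """Controller session ACL model: the first packet of a flow is matched against the
    rules and the decision is cached; later packets of the same flow in either direction
    reuse it, so only solicited return traffic gets through."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.sessions = {}

    def decide(self, pkt):
        for key in (pkt.flow(), pkt.reverse_flow()):
            if key in self.sessions:
                return self.sessions[key]
        action = first_match(pkt, self.rules)
        self.sessions[pkt.flow()] = action
        return action


def compare():
    """Run the same constructed traffic through both models and return the decisions."""
    web_request = Packet("192.168.1.1", "10.1.1.5", "tcp", 40000, 80)
    web_reply   = Packet("10.1.1.5", "192.168.1.1", "tcp", 80, 40000)
    unsolicited = Packet("10.1.1.9", "192.168.1.1", "tcp", 80, 50000)  # no prior request
    dns_query   = Packet("192.168.1.1", "10.1.1.53", "udp", 5353, 53)

    stateless = StatelessAcl()
    session = SessionAcl()
    return {
        "stateless": {
            "web_request": stateless.decide(web_request, "forward"),
            "web_reply":   stateless.decide(web_reply, "reverse"),
            "unsolicited": stateless.decide(unsolicited, "reverse"),
            "dns_query":   stateless.decide(dns_query, "forward"),
        },
        "session": {
            "web_request": session.decide(web_request),
            "web_reply":   session.decide(web_reply),
            "unsolicited": session.decide(unsolicited),
            "dns_query":   session.decide(dns_query),
        },
    }


if __name__ == "__main__":
    for model, results in compare().items():
        for name, verdict in results.items():
            print(f"{model:9s} {name:12s} {verdict}")
```

The unsolicited packet from 10.1.1.9 is the case to watch: the stateless model passes it because it travels in the reverse direction, while the session model denies it because no forward session exists. A stateless ACL that denies traffic in one direction therefore does not, on its own, stop the same kind of traffic arriving from the other side; apply the stateless ACL on the interface and direction where the traffic enters, or use a session ACL on the controller where bidirectional enforcement is required.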
 
Stateless ACL on MAS

  • An ACL can be associated with a port in the ingress or egress direction

(S2500-48P) (gigabitethernet "0/0/0") # ip access-group ?
in                      Add/Delete ingress access-control-list
out                     Add/Delete egress access-control-list
(S2500-48P) (gigabitethernet "0/0/0") #ip access-group in ACLList
(S2500-48P) (gigabitethernet "0/0/0") #ip access-group out ACLList

  • Router ACLs and VLAN ACLs are not supported.
  • The following ACL types can be associated with a user-role

(S2500-48P) (config-role) #access-list ?
eth                      Apply Ethertype access-list
mac                    Apply MAC access-list
stateless            Apply stateless access-list
 
 
Session ACL on controller

  • An ACL can be associated with a port in the ingress or egress direction

(Aruba650) (config-if)#ip access-group ACLList ?
in                         Apply access-list to interface's inbound traffic
out                      Apply access-list to interface's outbound traffic
session               Apply session access-list to interface or Vlan
 
  • An ACL can be associated with a VLAN
(Aruba650) (config-if)#ip access-group ACLList  session ?
vlan                    Apply session access-list to Vlan
<cr>
 
  • The following ACL types can be associated with a user-role
(Aruba650) (config-role) #access-list ?
eth                     Apply Ethertype access-list
mac                    Apply MAC access-list
session               Apply session access-list

 

 

Answer- The configuration above shows how a stateless ACL is configured on the MAS and how a session ACL is configured on the controller, and where the two differ.

Verification- The following commands verify that the ACL is applied and is being hit on the controller.

  • show acl hits 
  • show rights
  • show acl acl-table
  • show datapath acl <acl number>
  • show ip access-list brief
  • show ip access-group
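As an added example (not the article's own code), a Python helper that parses show acl acl-table output and checks that a named ACL is present, is applied and carries the expected number of rules. The sample output is the MAS3500 acl-table shown earlier in this article; the function names and the checks are this example's own, and the three findings it can report are assumptions about what a practitioner would want flagged.

```python
# Sample text copied from the article's "show acl acl-table" output on the MAS3500.
ACL_TABLE = """\
AclTable
--------
ACL  Type                   ACE Index    Rule Count      Ace Count        Name                     Applied
-----  ------                    -------------    --------------        -------------         --------                      ---------
1       role                     0                   0                       1                        logon                       0
2       role-stateless    86                 4                       5                        logon                       0
40     stateless            248               2                       3                        stateless_acl1        1
"""


def parse_acl_table(text):
    """Return one dict per data row; header and separator lines are skipped by shape."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly seven whitespace-separated fields and start with the ACL index.
        if len(parts) != 7 or not parts[0].isdigit():
            continue
        acl, acl_type, ace_index, rule_count, ace_count, name, applied = parts
        rows.append({
            "index": int(acl),
            "type": acl_type,
            "ace_index": int(ace_index),
            "rule_count": int(rule_count),
            "ace_count": int(ace_count),
            "name": name,
            "applied": applied == "1",
        })
    return rows


def find_acl(rows, name, acl_type):
    """Look up by name and type: name alone is ambiguous, since the 'role' and
    'role-stateless' rows in the sample are both called logon."""
    for row in rows:
        if row["name"] == name and row["type"] == acl_type:
            return row
    return None


def verify_acl(text, name, acl_type, configured_rules):
    """Return a list of findings; an empty list means acl-table agrees with the config."""
    row = find_acl(parse_acl_table(text), name, acl_type)
    if row is None:
        return [f"{acl_type} ACL {name} not present in acl-table"]
    findings = []
    if not row["applied"]:
        findings.append(f"{name} exists (index {row['index']}) but is not applied anywhere")
    if row["rule_count"] != configured_rules:
        findings.append(f"{name} has {row['rule_count']} rules in acl-table, expected {configured_rules}")
    return findings


if __name__ == "__main__":
    # stateless_acl1 was configured with two rules in the article.
    print(verify_acl(ACL_TABLE, "stateless_acl1", "stateless", configured_rules=2) or "OK")
    print(verify_acl(ACL_TABLE, "stateless_acl2", "stateless", configured_rules=2))
```

The index returned for stateless_acl1 (40 in the sample) is the value to pass to show datapath acl when checking the programmed entries; a non-empty findings list is the cue to go back to show rights and show ip access-group before looking at hit counters.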

Troubleshooting- The following commands and techniques help with troubleshooting.

  • show datapath session
  • show acl hits
  • show datapath acl
  • show rights
  • show user 
  • controller and MAS uplink port mirroring
Version history: Revision 1 of 1, last updated 04-02-2015 09:43 PM