How to configure session ACLs on RVI from MAS

Aruba Employee

Article applies to 7.4.0.0 and above 

Through the 7.3.0.0 releases, MAS supported Session ACLs on a user-role only, which limited them to untrusted users on the switch; also, as of today, all non-user ACLs are either ingress or egress based.

To extend the advantages and actions of Session ACLs (NATting, redirect to a tunnel, and their bidirectional, dynamic and stateful behaviour) to trusted ports and non-user traffic as well, the application of Session ACLs on an RVI (routed VLAN interface) has been introduced.

Starting with 7.4.0.0, traffic from trusted ports and non-users can be processed through Session ACLs on an RVI; this processing is implemented in software.

NAT pools are now supported as well, and a configured NAT pool can be referenced from a Session ACL.

 

Network Topology:


A Session ACL is configured from the CLI as follows:

  • In the example below, the first rule shows how the ACL allows only SSH to the switch from a specific remote host and blocks all other traffic
  • The second rule source-NATs all UDP port 69 (TFTP) traffic coming from a particular network to the switch

(ArubaS3500) (config) #ip access-list session session_acl

(ArubaS3500) (config-sess-session_acl)#host 35.35.35.253 host 192.168.2.2 svc-ssh permit position 1

(ArubaS3500) (config-sess-session_acl)#network 30.30.30.0 255.255.255.0 any udp 69 src-nat position 2

The configured session ACL can be applied to an RVI as follows,


(ArubaS3500) (config) #interface vlan 30
(ArubaS3500) (config-if)#ip access-group session session_acl


Command to dump the configured session ACL:

show ip access-list <name>

(ArubaS3500) #show ip access-list session_acl

 

ip access-list session session_acl

session_acl
-----------
Priority  Source                    Destination  Service  Action   Queue  TOS  IPv4/6
--------  ------                    -----------  -------  ------   -----  ---  ------
1         35.35.35.253              192.168.2.2  svc-ssh  permit   Low         4
2         30.30.30.0 255.255.255.0  any          udp 69   src-nat  Low         4


Command to dump the ACLs attached to an interface vlan:

show interface-config vlan 30

(Pavs_stk) #show interface-config vlan 30

vlan "30"
---------
Parameter                   Value
---------                   -----
Interface description       N/A
Interface OSPF profile      N/A
Interface PIM profile       N/A
Session-processing          Disabled
IP Address                  30.30.30.1/255.255.255.0
IP NAT Inside               Disabled
IP NAT Outside              Disabled
DHCP client                 Disabled
DHCP relay profile          N/A
Ingress ACL                 N/A
Egress ACL                  N/A
Session ACL                 session_acl



To check session creation:
#show datapath session

Command to fetch the ACL id:
show acl acl-table

Use the ACL name to look it up in the ACL table:
show acl acl-table | include <name>

To check session ACL hits, use the session ACL id:
show datapath acl <acl-id>

To check the ACL hits for hardware-forwarded traffic:
show datapath dpe acl hits <acl-id> slot <id>

  • If a session is not created, check that the ACL is correctly applied on the RVI using:

                #show interface-config vlan <vlan-id>

  • Verify that the traffic is intended to go via software (sessions are not created for hardware-forwarded traffic)
  • Increase the session-idle timeout to a higher value to make sure the created session has not been deleted; the current timeout is shown by:

                #show firewall

  • For traffic getting dropped, check whether the interface has a port ACL present that denies the traffic:

                #show interface-config gigabitethernet <>

  • Check which ACE is getting hit; if none of the rules match, the "implicit-deny" rule is hit, which drops all traffic:

                #show datapath acl <acl-id>   or   show datapath dpe acl hits <acl-id> slot <id>

  • Reverse traffic matching a forward rule is allowed only when the session is present and active:

                #show datapath session

Check whether the policy has expired using:
show ip access-list <name>
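The stateful behaviour the troubleshooting steps above rely on (rules evaluated in position order, an implicit deny when no ACE matches, return traffic permitted only while its session exists and has not idled out) is modelled in the following added Python example. This is illustrative code written for this article, not Aruba firmware; the rule encoding (hosts as /32 prefixes), the 5-tuple packet form and the idle timeout of 30 seconds are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Simplified model of a session ACL on an RVI (constructed for illustration,
# not Aruba code). A packet is (src_ip, dst_ip, proto, sport, dport); rules are
# tried in position order, a non-deny match creates a session, and reverse
# traffic is allowed only while that session exists and has not idled out.

@dataclass(frozen=True)
class Rule:
    position: int
    src: str            # "a.b.c.d/32" for host, "a.b.c.d/m" for network, or "any"
    dst: str
    proto: str          # "tcp", "udp" or "any"
    dport: Optional[int]
    action: str         # "permit", "deny" or "src-nat"

def _in(spec, ip):
    return spec == "any" or ip_address(ip) in ip_network(spec)

class SessionAcl:
    def __init__(self, rules, idle_timeout):
        self.rules = sorted(rules, key=lambda r: r.position)
        self.idle_timeout = idle_timeout   # models the firewall session-idle timeout
        self.sessions = {}                 # forward 5-tuple -> time last seen

    def process(self, pkt, now):
        src, dst, proto, sport, dport = pkt
        # sessions idle longer than the timeout are deleted, as on the switch
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t <= self.idle_timeout}
        reverse = (dst, src, proto, dport, sport)
        if reverse in self.sessions:       # return traffic of a live session
            self.sessions[reverse] = now
            return "permit (reverse)"
        for r in self.rules:
            if (_in(r.src, src) and _in(r.dst, dst)
                    and r.proto in ("any", proto)
                    and (r.dport is None or r.dport == dport)):
                if r.action != "deny":
                    self.sessions[pkt] = now   # forward match creates the session
                return r.action
        return "implicit-deny"             # no ACE matched

# The two ACEs from the article: SSH from one host, src-nat for TFTP from 30.30.30.0/24
SESSION_ACL = SessionAcl([
    Rule(1, "35.35.35.253/32", "192.168.2.2/32", "tcp", 22, "permit"),
    Rule(2, "30.30.30.0/24", "any", "udp", 69, "src-nat"),
], idle_timeout=30)
```

Feeding the model a forward SSH packet, its reply, a Telnet attempt and a reply arriving after the idle timeout shows why the reverse-traffic check in the list above depends on `show datapath session` still listing the session.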



Check the security logs for session ACL logs:

show log security all

Version history
Revision #: 1 of 1
Last update: 04-09-2015 04:25 AM