How to configure session ACLs on RVI from MAS

Aruba Employee

Article applies to and above 

In earlier releases, MAS supported session ACLs on a user role only, which limited them to untrusted users on the switch; all non-user-based ACLs were either ingress- or egress-based.

To extend the advantages and actions of session ACLs, such as NATting, redirection to a tunnel, and their bidirectional, dynamic and stateful properties, to trusted ports and non-user traffic as well, the application of session ACLs on an RVI (routed VLAN interface) has been introduced.

Starting with this release, trusted and non-user traffic can be matched by session ACLs on an RVI; these ACLs are implemented in software.

NAT pools are now also supported, and a configured NAT pool can be used from a session ACL.


Network topology: (diagram not reproduced in this text)

A session ACL is configured on the CLI as follows:

  • In the example below, the first rule allows only SSH to the switch remotely from a specific host and blocks all other traffic.
  • The second rule source-NATs all UDP port 69 (TFTP) traffic coming from a particular network to the switch.

(ArubaS3500) (config) #ip access-list session session_acl
(ArubaS3500) (config-sess-session_acl)#host host svc-ssh permit position 1
(ArubaS3500) (config-sess-session_acl)#network any udp 69 src-nat position 2

The configured session ACL is applied to an RVI as follows:

(ArubaS3500) (config) #interface vlan 30
(ArubaS3500) (config-sess-session_acl)#ip access-group session session_acl



Command to dump the configured session ACL:

show ip access-list <name>

(ArubaS3500) #show ip access-list session_acl
ip access-list session session_acl

Priority  Source        Destination  Service  Action  Queue   TOS    IPv4/6
--------  ------        -----------  -------  ------  -----   ----   ------
1  svc-ssh  permit   Low             4
2 any     udp 69   src-nat  Low             4

Command to dump the ACLs attached to a VLAN interface:

show interface-config vlan 30

(Pavs_stk) #show interface-config vlan 30

vlan "30"
Parameter                   Value
---------                   -----
Interface description       N/A
Interface OSPF profile      N/A
Interface PIM profile       N/A
Session-processing          Disabled
IP Address        
IP NAT Inside               Disabled
IP NAT Outside              Disabled
DHCP client                 Disabled
DHCP relay profile          N/A
Ingress ACL                 N/A
Egress ACL                  N/A
Session ACL                 session_acl

To check session creation:

#show datapath session

Command to fetch the ACL id:

show acl acl-table

Use the ACL name to look it up in the ACL table:

show acl acl-table | include <name>

To check session ACL hits, use the session ACL id:

show datapath acl <acl-id>

To check the ACL hits for hardware-forwarded traffic:

show datapath dpe acl hits <acl-id> slot <id>

  • If no session is created, check that the ACL is correctly applied on the RVI:

                #show interface-config vlan <vlan-id>

  • Verify that the traffic is intended to go through software; sessions are not created for hardware-forwarded traffic.
  • Increase the session-idle timeout to a higher value to make sure the created session has not already been deleted; the current value is shown by:

                #show firewall

  • For traffic being dropped, check whether the interface has a port ACL that denies the traffic:

                #show interface-config gigabitethernet <>

  • Check which ACE is being hit; if none of the rules match, the implicit-deny rule is hit and drops all traffic:

                #show datapath acl <acl-id>   or   show datapath dpe acl hits <acl-id> slot <id>

  • Reverse traffic matching a forward rule is allowed only while the session is present and active:

                #show datapath session

  • Check whether the policy has expired:

                #show ip access-list <name>

  • Check the security logs for session ACL log entries:

                #show log security all
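The first checks in the list above (is the session ACL really attached to the RVI, and is another ACL sitting on the same interface) can be answered from captured CLI output. As an added example, not code from this article or from Aruba's own tooling, the Python below parses the `show interface-config vlan <vlan-id>` listing reproduced earlier and reports those findings. The sample input is the article's own vlan 30 listing, embedded here as a constructed string; the parameter names are those in the listing, and the checks themselves are mine.

```python
import re
from typing import Dict, List

# Constructed sample input: the `show interface-config vlan 30` listing from
# this article, embedded so the checks run offline against known output.
SAMPLE_INTERFACE_CONFIG = """\
vlan "30"
Parameter                   Value
---------                   -----
Interface description       N/A
Interface OSPF profile      N/A
Interface PIM profile       N/A
Session-processing          Disabled
IP Address
IP NAT Inside               Disabled
IP NAT Outside              Disabled
DHCP client                 Disabled
DHCP relay profile          N/A
Ingress ACL                 N/A
Egress ACL                  N/A
Session ACL                 session_acl
"""


def parse_interface_config(text: str) -> Dict[str, str]:
    """Parse the two-column Parameter/Value table into a dict.

    Columns are separated by two or more spaces. A parameter with no value
    (the blank "IP Address" row above) maps to an empty string.
    """
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        # Skip the 'vlan "30"' banner, blank lines and the dashed rule.
        if not line or line.startswith("vlan ") or line.startswith("-"):
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if parts[0] == "Parameter":  # column header row
            continue
        params[parts[0]] = parts[1] if len(parts) > 1 else ""
    return params


def check_session_acl(params: Dict[str, str], expected_acl: str) -> List[str]:
    """Run the 'no session created / traffic dropped' checks from the
    troubleshooting list against a parsed RVI listing.

    Returns a list of findings; an empty list means the RVI carries the
    expected session ACL and no other ACL is configured on it.
    """
    findings: List[str] = []
    applied = params.get("Session ACL", "N/A")
    if applied in ("", "N/A"):
        findings.append(
            "no session ACL on the RVI; apply it with "
            f"'ip access-group session {expected_acl}' under the interface")
    elif applied != expected_acl:
        findings.append(
            f"RVI carries session ACL '{applied}', expected '{expected_acl}'")
    # The troubleshooting list says to look for another ACL that denies the
    # traffic; an ingress/egress ACL on the RVI itself is the first candidate.
    for direction in ("Ingress ACL", "Egress ACL"):
        other = params.get(direction, "N/A")
        if other not in ("", "N/A"):
            findings.append(
                f"{direction} '{other}' is also applied; confirm it does not "
                "deny the traffic")
    return findings


if __name__ == "__main__":
    parsed = parse_interface_config(SAMPLE_INTERFACE_CONFIG)
    for finding in check_session_acl(parsed, "session_acl") or ["RVI looks correct"]:
        print(finding)
```

Feed it the output of `show interface-config vlan <vlan-id>` captured from the switch in place of the embedded sample; the remaining items in the list (software versus hardware forwarding, session idle timeout, ACE hit counters) still need the `show datapath` and `show firewall` commands above.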


Version history
Revision #: 1 of 1
Last update: 04-09-2015 04:25 AM