OK, I have it working this way. I had to open all UDP ports, because looking at the datapath session table it was picking some random (non-well-known) ports once in a while, table below. So this is what my ACL looks like, not 100% bulletproof, but good enough for the casual student deciding to try to connect his computer to an AP port/patch cord:
ip access-list extended wireless-AP_Mngmnt-lockdown-UTS
 permit udp any any
 permit gre any host 130.253.21.25
 permit gre any host 130.253.21.26
 permit gre any host 130.253.21.27
 permit ip any host 130.253.253.100
 permit icmp any 130.253.0.0 0.0.255.255
 deny ip any any
-------------------
(Aruba6000-UTS-master) #show datapath session table 130.253.90.146
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       I - Deep inspect, U - Locally destined

Source IP      Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
130.253.90.146 130.253.21.26  17   8211  8211  0    0    0   0   local       7    F
                                               0    0    0   1   local            FY
130.253.90.146 130.253.21.25  17   8211  8211  0    0    0   0   tunnel 8    7    FC
                                               0    0    0   1   tunnel 8         FYC
130.253.90.146 130.253.21.26  17   2049  123   0    0    0   1   local       c    FY
                                               0    0    0   1   local            FY
130.253.90.146 130.253.21.25  17   2049  123   0    0    0   1   tunnel 8    c    FC
                                               0    0    0   1   tunnel 8         FYC
130.253.90.146 130.253.21.25  17   2049  514   0    0    0   1   tunnel 8    b    FC
                                               0    0    0   1   tunnel 8         FYC
130.253.90.146 130.253.21.25  47   0     0     0    0    0   0   tunnel 8    4    FC
                                               0    0    0   0   tunnel 8         FC
130.253.21.26  130.253.90.146 17   51959 2     0    0    0   1   local       7    FC
                                               0    0    0   0   local            FC
130.253.21.26  130.253.90.146 17   8211  8211  0    0    0   0   local       7    FC
                                               0    0    0   1   local            FYC
130.253.21.25  130.253.90.146 17   8211  8211  0    0    0   0   tunnel 8    7    FY
                                               0    0    0   1   tunnel 8         FY
130.253.21.25  130.253.90.146 47   0     0     0    0    0   0   tunnel 8    4    F
                                               0    0    0   0   tunnel 8         F
130.253.21.25  130.253.90.146 17   123   2049  0    0    0   0   tunnel 8    c    FY
                                               0    0    0   1   tunnel 8         FY
130.253.21.26  130.253.90.146 17   123   2049  0    0    0   0   local       c    FC
                                               0    0    0   1   local            FYC
130.253.21.25  130.253.90.146 17   514   2049  0    0    0   0   tunnel 8    b    FY
                                               0    0    0   1   tunnel 8         FY
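Added example (not part of the post above, and not Aruba or Cisco code): a small Python script that parses the datapath session table output shown in the post and turns the sessions the AP itself opened into candidate IOS ACL entries keyed on protocol and destination port. Keying on the destination port instead of the source port is what makes the "random ports" go away: the 2049 and 51959 in the table are ephemeral source ports, while the services the AP actually talks to (UDP 8211, which is Aruba's PAPI channel, UDP 123, UDP 514 and GRE) stay fixed. The AP address, the sample rows (copied from the table above, one wrapped continuation line included to show it is skipped) and the ACL name come from the post; the column layout the regex expects is the one printed in the post's own header line, and the function names are made up here.

```python
import re
from collections import Counter

# Rows copied from the session table in the post above (AP = 130.253.90.146).
# The second line is one of the wrapped continuation lines without IPs; the
# parser must ignore it rather than misread it as a session.
SAMPLE_TABLE = """\
130.253.90.146 130.253.21.26 17 8211 8211 0 0 0 0 local 7 F
0 0 0 1 local FY
130.253.90.146 130.253.21.25 17 8211 8211 0 0 0 0 tunnel 8 7 FC
130.253.90.146 130.253.21.26 17 2049 123 0 0 0 1 local c FY
130.253.90.146 130.253.21.25 17 2049 123 0 0 0 1 tunnel 8 c FC
130.253.90.146 130.253.21.25 17 2049 514 0 0 0 1 tunnel 8 b FC
130.253.90.146 130.253.21.25 47 0 0 0 0 0 0 tunnel 8 4 FC
130.253.21.26 130.253.90.146 17 51959 2 0 0 0 1 local 7 FC
130.253.21.25 130.253.90.146 17 123 2049 0 0 0 0 tunnel 8 c FY
130.253.21.25 130.253.90.146 17 514 2049 0 0 0 0 tunnel 8 b FY
"""

# Column order as printed by the controller in the post:
# Source IP, Destination IP, Prot, SPort, DPort, Cntr, Prio, ToS, Age,
# Destination ("local" or "tunnel N"), TAge (hex), Flags.
SESSION_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<prot>\d+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"(?P<cntr>\d+)\s+(?P<prio>\d+)\s+(?P<tos>\d+)\s+(?P<age>\d+)\s+"
    r"(?P<dest>local|tunnel\s+\d+)\s+(?P<tage>[0-9a-f]+)\s+(?P<flags>[A-Z]+)\s*$"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre"}


def parse_sessions(text):
    """Return one dict per session line; headers and wrapped lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue  # header, separator, or a wrapped continuation line
        d = m.groupdict()
        sessions.append({
            "src": d["src"], "dst": d["dst"], "prot": int(d["prot"]),
            "sport": int(d["sport"]), "dport": int(d["dport"]),
            "dest": " ".join(d["dest"].split()), "tage": int(d["tage"], 16),
            "flags": d["flags"],
        })
    return sessions


def ap_initiated_services(sessions, ap_ip):
    """Count (protocol, controller, dport) for sessions whose source is the AP.

    Return traffic from the controllers is dropped on purpose: an inbound ACL
    on the AP's switch port only ever sees packets the AP sends, and the AP's
    own source ports (2049, 51959 above) are ephemeral and not worth matching.
    """
    seen = Counter()
    for s in sessions:
        if s["src"] == ap_ip:
            seen[(s["prot"], s["dst"], s["dport"])] += 1
    return seen


def acl_from_services(services, name):
    """Render IOS extended-ACL lines that permit only what the AP was seen opening."""
    lines = [f"ip access-list extended {name}"]
    for prot, dst, dport in sorted(services):
        pname = PROTO_NAMES.get(prot, str(prot))
        if prot in (6, 17):
            lines.append(f" permit {pname} any host {dst} eq {dport}")
        else:  # GRE and other port-less protocols
            lines.append(f" permit {pname} any host {dst}")
    lines.append(" deny ip any any")
    return lines


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_TABLE)
    services = ap_initiated_services(sessions, "130.253.90.146")
    print("\n".join(acl_from_services(services, "wireless-AP_Mngmnt-lockdown-UTS")))
```

Two caveats before using the output to replace `permit udp any any`: the table is a snapshot of one AP that is already up, so anything the AP only does at boot (DHCP, DNS, pulling an image) would not be in it, and the script should be run over tables collected across an AP reboot and from more than one AP before the list is trusted; and the `permit ip any host 130.253.253.100` and ICMP lines in the post come from knowledge of the site, not from this table, so they have to be added by hand. The `deny ip any any` at the end keeps the lockdown intent of the original ACL.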