Hello,
I am trying to create a pre-authenticated role that only allows DHCP and blocks everything else (for the time being). This role is applied to a wired port on a RAP, but it is still allowing SIP and RTP traffic even though the intended configuration should block this traffic. All other traffic is being blocked correctly, but the SIP and RTP traffic is getting through, as confirmed with show datapath session table <ip>.
Am I missing something?
Thanks,
Lorn
(TPA-ARUBA-MC1) #show user
This operation can take a while depending on number of users. Please be patient ....
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
10.90.212.10 e0:89:9d:fb:81:f2 ml-remote-employee-phone-preauth 00:00:19 20:4c:03:11:b9:6d Wired 10.80.9.15:0/1 ml-remote-employee-phone-aaa tunnel WIRED
(TPA-ARUBA-MC1) #show rights ml-remote-employee-phone-preauth
Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'ml-remote-employee-phone-preauth'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Number of users referencing it = 2
Periodic reauthentication: Disabled
DPI Classification: Enabled
Youtube education: Disabled
Web Content Classification: Enabled
IP-Classification Enforcement: Enabled
ACL Number = 83/0
Openflow: Disabled
Max Sessions = 65535
Check CP Profile for Accounting = TRUE
Application Exception List
--------------------------
Name Type
---- ----
Application BW-Contract List
----------------------------
Name Type BW Contract Id Direction
---- ---- ----------- -- ---------
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 global-sacl session
2 apprf-ml-remote-employee-phone-preauth-sacl session
3 ml-dhcp-clients-only session
4 denyall session
global-sacl
-----------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
apprf-ml-remote-employee-phone-preauth-sacl
-------------------------------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
ml-dhcp-clients-only
--------------------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 user any udp 68 deny Low 4
2 any any svc-dhcp permit Low 4
denyall
-------
Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract
-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------
1 any any any deny Low 4
Expired Policies (due to time constraints) = 0
(TPA-ARUBA-MC1) #show datapath session table 10.90.212.10
Datapath Session Table Entries
------------------------------
Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
Q - Real-Time Quality analysis
u - Upstream Real-Time Quality analysis
I - Deep inspect, U - Locally destined
E - Media Deep Inspect, G - media signal
r - Route Nexthop, h - High Value
A - Application Firewall Inspect
B - Permanent, O - Openflow
L - Log
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
10.90.212.10 10.184.5.14 6 52486 5060 0/0 6 24 4 tunnel 16 6b8 0 0 MCIO
10.90.212.10 10.84.5.14 6 52360 5060 0/0 6 24 7 tunnel 16 6b8 0 0 MCIO
10.184.5.14 10.90.212.10 6 5060 52486 0/0 6 24 4 tunnel 16 6b8 0 0 MIO
10.84.5.14 10.90.212.10 6 5060 52360 0/0 6 24 8 tunnel 16 6b8 0 0 MIO
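As an added check, not part of Lorn's post and not ArubaOS code: a short Python script that parses the "show datapath session table" rows above and flags every session the datapath permitted (no D flag, per the legend printed with the output) that is not DHCP, which is the only traffic the pre-auth role is meant to allow. The four SIP rows are copied from the post; the two extra rows are constructed for contrast; the mapping of svc-dhcp to UDP 67/68 is my assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Set

# Flag legend as printed by 'show datapath session table' in the post.
FLAG_MEANINGS = {
    "F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny",
    "R": "redirect", "Y": "no syn", "H": "high prio", "P": "set prio",
    "T": "set ToS", "C": "client", "M": "mirror", "V": "VOIP",
    "Q": "Real-Time Quality analysis", "u": "Upstream Real-Time Quality analysis",
    "I": "Deep inspect", "U": "Locally destined", "E": "Media Deep Inspect",
    "G": "media signal", "r": "Route Nexthop", "h": "High Value",
    "A": "Application Firewall Inspect", "B": "Permanent", "O": "Openflow",
    "L": "Log",
}

# Intended policy for the pre-auth role: DHCP only.
# Assumption: svc-dhcp means UDP 67/68 (BOOTP server/client).
DHCP_ONLY: Set[Tuple[int, int]] = {(17, 67), (17, 68)}

# Sample input: header plus the four SIP rows from the post, followed by two
# constructed rows (a denied HTTPS session and a permitted DHCP session).
SAMPLE = """\
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
10.90.212.10 10.184.5.14 6 52486 5060 0/0 6 24 4 tunnel 16 6b8 0 0 MCIO
10.90.212.10 10.84.5.14 6 52360 5060 0/0 6 24 7 tunnel 16 6b8 0 0 MCIO
10.184.5.14 10.90.212.10 6 5060 52486 0/0 6 24 4 tunnel 16 6b8 0 0 MIO
10.84.5.14 10.90.212.10 6 5060 52360 0/0 6 24 8 tunnel 16 6b8 0 0 MIO
10.90.212.10 93.184.216.34 6 40000 443 0/0 0 0 1 tunnel 16 1 2 120 CD
10.90.212.10 10.90.212.1 17 68 67 0/0 0 0 2 tunnel 16 1 3 900 C
"""


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: str

    @property
    def denied(self) -> bool:
        # 'D' is the deny flag in the legend; a permitted flow lacks it.
        return "D" in self.flags


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_sessions(text: str) -> List[Session]:
    """Parse data rows; legend and header lines are skipped."""
    sessions: List[Session] = []
    for line in text.splitlines():
        parts = line.split()
        # A data row starts with two IP addresses.
        if len(parts) < 14 or not (_is_ip(parts[0]) and _is_ip(parts[1])):
            continue
        # The Destination column can contain a space ("tunnel 16"), so the
        # fixed columns are read from the left and the flags from the right.
        # An empty Flags column would leave the numeric Bytes value last.
        flags = "" if parts[-1].isdigit() else parts[-1]
        sessions.append(Session(parts[0], parts[1], int(parts[2]),
                                int(parts[3]), int(parts[4]), flags))
    return sessions


def policy_violations(sessions: List[Session],
                      allowed: Set[Tuple[int, int]] = DHCP_ONLY) -> List[Session]:
    """Sessions the datapath permitted that the DHCP-only policy should drop."""
    out = []
    for s in sessions:
        if s.denied:
            continue
        if (s.proto, s.dport) in allowed or (s.proto, s.sport) in allowed:
            continue
        out.append(s)
    return out


def describe(s: Session) -> str:
    meanings = ", ".join(FLAG_MEANINGS.get(f, "unknown flag %r" % f) for f in s.flags)
    return "%s:%d -> %s:%d proto %d PERMITTED (flags %s: %s)" % (
        s.src, s.sport, s.dst, s.dport, s.proto, s.flags, meanings)


if __name__ == "__main__":
    for v in policy_violations(parse_sessions(SAMPLE)):
        print(describe(v))
```

Paste the full command output in place of SAMPLE; anything the script prints is a flow the datapath built without the deny flag, which is exactly the evidence that the role's ACL never denied it, independent of what the session counters show.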