
How to configure Stateless v.s Session ACLs on MAS and Controller

Aruba Employee

Introduction-

  • Stateless ACLs were introduced as a complement to session ACLs on the controller
  • Actions like blacklist, time-range, position and log are supported in stateless ACLs
  • A qos-profile and a policer-profile can be attached to a stateless ACL
  • The following match options are supported when defining the ACL:
    • alias   : Match addresses defined in the alias
    • any     : Match any IPv4 source traffic
    • host    : Match a single IPv4 host address
    • network : Match an IPv4 subnet

Environment- No special environment applies to this configuration.

Network Topology- No specific network topology applies to this configuration.

Configuration Steps-

Create Stateless ACL
(MAS3500) (config) #ip access-list stateless stateless_acl1
(MAS3500) (config-stateless-stateless_acl1)#host 192.168.1.1 network 10.1.1.0 255.255.255.0 svc-http permit
(MAS3500) (config-stateless-stateless_acl1)#any any udp 53 deny
 
Apply ACL in Ingress direction on an interface
(MAS3500) (config) #interface  gigabitethernet 0/0/0
(MAS3500) (gigabitethernet "0/0/0") #ip access-group in stateless_acl1
 
Apply ACL in Egress direction on interface
(MAS3500) (config) #interface  gigabitethernet 0/0/0
(MAS3500) (gigabitethernet "0/0/0") #ip access-group out stateless_acl1
 
Apply ACL to user-role
(MAS3500) (config) #user-role test
(MAS3500) (config-role) #access-list stateless stateless_acl1

(MAS3500) # show user-table
Users
-----
    IP                    MAC                          Name     Role       Age(d:h:m)  Auth  VPN link    AP name  Roaming   Essid/Bssid/Phy  Profile  Forward mode  Type
----------          -----------------------       ---------    ------      ---------------   ------  ------------   -----------   -----------    ---------------------  --------  ------------  ----
192.168.1.1  00:01:05:00:03:00                      test       00:00:09                                     0/0/0       Wired                                       p1        tunnel

User Entries: 1/1

(MAS3500) # show rights test
Derived Role = 'test'
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 41/0/42                        <<<<<ACL number is 42
 Max Sessions = 65535
access-list List
----------------
Position    Name                     Type              Location
-----------    --------                    ------------       --------
1                 stateless_acl1      stateless

stateless_acl1
--------------
Priority  Source            Destination                      Service       Action     TimeRange    Log   Expired   QoS   Policer    Blacklist   Mirror   IPv4
----------  ---------            ----------- ----                      -----------     --------      --------------    -----  ----------   -----   ----------   -----------   --------   ----
1              192.168.1.1  10.1.1.0 255.255.255.0  svc-http     permit                                                                                                                   4
2              any                  any                                    udp 53       deny                                                                                                                      4
Expired Policies (due to time constraints) = 0
 
(MAS3500) #show acl acl-table
AclTable
--------
ACL  Type                   ACE Index    Rule Count      Ace Count        Name                     Applied
-----  ------                    -------------    --------------        -------------         --------                      ---------
1       role                     0                   0                       1                        logon                       0
2       role-stateless    86                 4                       5                        logon                       0
...
40     stateless            248               2                       3                        stateless_acl1        1  <<<<<<<<<<<<<<<<<<<< ACL Index=40

(MAS3500) #show acl acl-table | include stateless_acl1
40     stateless            248               2                       3                        stateless_acl1        1


Stateless ACL on MAS
Uni-directional –
ACL rules govern traffic in the forward direction only.
Traffic in the reverse direction is unconditionally permitted.
Network classification options supported:
(ArubaS2500-48P-US) (config-stateless-ACLList)#?
alias                   Match a IPv4 network resource
any                     Match any IPv4 source traffic
host                    Match a single IPv4 host address
network             Match IPv4 subnet
no                       Delete Command
Actions supported:
(ArubaS2500-48P-US) (config-stateless-ACLList)#any any any ?
deny                    Specify packets to reject
permit                  Specify packets to forward
Extended actions supported:
(ArubaS2500-48P-US) (config-stateless-ACLList)#any  any  any  permit  ?
blacklist                Blacklist user if ACL gets applied
log                         Log if ACL gets applied
policer-profile     Apply Policer profile
position                Filter position. Default is last. 1 is first.
qos-profile           Apply QoS profile
time-range           Configure time range
<cr>
 
Session ACL on Controller
Bi-directional –
ACL rules govern traffic in both the forward and reverse directions.
Network classification options supported:
(Aruba650) (config-sess-ACLList)#?
alias                   Match a IPv4 network resource
any                     Match any IPv4 source traffic
host                    Match a single IPv4 host address
ipv6                    IPv6 Session filter
localip                Match traffic from local IP address
network             Match IPv4 subnet
user                    Match traffic from IPv4 source user
Actions supported:
(Aruba650) (config-sess-ACLList)#any any any ?
deny                    Specify packets to reject
dst-nat                Perform destination NAT on packets
dual-nat              Perform both source and destination NAT on packets
permit                 Specify packets to forward
redirect                Redirect packets
route                   Route packets
src-nat                 Perform source NAT on packets
Extended actions supported :
(Aruba650) (config-sess-ACLList)#any any any permit ?
blacklist                    Blacklist user if ACL gets applied
classify-media         Starts monitoring users all untagged (IP DSCP) UDP
disable-scanning     Pause ARM scanning while traffic is present
dot1p-priority          Assign 802.1p priority
log                              Log if ACL gets applied
mirror                        Mirror all session packets to datapath or remote destination
position                     Filter position. Default is last. 1 is first.
queue                        Assign queue priority of the flow
time-range               Configure time range
tos                             Set TOS in IPv4 header
<cr>
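The practical difference between the two sections above (stateless: forward direction only, reverse unconditionally permitted; session: rules govern both directions) is easiest to see by simulating both against the same rule list. The following Python model is an added example, not Aruba code and not from the original article; it assumes svc-http means tcp/80, that an ACL ends with an implicit deny, and that a session ACL tracks permitted forward flows and evaluates reverse packets that match no tracked flow against the rules. The rule list mirrors the stateless_acl1 configured earlier on the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the two ACL kinds this article contrasts (illustration only):
#   stateless: rules are evaluated on forward traffic; reverse traffic is passed
#              unconditionally because no state is kept
#   session:   rules are evaluated on forward traffic; a permit records a session,
#              reverse traffic is passed when it matches a session, otherwise it
#              is evaluated against the rules (assumption for this model)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

def _in(spec: str, addr: str) -> bool:
    """'any', a host address, or a CIDR prefix; a bare host is treated as /32."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

@dataclass
class Rule:
    src: str
    dst: str
    proto: str              # "any", "tcp" or "udp"
    dport: Optional[int]    # None matches any destination port
    action: str             # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (_in(self.src, pkt.src) and _in(self.dst, pkt.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))

# Same rules as stateless_acl1 on the page (svc-http assumed to be tcp/80)
RULES = [
    Rule("192.168.1.1", "10.1.1.0/24", "tcp", 80, "permit"),
    Rule("any", "any", "udp", 53, "deny"),
]

def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; no match falls through to an implicit deny (assumption)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

class StatelessAcl:
    def __init__(self, rules):
        self.rules = rules
    def forward(self, pkt: Packet) -> str:
        return evaluate(self.rules, pkt)
    def reverse(self, pkt: Packet) -> str:
        return "permit"   # reverse direction is unconditionally permitted

class SessionAcl:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()
    def forward(self, pkt: Packet) -> str:
        action = evaluate(self.rules, pkt)
        if action == "permit":   # remember the permitted flow so its replies pass
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return action
    def reverse(self, pkt: Packet) -> str:
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.sessions:
            return "permit"
        return evaluate(self.rules, pkt)   # unsolicited reverse traffic hits the rules

def demo() -> dict:
    """Run the same four packets through both ACL kinds and collect the verdicts."""
    http_req = Packet("192.168.1.1", "10.1.1.5", "tcp", 40000, 80)
    http_reply = Packet("10.1.1.5", "192.168.1.1", "tcp", 80, 40000)
    unsolicited = Packet("10.1.1.5", "192.168.1.1", "tcp", 80, 40001)  # no matching session
    dns_query = Packet("192.168.1.1", "10.1.1.53", "udp", 50000, 53)
    results = {}
    for name, acl in (("stateless", StatelessAcl(RULES)), ("session", SessionAcl(RULES))):
        results[name] = {
            "http_request": acl.forward(http_req),
            "http_reply": acl.reverse(http_reply),
            "unsolicited_reverse": acl.reverse(unsolicited),
            "dns_forward": acl.forward(dns_query),
        }
    return results

if __name__ == "__main__":
    for kind, verdicts in demo().items():
        print(kind, verdicts)
```

The row that matters is unsolicited_reverse: the stateless ACL passes it because it never looks at reverse traffic, while the session ACL, having no matching flow, evaluates it against the rules and denies it. That is why a stateless ACL applied only in one direction on a MAS port should be paired with the egress ACL when return traffic also needs control.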
 
Stateless ACL on MAS

  • ACL can be associated to a port in Ingress/Egress

(S2500-48P) (gigabitethernet "0/0/0") # ip access-group ?
in                      Add/Delete ingress access-control-list
out                     Add/Delete egress access-control-list
(S2500-48P) (gigabitethernet "0/0/0") #ip access-group in ACLList
(S2500-48P) (gigabitethernet "0/0/0") #ip access-group out ACLList

  • Router ACLs and VLAN ACLs are not supported.
  • The following ACL types can be associated with a user-role:

(S2500-48P) (config-role) #access-list ?
eth                      Apply Ethertype access-list
mac                    Apply MAC access-list
stateless            Apply stateless access-list

Session ACL on controller

ACL can be associated to a port in Ingress/Egress
(Aruba650) (config-if)#ip access-group ACLList ?
in                         Apply access-list to interface's inbound traffic
out                      Apply access-list to interface's outbound traffic
session               Apply session access-list to interface or Vlan
 
ACL can be associated to a VLAN
(Aruba650) (config-if)#ip access-group ACLList  session ?
vlan                    Apply session access-list to Vlan
<cr>
 
The following ACL types can be associated with a user-role:
(Aruba650) (config-role) #access-list ?
eth                     Apply Ethertype access-list
mac                    Apply MAC access-list
session               Apply session access-list
Answer- The configuration above shows how stateless and session ACLs are configured and where each can be applied.

Verification- The following commands help verify and confirm which ACL is being hit on the controller.

  • show acl hits 
  • show rights
  • show acl acl-table
  • show datapath acl <acl number>
  • show ip access-list brief
  • show ip access-group
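The show acl acl-table output earlier on the page is the place to confirm that a stateless ACL is not only defined but actually applied (Applied column) and to read off its ACL number. The following Python parser is an added example, not part of the article and not an Aruba tool; the sample output is constructed from the page's rows plus one extra row, stateless_acl2, invented here to show an ACL that was created but never applied to a port or role. It also assumes the ACL number it returns is the one show datapath acl <acl number> expects.

```python
# Constructed sample in the layout of the page's "show acl acl-table" output;
# the stateless_acl2 row is made up to illustrate an unapplied ACL.
SAMPLE = """\
(MAS3500) #show acl acl-table
AclTable
--------
ACL  Type            ACE Index  Rule Count  Ace Count  Name            Applied
---  ----            ---------  ----------  ---------  ----            -------
1    role            0          0           1          logon           0
2    role-stateless  86         4           5          logon           0
40   stateless       248        2           3          stateless_acl1  1
41   stateless       260        1           2          stateless_acl2  0
"""

COLUMNS = ("acl", "type", "ace_index", "rule_count", "ace_count", "name", "applied")
NUMERIC = ("acl", "ace_index", "rule_count", "ace_count", "applied")

def parse_acl_table(text: str) -> list:
    """Return one dict per data row; prompt, title, header and dashed lines are skipped.

    Column values in this output contain no spaces (e.g. 'role-stateless'),
    so a whitespace split recovers exactly the seven columns."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or not fields[0].isdigit():
            continue
        row = dict(zip(COLUMNS, fields))
        for key in NUMERIC:
            row[key] = int(row[key])
        rows.append(row)
    return rows

def acl_number(rows: list, name: str):
    """ACL index for a named ACL, assumed here to be the number used with
    'show datapath acl <acl number>'; None if the name is not in the table."""
    for row in rows:
        if row["name"] == name:
            return row["acl"]
    return None

def unapplied(rows: list, acl_type: str = "stateless") -> list:
    """Names of ACLs of the given type that exist but are not applied anywhere.
    An ACL that is configured but unapplied enforces nothing, so this is the
    first thing to check when expected hits never appear."""
    return [row["name"] for row in rows
            if row["type"] == acl_type and row["applied"] == 0]

if __name__ == "__main__":
    table = parse_acl_table(SAMPLE)
    print("stateless_acl1 is ACL number", acl_number(table, "stateless_acl1"))
    print("configured but unapplied:", unapplied(table))
```

Feed the real command output into parse_acl_table instead of SAMPLE; an empty list from unapplied together with the expected ACL number is the condition to confirm before moving on to show acl hits or show datapath acl.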

Troubleshooting- The following commands are useful for troubleshooting.

  • show datapath session
  • show acl hits
  • show datapath acl
  • show rights
  • show user 
  • controller and MAS uplink port mirroring
Last update: 04-02-2015 09:43 PM