Session ACLs on RVI

Aruba Employee

Introduction- As of releases from, MAS supported Session ACLs on a user-role only, which restricted them to untrusted users on the switch. Also, as of today, all non-user-based ACLs are either ingress or egress ACLs and are programmed into the Marvell TCAM.

To make the advantages and actions of Session ACLs, such as NAT, redirect to a tunnel, and their bidirectional, dynamic and stateful behaviour, available to trusted ports and non-user traffic as well, Session ACLs can now be applied on an RVI (routed VLAN interface).

Starting, trusted/non-user traffic can be processed by Session ACLs applied on an RVI; these sessions are implemented in software. NAT pools are also now supported, and a configured NAT pool can be referenced from a Session ACL.


Feature Notes- Only the following traffic is software forwarded:

  •  Traffic whose matching ACE action is NAT (source/destination/dual NAT)
  •  Traffic whose matching ACE action is redirect through a tunnel
  •  Traffic going over an interface VLAN that has "session-processing" enabled

Sessions are created only for this traffic. Since it is handled in software, a maximum rate of 40 kpps can be expected. All other traffic that matches a Session ACL but whose ACE does not carry one of the actions above is treated in a stateless manner.

The above is applicable for both Session ACLs on RVI and Session ACLs on user-role.



Network Topology- Server <---Trusted port--------------------->MAS<----------------Uplink--------------------->L3 Device<-------------------------->Client
                                                                 Interface VLAN 30 and Session ACL on RVI 30


Configuration Steps- Creating a NAT pool:

(ArubaS3500) (config) #ip nat pool pool1

A Session ACL can be configured on the CLI as follows:

(ArubaS3500) (config) #ip access-list session session_acl
(ArubaS3500) (config-sess-session_acl)#any host tcp 0 65535 permit position 1
(ArubaS3500) (config-sess-session_acl)# network any udp 69 src-nat pool pool1 position 2

The configured session ACL can be applied to an RVI as follows (the interface vlan mode prompt is shown; the original page showed the session ACL prompt here by mistake):

(ArubaS3500) (config) #interface vlan 30
(ArubaS3500) (vlan "30") #ip access-group session session_acl


Answer- Limitations:

  • Session ACLs cannot be applied to ports
  • Since a session ACL is an ingress property, a session ACL and an ingress ACL cannot co-exist on an interface VLAN
  • When actions such as redirect/NAT are applied to the traffic, or when traffic goes over a session-processing enabled interface VLAN, the traffic is rate limited to 40 kpps since it is handled in software
  • Only IPv4 unicast packets can be subjected to this functionality; IPv6 ACLs are not supported
  • No Web UI support
  • No MIBs supported for now


  • Command to dump the configured session ACL:

show ip access-list <name>

(ArubaS3500) #show ip access-list session_acl

ip access-list session session_acl
Priority  Source  Destination  Service      Action              Queue  IPv4/6
--------  ------  -----------  -------      ------              -----  ------
1         any                  tcp 0-65535  permit              Low    4
2         any                  udp 69       src-nat pool pool1  Low    4

  • Command to dump the ACLs attached to an interface VLAN:

show interface-config vlan 30

(ArubaS3500) #show interface-config vlan 30

vlan "30"
Parameter                   Value
---------                   -----
Interface description       N/A
Interface OSPF profile      N/A
Interface PIM profile       N/A
Session-processing          Disabled
IP Address        
IP NAT Inside               Disabled
IP NAT Outside              Disabled
DHCP client                 Disabled
DHCP relay profile          N/A
Ingress ACL                 N/A
Egress ACL                  N/A
Session ACL                 session_acl

  • To check session creation:

show datapath session

(ArubaS3500) #show datapath session

Datapath Session Table Entries
Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       u - User Index
 Source IP/     Destination IP  Prot SPort DPort Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags
--------------  --------------  ---- ----- ----- ---- ---- --- --- ----------- ---- ------ ------ -----
                                17   63    69    0/0  0    0   0   1/0/24      5    248    2a16   FSC    <-- Source NAT
                                17   69    63    0/0  0    0   1   1/0/24      5    0      0      FNY    <-- Reverse session


  • Command to fetch the ACL id:

show acl acl-table

Use the ACL name to look it up in the ACL table:

show acl acl-table | include <name>

(ArubaS3500) #show acl acl-table | include session_acl
33   session         170        3           3     session_acl    1
The first column (33) is the ACL id.

  • To check session ACL hits, use the session ACL id:

show datapath acl <acl-id>

(ArubaS3500) #show datapath acl 99

Datapath acl 99 Entries
Flags: P - permit, L - log, E - established, M/e - MAC/etype filter
       S - SNAT, D - DNAT, R - redirect, r - reverse redirect m - Mirror
       I - Invert SA, i - Invert DA, H - high prio, O - set prio
       A - Disable Scanning, T - set TOS, 4 - IPv4, 6 - IPv6
       C - Classify Media
 1:  any  6 0-65535 0-65535   P4
 2:  any  17 0-65535 69-69    PS4   hits 2   <-- indicates the session ACL hits
 3:  any  any  any            46

  • To check the ACL hits for hardware-forwarded traffic:

show datapath dpe acl hits <acl-id> slot <id>

(ArubaS3500) (config) # show datapath dpe acl hits 33 slot 1

Datapath Element ACL Hits
Index   Source             Destination       Proto                Pkts      Bytes
-----   --------           -------------     ------               ------    -----
 141:                                        6 0-65535 0-65535    100       6400
 142:                                        17 0-65535 69-69     0         0
 143:   ::/0               ::/0              any                  0         0



Troubleshooting- If a session is not created:

  • Check that the ACL is correctly applied on the RVI using
    show interface-config vlan <vlan-id>
  • Verify that the traffic is intended to go via software (sessions are not created for hardware-forwarded traffic)
  • Increase the session-idle timeout to a higher value to make sure the created session has not already been deleted (see the current value with show firewall)

If traffic is getting dropped:

  • Check whether the interface has a port ACL present that denies the traffic, using
    show interface-config gigabitethernet <>
  • Check which ACE is getting hit; if none of the rules match, the "implicit-deny" rule is hit and drops all traffic. Use
    show datapath acl <acl-id> or show datapath dpe acl hits <acl-id> slot <id>
  • Reverse traffic matching a forward rule is allowed only while the session is present and active; check with
    show datapath session
  • Check whether the policy has expired using
    show ip access-list <name>
  • Check the security logs for session ACL logs using
    show log security all
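The "which ACE is getting hit" check above can be automated over saved `show datapath acl <acl-id>` output. The following is an added example, not part of the original article or of the MAS software; it parses a constructed sample in the format shown on this page and reports permit, SNAT and implicit-deny hit counters, treating the final ACE without the P flag as the implicit deny.

```python
import re

# Constructed sample of `show datapath acl <acl-id>` output in the format shown on
# this page (P = permit, S = SNAT, 4 = IPv4). Not captured from a real switch.
SAMPLE_ACL = """\
Datapath acl 33 Entries
Flags: P - permit, L - log, E - established, M/e - MAC/etype filter
       S - SNAT, D - DNAT, R - redirect, r - reverse redirect m - Mirror
 1:  any  6 0-65535 0-65535   P4
 2:  any  17 0-65535 69-69    PS4   hits 2
 3:  any  any  any            46    hits 7
"""

# "<index>:  <match fields>  <flags> [hits <n>]"; flags are letters plus 4/6.
ACE_RE = re.compile(r"^\s*(\d+):\s+(.*?)\s+([A-Za-z46]+)(?:\s+hits\s+(\d+))?\s*$")


def parse_aces(text):
    """Return (index, match, flags, hits) for every ACE line in the output."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            idx, match, flags, hits = m.groups()
            aces.append((int(idx), match.strip(), flags, int(hits or 0)))
    return aces


def diagnose_acl(text):
    """Summarise hit counters: permit hits, SNAT hits, and hits on the implicit
    deny (last ACE without the P flag), which is what drops unmatched traffic."""
    aces = parse_aces(text)
    report = {"permit_hits": 0, "snat_hits": 0, "implicit_deny_hits": 0, "hit_aces": []}
    last_idx = aces[-1][0] if aces else None
    for idx, _match, flags, hits in aces:
        if hits:
            report["hit_aces"].append(idx)
        if "P" in flags:
            report["permit_hits"] += hits
            if "S" in flags:
                report["snat_hits"] += hits
        elif idx == last_idx:
            report["implicit_deny_hits"] += hits
    return report


if __name__ == "__main__":
    print(diagnose_acl(SAMPLE_ACL))
```

A non-zero implicit_deny_hits value with zero permit hits is the signature of traffic that none of the configured ACEs matched.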
Last update: 04-02-2015 12:24 AM