
ip access-list session

ip access-list session <accname>

<source> <dest> <service> <action> [<extended action>]

ipv6 <source> <dest> <service> <action> [<extended action>]

no ...

Description

This command configures a session ACL (access control list). To create IPv6-specific rules, use the ipv6 keyword.

Syntax

Parameter

Description

session <accname>

Define a session ACL, where <accname> is an access list name or an access list number in the supported range.

ipv6

Use the ipv6 keyword to create IPv6 specific rules.

<source>

The traffic source, which can be one of the following:

alias: specify the network resource (use the netdestination command to configure aliases; use the show netdestination command to see configured aliases)

any: match any traffic

host: specify a single host IP address

ipv6: specify a single host IPv6 address

localip: specify the local IP address to match traffic

network: specify the IP address and netmask

user: represents the IP address of the user

userrole: represents the traffic based on user role

<dest>

The traffic destination, which can be one of the following:

alias: specify the network resource (use the netdestination command to configure aliases; use the show netdestination command to see configured aliases)

any: match any traffic

host: specify a single host IP address

ipv6: specify a single host IPv6 address

localip: specify the local IP address to match traffic

network: specify the IP address and netmask

user: represents the IP address of the user

userrole: represents the traffic based on user role

<service>

Network service, which can be one of the following:

IP protocol number (0-255)

name of a network service (use the show netservice command to see configured services)

any: match any traffic

app: application name. (For a complete list of supported applications, issue the command show dpi application all.)

appcategory: application category name. (For a complete list of supported applications, issue the command show dpi application all.)

icmp: Internet Control Message Protocol

tcp destination port number: specify the TCP destination port number (0-65535)

tcp source: TCP/UDP source port number

udp: specify the UDP port number (0-65535)

web-cc-category: name of a web content category. For the full list of available web content categories, issue the command show web-cc categories.

web-cc-reputation: any of the following predefined web content reputation levels:

high-risk

low-risk

moderate-risk

suspicious

trustworthy

<action>

Action if rule is applied, which can be one of the following:

deny: Reject packets. Applicable to both IPv4 and IPv6.

dst-nat: Performs destination NAT on packets. Forwards packets from the source network to the destination and rewrites them with the destination IP of the target network. This action functions in tunnel/decrypt-tunnel forwarding mode. The NAT pool must be configured on the managed device.

src-nat: Performs source NAT on packets. The source IP changes to the outgoing interface IP address (implied NAT pool) or to an address from the configured pool (manual NAT pool). This action functions in tunnel/decrypt-tunnel/bridge/split-tunnel forwarding mode.

dual-nat: Performs both source and destination NAT on packets. The source IP and destination IP are changed according to the configured NAT pool. This action functions in tunnel/decrypt-tunnel forwarding mode. The NAT pool must be configured on the managed device.

permit: Forward packets. Applicable to both IPv4 and IPv6.

redirect: Specify the location to which packets are redirected. The following are applicable only to IPv4:

Datapath destination ID (0-65535).

esi-group: Specify the ESI (External Services Interface) server group configured with the esi group command.

tunnel: Specify the ID of the tunnel configured with the interface tunnel command.

webcc-reputation: Assign one of the predefined web content reputation levels to the packets.

 

The following are applicable only to IPv6:

tunnel: Specify the ID of the tunnel configured with the interface tunnel command.

tunnel-group: Specify the tunnel-group configured with the interface tunnel command.

route: Specify the next hop to which packets are routed, which can be one of the following:

dst-nat: The destination IP changes to the IP configured in the NAT pool. This action functions in bridge/split-tunnel forwarding mode. The NAT pool must be configured on the managed device.

src-nat: Performs source NAT on packets. The source IP changes to the outgoing interface IP address (implied NAT pool) or to an address from the configured pool (manual NAT pool). This action functions in tunnel/decrypt-tunnel/bridge/split-tunnel forwarding mode.

<extended action>

Optional action if rule is applied, which can be one of the following:

blacklist: blacklist the user if this ACL rule is applied.

disable-scanning: pause ARM (Adaptive Radio Management) scanning while traffic is present. Note that you must enable “VoIP Aware Scanning” in the ARM profile for this feature to work.

dot1p-priority: specify 802.1p priority (0-7), where 0 is the lowest priority, and 7 is the highest.

log: generate a log message

mirror: mirror all session packets to datapath or remote destination

If you configure the mirror option, define the destination to which mirrored packets are sent in the firewall policy. For more information, see firewall.

next-hop-list: Route packet to the next hop in the list.

position: specify the position of the rule (1 is first, default is last)

queue: assign flow to priority queue (high/low)

send-deny-response: if <action> is deny, send an ICMP notification to the source

time-range: specify time range for this rule (configured with time-range command)

tos: specify the ToS (Type of Service) value (0-63)

no

Negates any configured parameter.

Usage Guidelines

Session ACLs define traffic and firewall policies on the managed device. You can configure multiple rules for each policy; rules are evaluated from top (position 1 is first) to bottom, and the first match terminates further evaluation. Generally, you should order more specific rules at the top of the list and less specific rules at the bottom. The ACL ends with an implicit deny all, so any traffic not explicitly permitted is dropped. To configure IPv6 rules, use the ipv6 keyword followed by the regular ACL keywords.

Example

The following CLI configuration shows how pre-classification and post-classification occur during enforcement.

Each application has an implicit set of ports that are used for communication. In phase 1, if an application ACE (access control entry) is hit, the traffic matching this application’s implicit ports is allowed (as governed by the application ACE). The DPI (deep packet inspection) engine can monitor the exchange on these ports and determine the application. Once the application is determined, phase 2 occurs: the session is evaluated again to determine its final outcome.

The following CLI example shows the global and the role-specific session ACLs for a user role:

(host) [mynode] (config) #ip access-list session global-sacl

(host) [mynode] (config) #ip access-list session apprf-employee-sacl

(host) [mynode] (config) #ip access-list session control

any any app gmail-chat permit

any any app youtube permit

any any any deny

This example shows a DPI rule along with an L3/L4 rule with a forwarding action in the same ACL.

(host) [mynode] (config) #ip access-list session AppRules

any any app Facebook permit tos 45

any any app YouTube deny

any any appcategory peer-to-peer deny

any any tcp 23 permit

network 40.1.0.0/16 any tcp 80 permit tos 60

network 20.1.0.0/16 any tcp 80 src-nat

!

(host) [mynode] (config) #ip access-list session NetRules

network 80.0.0.0/24 any tcp 80 deny

network 60.0.0.0/24 any tcp 80 dual-nat pool <pool1>

network 10.0.0.0/24 any tcp 80 dst-nat

!

(host) [mynode] (config) #user-role Role1

session-acl AppRules

session-acl NetRules

!

The following commands configure a session ACL with both an IPv4 and an IPv6 rule:

(host) [mynode] (config) #ip access-list session common

(host) [mynode] (config-sess-common)#host 10.12.13.14 any any permit

(host) [mynode] (config-sess-common)#ipv6 host 11:12:11:11::2 any any permit

 

The following example displays information for an ACL called mylist:

(host) [mynode] (config) #show ip access-list mylist

ip access-list session mylist

mylist

---------

Priority Source Destination Service Application Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan IPv4/6 Contract

-------- ------ ----------- ------- ----------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------ --------

1 any any app gmail deny Low 4

The following example shows how a local-override netdestination alias (here, store) is used on the controller:

(host) [mynode] (config) #ip access-list session store-override

(host) [mynode] (config-sess-store-override)#any alias store any permit

(host) [mynode] (config-sess-store-override)#alias store any any deny

(host) [mynode] (config-sess-store-override)#!

(host) [mynode] (config) #show ip interface brief

Interface IP Address / IP Netmask Admin Protocol

vlan 1 172.72.10.254 / 255.255.255.0 up up

vlan 55 55.55.55.1 / 255.255.255.0 up up

loopback unassigned / unassigned up up

 

(host) [md] #show acl acl-table | include dummy-acl

75 session 620 2 3 dummy-acl 0

 

(host) [md] #show acl ace-table acl 75

 

620: any netdest-id: 34 0 0-0 0-0 f1000080001:permit alias-dst hits-table-index 24578

621: netdest-id: 34 any 0 0-0 0-0 f800080001:permit alias-src hits-table-index 24579

622: any any 0 0-0 0-0 f180000:deny

The following examples show rules written against reserved and special-purpose address ranges, in both IPv4 and IPv6:

(host) [mynode] (config) #ip access-list session v6-logon-control

ipv6 user any udp 546 deny

ipv6 any any svc-v6-icmp permit

ipv6 any any svc-v6-dhcp permit

ipv6 any any svc-dns permit

ipv6 any network fc00::/7 any permit

ipv6 any network fe80::/64 any permit

 

(host) [mynode] (config) #ip access-list session validuser

network 127.0.0.0 255.0.0.0 any any deny

network 169.254.0.0 255.255.0.0 any any deny

network 224.0.0.0 240.0.0.0 any any deny

host 255.255.255.255 any any deny

network 240.0.0.0 240.0.0.0 any any deny

any any any permit

ipv6 host fe80:: any any deny

ipv6 network fc00::/7 any any permit

ipv6 network fe80::/64 any any permit

ipv6 alias ipv6-reserved-range any any deny

ipv6 any any any permit

!
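The evaluation semantics from the Usage Guidelines (ordered rules, first match terminates evaluation, implicit deny all at the end, position 1 is first) can be checked against the validuser ACL above with a small model. The following is an added example and not ArubaOS code or output: it implements only the any/host/network address forms, the any/tcp/udp/icmp services and the position extended action seen on this page, leaves out the alias rule of validuser because aliases are not modelled, and the flows it evaluates are constructed.

```python
# Model of ArubaOS session-ACL evaluation: rules are ordered, the first match ends
# evaluation, and an implicit deny-all closes the list.  Constructed example, not
# ArubaOS code; covers only the any/host/network, any/tcp/udp/icmp and 'position' forms.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    family: int          # 4 or 6; an 'ipv6' rule never matches IPv4 traffic
    src: object          # IPv4Network/IPv6Network, or None for 'any'
    dst: object
    proto: str           # 'any', 'tcp', 'udp' or 'icmp'
    port: Optional[int]  # destination port for tcp/udp, else None
    action: str          # 'permit' or 'deny'

def _parse_addr(tokens, family):
    # Consume one <source>/<dest> spec; return (network or None, remaining tokens).
    kind, rest = tokens[0], tokens[1:]
    if kind == "any":
        return None, rest
    if kind == "host":
        net, rest = ipaddress.ip_network(rest[0]), rest[1:]
    elif kind == "network" and "/" in rest[0]:          # prefix form, e.g. fc00::/7
        net, rest = ipaddress.ip_network(rest[0], strict=False), rest[1:]
    elif kind == "network":                             # IPv4 address + netmask form
        net, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
    else:
        raise ValueError(f"unsupported address spec: {kind}")
    if net.version != family:                           # IPv6 rules need the ipv6 keyword
        raise ValueError(f"IPv{net.version} address in an IPv{family} rule: {net}")
    return net, rest

def parse_rule(line):
    # Parse '[ipv6] <src> <dst> <service> permit|deny [position N]' -> (Rule, position|None).
    tokens = line.split()
    family, tokens = (6, tokens[1:]) if tokens[0] == "ipv6" else (4, tokens)
    src, tokens = _parse_addr(tokens, family)
    dst, tokens = _parse_addr(tokens, family)
    proto, tokens = tokens[0], tokens[1:]
    port = None
    if proto in ("tcp", "udp"):
        port, tokens = int(tokens[0]), tokens[1:]
    elif proto not in ("any", "icmp"):
        raise ValueError(f"unsupported service: {proto}")
    action, tokens = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported action: {action}")
    position = int(tokens[1]) if tokens[:1] == ["position"] else None
    return Rule(family, src, dst, proto, port, action), position

class SessionAcl:
    def __init__(self, name, lines=()):
        self.name, self.rules = name, []
        for line in lines:
            self.add(line)
    def add(self, line):
        rule, position = parse_rule(line)
        # 'position N' inserts at 1-based N (1 is first); the default is last
        self.rules.insert(len(self.rules) if position is None else position - 1, rule)
        return self
    def evaluate(self, src_ip, dst_ip, proto="any", dport=None):
        """(action, 0-based index of first match), or ('deny', None) for the implicit deny."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for i, r in enumerate(self.rules):
            if r.family != s.version:
                continue
            if (r.src is not None and s not in r.src) or (r.dst is not None and d not in r.dst):
                continue
            if r.proto != "any" and (r.proto != proto or r.port not in (None, dport)):
                continue
            return r.action, i
        return "deny", None

# The validuser ACL from this page, minus its alias rule (aliases are not modelled).
VALIDUSER = SessionAcl("validuser", [
    "network 127.0.0.0 255.0.0.0 any any deny",
    "network 169.254.0.0 255.255.0.0 any any deny",
    "network 224.0.0.0 240.0.0.0 any any deny",
    "host 255.255.255.255 any any deny",
    "network 240.0.0.0 240.0.0.0 any any deny",
    "any any any permit",
    "ipv6 host fe80:: any any deny",
    "ipv6 network fc00::/7 any any permit",
    "ipv6 network fe80::/64 any any permit",
    "ipv6 any any any permit",
])

def position_demo():
    # A permit appended after 'any any any deny' is unreachable; 'position 1' puts
    # a later-added rule ahead of the catch-all so it is evaluated first.
    acl = SessionAcl("control", ["any any any deny", "any any tcp 23 permit"])
    shadowed = acl.evaluate("10.0.0.1", "10.0.0.2", "tcp", 23)
    acl.add("any any tcp 22 permit position 1")
    return shadowed, acl.evaluate("10.0.0.1", "10.0.0.2", "tcp", 22)

def implicit_deny_demo():
    # No explicit rule matches tcp/80, so the implicit deny-all at the end applies.
    acl = SessionAcl("web", ["any any tcp 443 permit"])
    return acl.evaluate("10.0.0.1", "198.51.100.10", "tcp", 80)
```

The model returns the index of the rule that decided a flow, which is the same information the Priority column of show ip access-list gives; a flow that reports ("deny", None) was dropped by the implicit deny, not by any rule you wrote. Note that an IPv4 rule never matches IPv6 traffic (and vice versa), so the IPv4 "any any any permit" in validuser does not make the later ipv6 rules unreachable.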

The following example displays the use of source NAT to route the local traffic in the AP datapath in Split-Tunnel forwarding mode for IPv6 clients:

(host) [mynode] (config) #ip access-list session split

ipv6 any any svc-v6-dhcp permit

ipv6 any any svc-dns permit

ipv6 user network fe80::/16 any permit

ipv6 network fe::80/16 user any permit

ipv6 user any icmpv6 nb-adv permit

ipv6 user any icmpv6 nb-solicitation permit

ipv6 any user icmpv6 rtr-adv permit

ipv6 any user icmpv6 rtr-solicitation permit

ipv6 any any any route src-nat

Command History

Release

Modification

ArubaOS 8.4.0.0

The output is modified to display the use of source NAT in Split-Tunnel forwarding mode for IPv6 clients.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

Requires the PEFNG (Policy Enforcement Firewall) license.

Config mode on Mobility Master.
