Concept Guide

Parameter Description
tunnel forwarding mode and uses implied NAT pool.
src-nat: Performs source NAT on packets. Source IP changes to the outgoing interface
IP address (implied NAT pool) or from the pool configured (manual NAT pool). This
action functions in tunnel/decrypt-tunnel forwarding mode.
<extended action>
Optional action if rule is applied, which can be one of the following:
blacklist: blacklist user if ACL gets applied.
classify-media: Monitors user UDP packets to classify them as media and tag
accordingly.
NOTE: Use this parameter only for voice and video signaling and control sessions as it
causes deep packet inspection of all UDP packets from/to users.
disable-scanning: pause ARM scanning while traffic is present. Note that you must
enable “VoIP Aware Scanning” in the ARM profile for this feature to work.
dot1p-priority: specify 802.1p priority (0-7)
log: generate a log message
mirror: mirror all session packets to datapath or remote destination
If you configure the mirror option, define the destination to which mirrored packets are
sent in the firewall policy. For more information, see firewall on page 374.
next-hop-list: Route packet to the next hop in the list.
position: specify the position of the rule (1 is first, default is last)
queue: assign flow to priority queue (high/low)
send-deny-response: if <action> is deny, send an ICMP notification to the source
time-range: specify time range for this rule (configured with time-range command)
tos: specify ToS value (0-63)
no
Negates any configured parameter.
Usage Guidelines
Session ACLs define traffic and firewall policies on the controller. You can configure multiple rules for each
policy, with rules evaluated from top (1 is first) to bottom. The first match terminates further evaluation.
Generally, you should order more specific rules at the top of the list and place less specific rules at the bottom
of the list. The ACL ends with an implicit deny all. To configure IPv6 rules, use the ipv6 keyword followed by the
regular ACL keywords.
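The evaluation order described above (rules walked from position 1, first match terminates, implicit deny all at the end) is easy to get wrong when a broad rule is placed above a narrower one. The following Python model is an added example, not ArubaOS code: it evaluates a constructed session ACL the way the guidelines describe and flags rules that can never be hit because an earlier rule already covers them. It only models "any" and CIDR sources/destinations; ArubaOS aliases such as user or controller are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str             # "any" or a CIDR such as "10.1.0.0/16" (aliases like "user" not modelled)
    dst: str
    proto: str           # "any", "tcp", "udp" or "icmp"
    port: Optional[int]  # destination port; None means any port
    action: str          # "permit" or "deny"

def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def _addr_covers(broad: str, narrow: str) -> bool:
    # True when every address matched by `narrow` is also matched by `broad`
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return ip_network(narrow, strict=False).subnet_of(ip_network(broad, strict=False))

def evaluate(acl: list, pkt: dict):
    """Walk the ACL from position 1; the first matching rule terminates evaluation.
    Returns (position, action); (None, "deny") is the implicit deny all at the end."""
    for pos, r in enumerate(acl, start=1):
        if (_addr_matches(r.src, pkt["src"]) and _addr_matches(r.dst, pkt["dst"])
                and r.proto in ("any", pkt["proto"]) and r.port in (None, pkt["dport"])):
            return pos, r.action
    return None, "deny"

def shadowed_rules(acl: list) -> list:
    """Positions of rules that can never be hit because a single earlier rule already
    matches everything they would (pairwise check; a union of earlier rules is not detected)."""
    out = []
    for pos, r in enumerate(acl, start=1):
        for earlier in acl[:pos - 1]:
            if (_addr_covers(earlier.src, r.src) and _addr_covers(earlier.dst, r.dst)
                    and earlier.proto in ("any", r.proto) and earlier.port in (None, r.port)):
                out.append(pos)
                break
    return out

# Constructed sample ACL: rule 3 is more specific than rule 2 but sits below it,
# so the intended telnet deny for 10.1.2.0/24 is shadowed and never applied.
SAMPLE_ACL = [
    Rule("any", "10.0.0.0/8", "tcp", 22, "deny"),
    Rule("10.1.0.0/16", "any", "any", None, "permit"),
    Rule("10.1.2.0/24", "any", "tcp", 23, "deny"),
    Rule("any", "any", "udp", 53, "permit"),
]
```

Running `shadowed_rules(SAMPLE_ACL)` reports position 3; moving that rule above position 2 (the position extended action does this on the controller) makes the deny effective.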
Example
The following CLI configuration shows how pre-classification and post-classification occurs during
enforcement.
Each application has an implicit set of ports that are used for communication. In phase 1, if an application ACE
entry is hit, the traffic matching this application’s implicit port is allowed (as governed by the application ACE).
The DPI engine can monitor the exchange on these ports and determine the application. Once the application
is determined, phase 2 occurs when an evaluation is done to determine the final outcome for the session.
The following CLIconfiguration example is a user role with both the global and role session ACLs:
ip access-list session global-sacl
ip access-list session apprf-employee-sacl
Dell Networking W-Series ArubaOS 6.5.x | Reference Guide ip access-list session | 498