Alcatel-Lucent AOS-W 6.5.3.x

To Next Page

To Previous Page

398| Roles and Policies AOS-W 6.5.3.x| User Guide

To display the application ID, application name, and the ACL/ACE index information for a given session:

(host)(config) #how datapath session dpi

Configuring Policies for AppRF 2.0

Access control lists now contain new application and application category options that let you permit or deny

an application or application category on a given role. See the Dashboard Monitoring AppRF topic for details

about configuring policies from the Dashboard.

How ACL Works with AppRF

A session entry proceeds through two phases: the application detection phase (phase 1) and the post-

application detection phase (phase 2). A session ACL is applied in phase1 and in phase 2.

In phase1, if the session ACL lookup results in an L3/L4 ACE entry request, the traffic pertaining to the session

is guided by this L3/L4 ACE entry. However, if the session ACL lookup results in an application/application

category specific ACE entry, the enforcement is postponed until phase 2. Once the application is determined,

the session ACL is re-applied with "application/application category" information to determine the final action

on the traffic.

Global Session ACL

The Global Session ACL is used to configure ACL rules that span across or are common to all roles. They are

applied to all roles. The "global-sacl" rules take precedence over any other ACLs that may be in the user role.

A new session ACL has been added named "global-sacl." This session, by default, is in position one for every

user role configured on the switch. The global-sacl session ACL has the following properties:

n It cannot be deleted.

n It always remains at position one in every role and its position cannot be modified.

n It contains only application rules.

n It can be modified in the WebUI, CLI, and dashboard on a master switch.

n Any modifications to it results in the regeneration of ACE’s of all roles.

Role Default Session ACL

You can configure role-specific application configuration using the WebUI and dashboard. For example, you

can deny the facebook application on the guest role using the CLI or dashboard without having to change the

firewall configuration. This per-user role configuration from WebUI or Dashboard is placed in the Role Default

Session ACL.

A new role session ACL named apprf-“role-name”-sacl has been added. This session, by default, is in position

two for every user role configured on the switch.

The string "apprf" is added to the beginning and "sacl" to the end of a role’s name to form a switchunique name

for role default session ACL. This session ACL is in position two of the given user role after the global session

ACL and takes the next higher priority after global policy rules.

The predefined role session ACL has the following properties:

n It cannot be deleted through the WebUI or CLI. It is only deleted automatically when the corresponding role

is deleted.

n It always remains at position 2 in every role and its position cannot be modified.

n It contains only application rules.

n It can be modified using the WebUI, CLI, or dashboard on a master switch, however any modification results

in the regeneration of ACE’s for that role.

n It cannot be applied to any other role.

Alcatel-Lucent AOS-W 6.5.3.x - Page 398