
What is the "disable-auto-topology-rules" option in Aruba Instant?
Q:

What is the "disable-auto-topology-rules" option in Aruba Instant?



A:

By default, IAPs listened on all interfaces, including Wi-Fi interfaces, for PAPI messages. Previously, automatic firewall rules were added to permit PAPI, which would override any user-configured firewall rules that attempted to block PAPI.

From 4.1.3.x and 4.2.3.x, a new firewall configuration option has been added:

# firewall
(firewall)# disable-auto-topology-rules

When this option is enabled, the automatic firewall rules that permit PAPI will not be added. This allows an administrator to configure specific firewall rules for UDP 8209/8211 to control the source of PAPI messages. Aruba recommends limiting PAPI traffic to only IP subnets where other IAP cluster members reside.

These firewall rules need to be configured under security --> inbound-firewall. For example, if the IAP cluster resides in the 10.1.1.x subnet, we need the following rules:

inbound-firewall

rule 10.1.1.0 255.255.255.0 any any match udp 8209 8209 permit

rule 10.1.1.0 255.255.255.0 any any match udp 8211 8211 permit

rule any any any any match udp 8209 8209 deny

rule any any any any match udp 8211 8211 deny

 

Please note that the option to enable "disable-auto-topology-rules" is available only in the CLI.
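An added example, not part of the original article or of Aruba's tooling: a Python check that a saved configuration sets the option and that its inbound-firewall rules permit UDP 8209/8211 only from the cluster subnet. It assumes rules are evaluated top-down with the first match winning and that the configuration is available as text; `parse_rules`, `audit` and the sample configuration are constructed here.

```python
import ipaddress

PAPI_PORTS = (8209, 8211)  # UDP ports named in the article

# Constructed sample configuration, using the rule syntax shown above.
SAMPLE = """\
firewall
 disable-auto-topology-rules
inbound-firewall
 rule 10.1.1.0 255.255.255.0 any any match udp 8209 8209 permit
 rule 10.1.1.0 255.255.255.0 any any match udp 8211 8211 permit
 rule any any any any match udp 8209 8209 deny
 rule any any any any match udp 8211 8211 deny
"""

def parse_rules(config):
    """Return (source network or None for 'any', first port, last port, action) per UDP rule."""
    rules = []
    for line in config.splitlines():
        f = line.split()
        if len(f) != 10 or f[0] != "rule" or f[5:7] != ["match", "udp"]:
            continue
        src = None if f[1] == "any" else ipaddress.ip_network(f"{f[1]}/{f[2]}", strict=False)
        rules.append((src, int(f[7]), int(f[8]), f[9]))
    return rules

def audit(config, cluster_subnet):
    """List problems that would leave PAPI reachable from outside cluster_subnet."""
    findings = []
    if "disable-auto-topology-rules" not in config.split():
        findings.append("disable-auto-topology-rules not set")
    cluster = ipaddress.ip_network(cluster_subnet)
    for port in PAPI_PORTS:
        closed = False
        # Assumption: first match wins, so rules after an "any" source rule are shadowed.
        for src, lo, hi, action in parse_rules(config):
            if not lo <= port <= hi:
                continue
            if action == "permit" and (src is None or not src.subnet_of(cluster)):
                findings.append(f"udp {port} permitted from {'any' if src is None else src}")
            if src is None:
                closed = action == "deny"
                break
        if not closed:
            findings.append(f"no catch-all deny for udp {port}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "10.1.1.0/24") or "PAPI restricted to cluster subnet")
```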

 

Version History
Revision #: 2 of 2
Last update: 03-24-2017 07:41 PM