Security

Super Contributor I
Posts: 293
Registered: ‎02-07-2013

Can I apply firewall rules to an Ethernet port on an 800 controller?

Hi,

I'm running an 800 mobility controller at home with a couple of AP-125's.

Current setup has APs connected to an HP PoE switch (Gigabit ports) which also has the gigabit port from my 800 controller and a 100Mbit feed to my broadband router.

Given the fact that I can set up a role/policy/set of firewall rules for a user logging on via wireless, I was wondering if I might be able to move the broadband feed from the HP switch to one of the 100Mbit/s Ethernet ports on the 800 and apply firewall rules on the 800 to general traffic to/from the broadband router.

Rgds

Alex

MVP
Posts: 1,399
Registered: ‎05-28-2008

Re: Can I apply firewall rules to an Ethernet port on an 800 controller?

[ Edited ]

Hi,

:smileyhappy:

**IF U JUST WANT TO ENABLE FIREWALL ON PORT/VLAN  - JUST ADD ACL PROFILE to your VLAN/PORT**

 You can if you are using different vlans for each tunnel. You can apply the aaa profile right on the vlan itself.

[image: Untitled.png]

ANOTHER METHOD:

You can enable Wired port ACL profile and mark the port as untrusted. (IF U WANT TO AUTH USERS TRAFFIC VIA THIS PORT)

AAA USERS/DEVICES VIA WIRED PORT - the controller considers IP connections from "untrusted" ports to be defined by the configuration within the "aaa authentication wired" global controller context. Within it, you can select an AAA profile, which determines an initial role of inbound traffic/devices/users etc. That initial role is how IP connections from a device on an untrusted port are handled (much like the way an AAA profile applies to a VAP).

I.e. if you set up an appropriate role within an AAA profile, and put it in the "aaa authentication wired" context, you should get the result you want.

[image: 280x121.jpg]

Have a lovely day. :smileywink:

me

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Frequent Contributor II
Posts: 114
Registered: ‎12-02-2011

Re: Can I apply firewall rules to an Ethernet port on an 800 controller?

Yes, you can apply firewall policies to the network interfaces (physical or VLAN). You can do this in the GUI at the Configuration/Network/Ports menu.

Create your firewall policies first and simply apply them to the interface, and it should do the job.

MVP
Posts: 1,399
Registered: ‎05-28-2008

Re: Can I apply firewall rules to an Ethernet port on an 800 controller?

[ Edited ]

zshusveti IS RIGHT! :smileyhappy:

Frequent Contributor II
Posts: 114
Registered: ‎12-02-2011

Re: Can I apply firewall rules to an Ethernet port on an 800 controller?


kdisc98 wrote:

Hi,

:smileyhappy:

You can enable Wired port ACL profile and mark the port as untrusted.

Assuming your software level isn't too old, the controller considers IP connections from "untrusted" ports to be defined by the configuration within the "aaa authentication wired" global controller context. Within it, you can select an AAA profile, which determines an initial role of inbound traffic/devices/users etc. That initial role is how IP connections from a device on an untrusted port are handled (much like the way an AAA profile applies to a VAP).

I.e. if you set up an appropriate role within an AAA profile, and put it in the "aaa authentication wired" context, you should get the result you want.

ALSO:

You can if you are using different vlans for each tunnel. You can apply the aaa profile right on the vlan itself. For this to go into effect you will need to have the tunnel in your dmz set to the untrusted port.

vlan 192 wired aaa-profile "guest-wired-profile"

Have a lovely day. :smileywink:

me

Are you sure that it is needed to make the port untrusted? As far as I know it is only needed if you want authentication on the interface, hence the need for the AAA profile.

If you simply add firewall policy to the interface then authentication is not needed and the traffic will be filtered.

MVP
Posts: 1,399
Registered: ‎05-28-2008

Re: Can I apply firewall rules to an Ethernet port on an 800 controller?

You're right. :smileywink:

It depends on what he is trying to achieve; I gave him the two possibilities.

Knowledge/info/tips give us the ability to improve our deployments and offer more to our clients.

Me

Super Contributor I
Posts: 293
Registered: ‎02-07-2013

Re: Can I apply firewall rules to an Ethernet port on an 800 controller?

Many thanks for the replies. I'll have a play tonight when I get home

Rgds

Alex

BTW, running 5.0.4.11, which AFAIK is the latest ArubaOS for the 800.

MVP
Posts: 1,399
Registered: ‎05-28-2008

Re: Can I apply firewall rules to an Ethernet port on an 800 controller?

Our mission is to help whoever needs it :smileywink: Update us if it worked for you, or if more info is needed.

Super Contributor I
Posts: 293
Registered: ‎02-07-2013

Re: Can I apply firewall rules to an Ethernet port on an 800 controller?

Many thanks for the suggestions. I only want to apply ACLs to the port, as it's a feed to my broadband router, so I don't need to do any authentication (at present).

Rgds

Alex

Super Contributor II
Posts: 354
Registered: ‎09-26-2012

Re: Can I apply firewall rules to an Ethernet port on an 800 controller?

As per your attached screenshot, the ACL policy is applied to the port no matter whether the port is marked as trusted or untrusted.
As in the screenshot, the port is marked as trusted and you also applied an ACL policy to that port.
Thanks & Regards
Syed Murad Ali
ACMP ACMA CCNA
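The two approaches discussed in this thread, written out as an ArubaOS CLI fragment. This is an added example, not configuration posted by anyone in the thread or taken from Aruba documentation; the interface name (fastethernet 1/1), the ACL name, the LAN address range and the permitted services are assumptions chosen for illustration, so check them against your own controller's port numbering and addressing.

```text
! Added example (not from the thread). Interface name, ACL name, LAN range
! and the services allowed are assumptions; adjust them to your own network.
!
! 1. Define a session (stateful) ACL. Each rule reads:
!    <source> <destination> <service> <action>
!    Return traffic for permitted sessions is allowed by the firewall state,
!    so only the outbound direction needs explicit permit rules.
ip access-list session home-to-broadband
  network 192.168.1.0 255.255.255.0 any svc-dns permit
  network 192.168.1.0 255.255.255.0 any svc-http permit
  network 192.168.1.0 255.255.255.0 any svc-https permit
  any any any deny log
!
! 2. Method A (what the original poster asked for): apply the ACL directly
!    to the port feeding the broadband router. The port stays trusted, so no
!    wired AAA profile or user role is involved; the ACL alone filters traffic.
interface fastethernet 1/1
  description "feed to broadband router"
  ip access-group home-to-broadband session
  trusted
!
! 3. Method B (only if per-device roles or authentication are wanted): mark
!    the port untrusted, so connections arriving on it are placed in the
!    initial role of the AAA profile bound under "aaa authentication wired"
!    (or per VLAN, as in the thread's "vlan 192 wired aaa-profile ..." line).
aaa authentication wired
  profile "guest-wired-profile"
interface fastethernet 1/1
  no trusted
```

The final `any any any deny log` rule makes anything outside the allowed services visible in the controller's log, which is the quickest way to confirm the ACL is actually bound to the port and evaluating traffic. Method A is the lighter option for a router uplink: keeping the port trusted avoids creating a wired user entry for the router, while the session ACL still filters in both directions.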