Wireless Access

Frequent Contributor I

AP Management lockdown

We have 4 subnets that we use for AP Management (4 core Cisco routers, each with several buildings/APs hanging off it). I would like to lock the subnets down so that even if a student decides to unplug the patch cord from an AP and plug in their laptop, they would not be able to go anywhere. So I crafted this ACL (below). The problem I have is that it does not allow APs to get a DHCP address; however, the laptops can. Our APs get DHCP by DNSing aruba-master, so I allowed DNS and DHCP in the first 2 lines. This ACL is blocking outgoing traffic from the APs' point of view and is placed on the subnet interface on the router:
ip access-list extended wireless-AP_Mngmnt-lockdown-UTS
 remark DNS lookup to find the controller
 permit udp any eq domain any eq domain
 remark DHCP request
 permit udp any eq bootpc any eq bootps
 remark controllers
 permit ip any host 130.253.21.25
 permit ip any host 130.253.21.26
 permit ip any host 130.253.21.27
 remark Cisco Works, we have some switches on this subnet
 permit ip any host 130.253.253.100
 remark ping APs from our network
 permit icmp any 130.253.0.0 0.0.255.255
 deny ip any any

Any ideas? Do the APs do anything “funny” when requesting DHCP?

Thanks!
Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
Frequent Contributor I

Re: AP Management lockdown

I added a line for broadcasts and now the AP is getting an address. But it seems it can't form the GRE tunnel to the controller, so I allowed GRE on the ACL. It still can't talk to the controller:
ip access-list extended wireless-AP_Mngmnt-lockdown-UTS
permit ip any 255.255.255.255 0.0.0.0
permit gre any any
permit udp any eq domain any eq domain
permit udp any eq bootpc any eq bootps
permit ip any host 130.253.21.25
permit ip any host 130.253.21.26
permit ip any host 130.253.21.27
permit ip any host 130.253.253.100
permit icmp any 130.253.0.0 0.0.255.255
deny ip any any
Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
Frequent Contributor I

Re: AP Management lockdown

OK, I have it working this way. I had to open all UDP ports, because looking at the datapath session table it was picking some random (non-well-known) ports once in a while; table below. So this is what my ACL looks like. Not 100% bulletproof, but good enough for the casual student deciding to try to connect his computer to an AP port/patch cord:
ip access-list extended wireless-AP_Mngmnt-lockdown-UTS
permit udp any any
permit gre any host 130.253.21.25
permit gre any host 130.253.21.26
permit gre any host 130.253.21.27
permit ip any host 130.253.253.100
permit icmp any 130.253.0.0 0.0.255.255
deny ip any any

-------------------


(Aruba6000-UTS-master) #show datapath session table 130.253.90.146

Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
D - deny, R - redirect, Y - no syn
H - high prio, P - set prio, T - set ToS
C - client, M - mirror, V - VOIP
I - Deep inspect, U - Locally destined

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Flags
-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- -----
130.253.90.146 130.253.21.26 17 8211 8211 0 0 0 0 local 7 F
0 0 0 1 local FY
130.253.90.146 130.253.21.25 17 8211 8211 0 0 0 0 tunnel 8 7 FC
0 0 0 1 tunnel 8 FYC
130.253.90.146 130.253.21.26 17 2049 123 0 0 0 1 local c FY
0 0 0 1 local FY
130.253.90.146 130.253.21.25 17 2049 123 0 0 0 1 tunnel 8 c FC
0 0 0 1 tunnel 8 FYC
130.253.90.146 130.253.21.25 17 2049 514 0 0 0 1 tunnel 8 b FC
0 0 0 1 tunnel 8 FYC
130.253.90.146 130.253.21.25 47 0 0 0 0 0 0 tunnel 8 4 FC
0 0 0 0 tunnel 8 FC
130.253.21.26 130.253.90.146 17 51959 2 0 0 0 1 local 7 FC
0 0 0 0 local FC
130.253.21.26 130.253.90.146 17 8211 8211 0 0 0 0 local 7 FC
0 0 0 1 local FYC
130.253.21.25 130.253.90.146 17 8211 8211 0 0 0 0 tunnel 8 7 FY
0 0 0 1 tunnel 8 FY
130.253.21.25 130.253.90.146 47 0 0 0 0 0 0 tunnel 8 4 F
0 0 0 0 tunnel 8 F
130.253.21.25 130.253.90.146 17 123 2049 0 0 0 0 tunnel 8 c FY
0 0 0 1 tunnel 8 FY
130.253.21.26 130.253.90.146 17 123 2049 0 0 0 0 local c FC
0 0 0 1 local FYC
130.253.21.25 130.253.90.146 17 514 2049 0 0 0 0 tunnel 8 b FY
0 0 0 1 tunnel 8 FY
Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
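To see concretely what each version of the ACL in this thread lets through, here is a small first-match evaluator for Cisco-style extended ACL entries, run against flows taken from the datapath session table above (PAPI on UDP 8211, NTP and syslog from source port 2049, GRE 47 to the controllers). This is an added example, not the poster's configuration or Aruba/Cisco code: the DHCP discover and the DNS query from an ephemeral port are constructed from standard protocol behaviour, the laptop address 130.253.90.200 and the outside hosts 192.0.2.x are constructed placeholders, and only contiguous wildcard masks are supported.

```python
"""Added example: evaluate the thread's extended ACLs against sample flows.
Not the poster's or any vendor's code; sample flows are constructed."""
import ipaddress
from dataclasses import dataclass

PROTO_NUM = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}
PORT_NAME = {"domain": 53, "bootps": 67, "bootpc": 68}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0


def _addr(tokens):
    """Parse 'any' | 'host A' | 'A WILDCARD' (contiguous wildcards only)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    hostmask = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(~hostmask & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def _port(tokens):
    """Parse an optional 'eq PORT' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAME[name] if name in PORT_NAME else int(name)), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Return a list of (action, proto, src_net, sport, dst_net, dport)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] in ("ip", "remark", "!"):
            continue  # skip the 'ip access-list' header and comments
        action, proto = t[0], PROTO_NUM[t[1]]
        src, rest = _addr(t[2:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def evaluate(aces, flow):
    """First matching entry wins; an implicit deny applies at the end."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for action, proto, s_net, sport, d_net, dport in aces:
        if proto is not None and proto != flow.proto:
            continue
        if src not in s_net or dst not in d_net:
            continue
        if sport is not None and sport != flow.sport:
            continue
        if dport is not None and dport != flow.dport:
            continue
        return action
    return "deny"


def report(acl_text, flows):
    aces = parse_acl(acl_text)
    return {name: evaluate(aces, f) for name, f in flows.items()}


ACL_V1 = """
ip access-list extended wireless-AP_Mngmnt-lockdown-UTS
 permit udp any eq domain any eq domain
 permit udp any eq bootpc any eq bootps
 permit ip any host 130.253.21.25
 permit ip any host 130.253.21.26
 permit ip any host 130.253.21.27
 permit ip any host 130.253.253.100
 permit icmp any 130.253.0.0 0.0.255.255
 deny ip any any
"""
ACL_V3 = """
ip access-list extended wireless-AP_Mngmnt-lockdown-UTS
 permit udp any any
 permit gre any host 130.253.21.25
 permit gre any host 130.253.21.26
 permit gre any host 130.253.21.27
 permit ip any host 130.253.253.100
 permit icmp any 130.253.0.0 0.0.255.255
 deny ip any any
"""

AP = "130.253.90.146"           # the AP from the session table above
LAPTOP = "130.253.90.200"       # constructed: a laptop plugged into the AP port
AP_FLOWS = {
    "dhcp discover": Flow("0.0.0.0", "255.255.255.255", 17, 68, 67),  # constructed
    "dns query from ephemeral port": Flow(AP, "192.0.2.53", 17, 40000, 53),  # constructed
    "papi 8211 to controller": Flow(AP, "130.253.21.26", 17, 8211, 8211),
    "ntp to controller": Flow(AP, "130.253.21.26", 17, 2049, 123),
    "syslog to controller": Flow(AP, "130.253.21.25", 17, 2049, 514),
    "gre tunnel to controller": Flow(AP, "130.253.21.25", 47),
}
LAPTOP_FLOWS = {  # constructed: what the residual exposure looks like
    "udp 53 to outside host": Flow(LAPTOP, "192.0.2.53", 17, 40001, 53),
    "tcp 443 to outside host": Flow(LAPTOP, "192.0.2.10", 6, 40002, 443),
    "icmp to campus": Flow(LAPTOP, "130.253.1.1", 1),
}

if __name__ == "__main__":
    for label, acl, flows in (("v1 / AP", ACL_V1, AP_FLOWS), ("v3 / AP", ACL_V3, AP_FLOWS),
                              ("v3 / laptop", ACL_V3, LAPTOP_FLOWS)):
        print(label, report(acl, flows))
```

Two things the run makes visible: the first ACL's DNS entry matches only when the source port is also 53, so a resolver query from an ephemeral port falls through to the deny, and the final ACL's `permit udp any any` is the entry that leaves any UDP destination reachable from a laptop on the AP port, which is the "not 100% bulletproof" part of the poster's own assessment.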
Guru Elite

Firewall elements to open

Appendix B (page 591) of the ArubaOS 3.4 user guide has all the protocols you would need to open.


Colin Joseph
Aruba Customer Engineering
