Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Eliminating Chatty protocols

  • 1.  Eliminating Chatty protocols

    Posted Oct 31, 2012 12:07 AM

    When you want to eliminate chatty protocols, is it recommended to apply this on the ROLES you are using, and ALSO on the ports on my controller?

    For example, for my ROLES I would do this:

    I'm building a firewall policy called Chatty protocols with these parameters:

    for deny_mDNS
    any any udp 5353 deny

    for deny_SSDP_and_UPnP_acl
    any host 239.255.255.250 any deny
    any host 239.255.255.253 any deny

    for deny_netbios_acl
    ip access-list session deny_netbios_acl
    any any udp 137 deny
    any any udp 138 deny

    for deny_client_acting_as_server_acl
    ip access-list session deny_client_acting_as_server_acl
    user any udp 68 deny

    So the firewall rule named Deny Chatty protocols would be like this:

    any any udp 5353 deny

    any host 239.255.255.250 any deny
    any host 239.255.255.253 any deny

    any any udp 137 deny
    any any udp 138 deny

    user any udp 68 deny


    So my roles would be something like this:

    Role name: Aruba Users

    Inside that, firewall policies:

    1- Deny Chatty protocols

    2- Normal User ACLs

    I normally just had one firewall policy, which was the user ACL, for example where he was able to reach the internal network and that kind of stuff... but I wanted to also add the part of eliminating the chatty protocols...

    Now for the ports in my Wireless controller I would use a similar firewall policy; let's say I named it blocked chattyprotocols.

    For the wired part it would be like this:

    any any udp 5353 deny

    any host 239.255.255.250 any deny
    any host 239.255.255.253 any deny

    any any udp 137 deny
    any any udp 138 deny

    user any udp 68 deny

    user any any permit

    I just want to know if I'm doing it right. Is the way I'm doing it correct?

    Cheers

    Carlos
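    Added example (my own code, not from this post or from ArubaOS): a small Python model of first-match session ACL evaluation for the Deny Chatty protocols rule set above, with the trailing `user any any permit` of the wired variant, run over constructed sample flows. It is stateless, whereas the ArubaOS session firewall is stateful and allows replies to permitted sessions, so it only shows which client-originated flows the ordered rules catch.

```python
# Added example (not from the thread or from ArubaOS): a stateless model of
# first-match session ACL evaluation for the 'Deny Chatty protocols' policy
# above plus the trailing 'user any any permit'. The flows are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str             # "any", "user" (the client itself), or "host:<ip>"
    dst: str
    proto: str           # "any", "udp", "tcp", ...
    dport: Optional[int] # None = any destination port
    action: str          # "deny" or "permit"

def parse_rule(line: str) -> Rule:
    """Parse one line such as 'any host 239.255.255.250 any deny'."""
    tok = line.split()
    src = tok.pop(0)
    dst = "host:" + tok.pop(1) if tok[0] == "host" else tok[0]
    tok.pop(0)  # drop the 'host' keyword or the plain destination token
    proto = tok.pop(0)
    dport = None if tok[0] in ("deny", "permit") else int(tok.pop(0))
    return Rule(src, dst, proto, dport, tok.pop(0))

POLICY = [parse_rule(l) for l in """
any any udp 5353 deny
any host 239.255.255.250 any deny
any host 239.255.255.253 any deny
any any udp 137 deny
any any udp 138 deny
user any udp 68 deny
user any any permit
""".splitlines() if l.strip()]

def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; no match falls through to the implicit deny."""
    for r in POLICY:
        if (r.src in ("any", src) and r.dst in ("any", "host:" + dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "deny"

if __name__ == "__main__":
    for f in [("user", "224.0.0.251", "udp", 5353),      # mDNS
              ("user", "239.255.255.250", "udp", 1900),  # SSDP
              ("user", "10.0.0.7", "udp", 68),           # client answering as a DHCP server
              ("user", "255.255.255.255", "udp", 67),    # normal DHCP request
              ("user", "10.0.0.20", "tcp", 443)]:        # ordinary HTTPS
        print(f, "->", evaluate(*f))
```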



  • 2.  RE: Eliminating Chatty protocols

    EMPLOYEE
    Posted Nov 02, 2012 12:25 PM

    I think you are doing it right, and you are definitely on the right track. There are really two separate ACLs, which can be summarized as "User --> LAN" and "LAN --> User", and they won't always be mirrors of each other and won't always match. The real trick, and something for which, try as I might, I can never keep a unified list, is what each site/network admin considers 'chatty'. It's a very iterative process, but I consider your approach sound, as you will invariably make changes over time as stuff breaks :)



  • 3.  RE: Eliminating Chatty protocols

    Posted Nov 02, 2012 12:29 PM

    Thanks man, I'm trying to implement all Aruba recommendations... I don't have them all right now, but in the future I want to implement a WLAN network with ALL Aruba recommendations.

    Thanks for answering!