Wireless Access

MVP
Posts: 2,958
Registered: ‎10-25-2011

Eliminating Chatty protocols


When you want to eliminate chatty protocols, is it recommended to apply this on the ROLES you are using, and ALSO on the ports on my controller?

For example, for my ROLES I would do this:

I'm building a firewall policy called Chatty protocols with these parameters:

for deny_mDNS
ip access-list session deny_mDNS
any any udp 5353 deny

for deny_SSDP_and_UPnP_acl
ip access-list session deny_SSDP_and_UPnP_acl
any host 239.255.255.250 any deny
any host 239.255.255.253 any deny

for deny_netbios_acl
ip access-list session deny_netbios_acl
any any udp 137 deny
any any udp 138 deny

for deny_client_acting_as_server_acl
ip access-list session deny_client_acting_as_server_acl
user any udp 68 deny

So the firewall rule named Deny Chatty protocols would be like this:

any any udp 5353 deny

any host 239.255.255.250 any deny
any host 239.255.255.253 any deny

any any udp 137 deny
any any udp 138 deny

user any udp 68 deny

So on my roles it would be something like this:

Role name: Aruba Users

Inside that:

Firewall policies:

1-Deny Chatty protocols

2-Normal User ACLs

I normally just had one firewall policy, which was the user ACL, for example where he was able to reach the internal network and that kind of stuff... but I wanted to also add the part of eliminating the chatty protocols...

Now for the ports in my wireless controller I would use a similar firewall policy; let's say I named it blocked chattyprotocols.


For the wired part it would be like this:


any any udp 5353 deny

any host 239.255.255.250 any deny
any host 239.255.255.253 any deny

any any udp 137 deny
any any udp 138 deny

user any udp 68 deny

user any any permit

I just want to know if I'm doing it right; is the way I'm doing it correct?

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
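To see why the "Deny Chatty protocols" policy has to sit before the normal user permit in the role, here is an added example (not part of the original post and not ArubaOS code): a small Python model that parses the posted rule lines and evaluates sample flows first-match. It assumes a simplified stateless model with an implicit final deny, which is only an approximation of the controller's stateful session firewall.

```python
# Added example: a simplified first-match model of the posted session ACL.
# Assumptions (not ArubaOS behaviour): stateless matching, implicit final deny.

def parse_rule(line):
    """Parse one rule of the form <src> <dst> <service> <action>."""
    tokens = line.split()
    src = tokens.pop(0)                          # "any" or "user"
    if tokens[0] == "host":                      # "host <ip>"
        tokens.pop(0)
        dst = tokens.pop(0)
    else:
        dst = tokens.pop(0)                      # "any"
    if tokens[0] in ("udp", "tcp"):              # "udp <port>" / "tcp <port>"
        proto = tokens.pop(0)
        port = int(tokens.pop(0))
    else:
        tokens.pop(0)                            # "any" service
        proto, port = "any", None
    return (src, dst, proto, port, tokens.pop(0))

def matches(rule, from_user, dst_ip, proto, dport):
    src, dst, rproto, rport, _ = rule
    if src == "user" and not from_user:          # "user" = the authenticated client
        return False
    if dst != "any" and dst != dst_ip:
        return False
    if rproto != "any" and (rproto != proto or rport != dport):
        return False
    return True

def evaluate(rules, from_user, dst_ip, proto, dport):
    """First matching rule decides; no match falls through to deny."""
    for rule in rules:
        if matches(rule, from_user, dst_ip, proto, dport):
            return rule[4]
    return "deny"

# The combined "Deny Chatty protocols" rules followed by the normal user permit.
POLICY = [parse_rule(l) for l in """
any any udp 5353 deny
any host 239.255.255.250 any deny
any host 239.255.255.253 any deny
any any udp 137 deny
any any udp 138 deny
user any udp 68 deny
user any any permit
""".strip().splitlines()]
```

Evaluating a constructed mDNS flow from a user against POLICY returns "deny", while the same flow against POLICY reversed (permit first) returns "permit": the order of the policies inside the role is what makes the chatty-protocol denies effective.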
MVP
Posts: 1,302
Registered: ‎11-07-2008

Re: Eliminating Chatty protocols

I think you are doing it right, and you are definitely on the right track. There are really two separate ACLs, and they can be summarized as "User --> LAN" and also "LAN --> User"; they won't always be mirrors of each other and won't always match. The real trick, and it is something for which, try as I might, I can never keep a unified list, is what each site/network admin considers 'chatty'. It's a very iterative process, but I consider your approach sound, as you will invariably make changes over time as stuff breaks :)

Jerrod Howard
Sr. Technical Marketing Engineer
MVP
Posts: 2,958
Registered: ‎10-25-2011

Re: Eliminating Chatty protocols

Thanks man, I'm trying to implement all Aruba recommendations... I don't have them all right now, but in the future I want to implement a WLAN network with ALL Aruba recommendations.

Thanks for answering!

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp