Wireless Access

Reply
Occasional Contributor II

Firewalls between devices (directionality of traffic)

I need to put a controller in a DMZ with a firewall separating it from the master as well as Clearpass.

All the documents I see have no directionality of traffic.  They say "between controllers" or "between controller and Clearpass".

In my world, firewall rules (and approvers) operate with a source and destination.

 

Does anyone have any information on the directionality?

 

http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/Firewall_Port_Info.php

Guru Elite

Re: Firewalls between devices (directionality of traffic)

This is from what I currently know so it is far from official:

 

Communication Between Aruba Devices
This section describes the network ports that need to be configured on the firewall to allow proper operation of the Aruba network.

 

Between any two controllers (all of these should be bidirectional, because they could be initiated by either controller):

IPsec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local controlleris encapsulated in IPsec .

IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.

GRE (protocol 47) if tunneling guest traffic over GRE to DMZ controller.

IKE (UDP 500).

ESP (protocol 50).

NAT-T (UDP 4500).

 

Between an AP and the master controller (all of these are from the AP to the controller except PAPI which is bidirectional):

PAPI (UDP port 8211).If the AP uses DNS to discover the LMS controller, the AP first attempts to connect to the master controller. (Also allow DNS (UDP port 53) traffic from the AP to the DNS server.)

PAPI (UDP port 8211). All APs running as Air Monitors (AMs) require a permanent PAPI connection to the master controller.

From an AP to the LMS controller:

FTP (TCP port 21).

TFTP (UDP port 69) for AP-52. For all other APs, if there is no local image on the AP (for example, a brand new AP) the AP will use TFTP to retrieve the initial image.

NTP (UDP port 123).

SYSLOG (UDP port 514).

PAPI (UDP port 8211).

GRE (protocol 47).

 

Between a Remote AP (IPsec) and a controller:

NAT-T (UDP port 4500).  - Bidirectional

TFTP (UDP port 69)        - AP To Controller

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: