Wireless Access

Frequent Contributor I
Posts: 68
Registered: ‎05-16-2012

Necessary firewall rules between Access Point and Controller with directions

Hi Airheads experts,

 

Please help me to clear up this topic. I need the exact firewall rules with directions between the APs and the controller. I searched in Airheads, the user guide and the hardening guide as well, but there is only a list of ports. I need it in the following form. For example:

src: AP dst: controller service: DHCP

src: AP dst: controller service: PAPI

src: AP dst: controller service: FTP, TFTP

src: AP dst: controller service: GRE

src: AP dst: controller service: udp 4500

or some policy in both directions, etc.

 

Thank you in advance for your reply!

Zs

MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: Necessary firewall rules between Access Point and Controller with directions

Where are you applying this ACL? On the controller itself or on your firewall ?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 68
Registered: ‎05-16-2012

Re: Necessary firewall rules between Access Point and Controller with directions

On the firewall.

MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: Necessary firewall rules between Access Point and Controller with directions

In that case I suggest you post the question in your firewall vendor's forum to get exact command syntax to implement what you are trying to do.

This can also be implemented on the Aruba controller firewall if you need to. If you decide to use the controller firewall, we can provide you the commands to allow those ports.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 68
Registered: ‎05-16-2012

Re: Necessary firewall rules between Access Point and Controller with directions

Hi Victor,

I need the exact firewall rules in general schematic form. I am familiar with firewalls, thus I will know the CLI.

So who starts the communication is important in a stateful operation. In the ClearPass or AirWave guides there is a gorgeous table (please see the attached file) and I need one like that, and I think this is very useful for others as well (the ports are documented but the directions aren't). So if someone can give me the following form I will be grateful.

source: destination: service:

MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: Necessary firewall rules between Access Point and Controller with directions

Ohh I see, I think I misunderstood your initial request.

Here you go:
http://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/Firewall_Port_Info.php
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 68
Registered: ‎05-16-2012

Re: Necessary firewall rules between Access Point and Controller with directions

Thank you Victor!

If I see it right, the following ports and directions have to be set up on the firewall for the connection to work. And it can be said that all of the following connections are initiated from the AP itself.

Please correct it if it is wrong.

 

source: AP, destination: controller, service: DHCP

source: AP, destination: controller, service: PAPI

source: AP, destination: controller, service: FTP, TFTP

source: AP, destination: controller, service: GRE

source: AP, destination: controller, service: udp 4500

source: AP, destination: controller, service: NTP

source: AP, destination: controller, service: SYSLOG

 

If I turn on CPSec, do I need to allow NTP and syslog traffic, or do those go through the IPsec tunnel as well as the others?

 

Thank you!

Zs

MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: Necessary firewall rules between Access Point and Controller with directions

That's correct
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor I
Posts: 68
Registered: ‎05-16-2012

Re: Necessary firewall rules between Access Point and Controller with directions

Thank you for your help and work!

 

Br.,

Zs

Contributor I
Posts: 34
Registered: ‎09-17-2014

Re: Necessary firewall rules between Access Point and Controller with directions

Will this work if a filter is applied on the switch port to which the AP connects?

 

So for example, if an AP is connected to a Juniper switch (EX4300) and I apply a filter to only allow the required ports/protocols for communication between AP and controllers (master and LMS) will that work?

 

Does the communication require a stateful connection? I will post the switch config momentarily.

 

Thanks,

hlavender
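To make the "who initiates" point concrete for both the AP-to-controller rule table posted above and the question about a stateless switch-port filter, here is an added example, not code from the thread or from Aruba. It models the thread's one-direction table and shows why a stateless filter needs an explicit reverse entry per service, while a stateful filter only needs the AP-to-controller rules. The addresses are constructed, and the port numbers are the standard IANA assignments except PAPI, whose UDP port 8211 is assumed here because the thread does not state it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses for this example (not from the thread).
AP_SUBNET = "10.10.1.0/24"
CONTROLLER = "10.10.0.1/32"

# Service name -> (IP protocol, destination port). Standard IANA ports, except
# PAPI: UDP 8211 is an assumption, the thread gives no number for it.
SERVICES = {
    "DHCP": ("udp", 67),
    "PAPI": ("udp", 8211),
    "FTP": ("tcp", 21),
    "TFTP": ("udp", 69),
    "GRE": ("gre", None),      # IP protocol 47, no ports
    "UDP4500": ("udp", 4500),  # IPsec NAT-T used when CPSec is on
    "NTP": ("udp", 123),
    "SYSLOG": ("udp", 514),
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None  # match on destination port
    sport: Optional[int] = None  # match on source port (reverse entries only)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def ap_to_controller_rules():
    """The thread's table: every session is initiated by the AP."""
    return [Rule(AP_SUBNET, CONTROLLER, proto, dport)
            for proto, dport in SERVICES.values()]


def stateless_acl(rules):
    """What a stateless switch filter needs: each forward rule plus a reverse
    entry (controller -> AP, matched on source port) so replies get through."""
    acl = []
    for r in rules:
        acl.append(r)
        acl.append(Rule(r.dst, r.src, r.proto, dport=None, sport=r.dport))
    return acl


def _matches(rule, pkt):
    def in_net(ip, net):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    return (in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)
            and pkt.proto == rule.proto
            and (rule.dport is None or pkt.dport == rule.dport)
            and (rule.sport is None or pkt.sport == rule.sport))


def stateless_permits(acl, pkt):
    """Stateless evaluation: the packet must match some entry on its own."""
    return any(_matches(r, pkt) for r in acl)


class StatefulFilter:
    """Stateful evaluation: only AP-initiated flows are in the rule set;
    replies are allowed because a matching session was seen first."""

    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()

    def permits(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.sessions:      # reply to an established session
            return True
        if any(_matches(r, pkt) for r in self.rules):
            self.sessions.add(key)        # remember the AP-initiated flow
            return True
        return False
```

The stateless reverse entries accept any controller-to-AP packet whose source port equals the service port, which is a much looser match than the stateful session lookup; that is the practical cost of putting the filter on a switch port instead of a stateful firewall.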
