@baboyero wrote:
Hello,
I have a controller that is trunked to a layer 3 switch. I would like to do the following:
1. Limit access to the web console to a specific wired subnet only, using the firewall on the controller. How can I do this?
a) port-based firewall?
b) VLAN-based firewall?
What are the advantages and disadvantages of each? Or which one would work better?
2. Assume that there will be an entirely separate management network, and that my controller does not have a management interface, so I set one regular controller port as a management port, assign it to a mgmt VLAN, and set an IP on this VLAN. How can I do the following:
a) make sure that the non-management ports cannot be accessed via SSH or the web console
b) make sure that there is no route between the mgmt VLAN and the regular VLAN
Thanks.
1. Try the solution here: http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Disabling-HTTP-fromt-he-administration/m-p/113953/highlight/true#M24406
(a) Port-Based Firewall
2. Use the suggestion in 1. Put (no ip routing) on any IP VLAN interfaces that you don't want to route.
3. Remember to add an (allow all) at the end of your ACLs to permit any other traffic besides what you are blocking.
4. Test on a lab controller to make sure it does what you want
5. There is a service ACL feature in ArubaOS 6.3, but it would take some practice to use properly. The syntax is different from the typical Aruba firewall policies. I would play with it in the lab to get the hang of it first.
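As an added illustration of the port-based approach in the reply above (this is not config from the thread or from Aruba; the ACL name, the 10.10.10.0/24 management subnet, the 10.10.10.1 controller IP, the port number and the VLAN ID are all assumed placeholders), a session ACL that permits HTTPS and SSH to the controller only from the management subnet, denies them to the controller from anywhere else, ends with the allow-all from point 3, is applied as a port ACL on the trunk to the L3 switch, and leaves the management VLAN unrouted:

```text
! Session ACL restricting management protocols to the controller.
! 10.10.10.0/24 = assumed wired mgmt subnet; 10.10.10.1 = assumed controller IP.
ip access-list session restrict-mgmt
  network 10.10.10.0 255.255.255.0 host 10.10.10.1 svc-https permit
  network 10.10.10.0 255.255.255.0 host 10.10.10.1 svc-ssh permit
  any host 10.10.10.1 svc-https deny
  any host 10.10.10.1 svc-ssh deny
  ! allow-all at the end so everything else still passes (point 3 above)
  any any any permit
!
! Port-based application on the trunk to the layer 3 switch (port is assumed).
! Apply the same ACL to every non-management port that should not reach the console.
interface gigabitethernet 1/0
  ip access-group restrict-mgmt session
!
! Management VLAN (ID assumed): do not route it to the user VLANs (point 2 above).
interface vlan 100
  no ip routing
```

Rules are matched top to bottom, so the two deny lines only affect traffic aimed at the controller itself and do not block users' ordinary HTTPS or SSH to other hosts; verify on a lab controller, as point 4 advises, before applying to production.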