Contributor II
Posts: 72
Registered: ‎05-22-2011

Securing Controller Ports

Hello,

I have a controller that is trunked to a layer 3 switch. I would like to do the following:

1. Limit access to the web console to one specific wired subnet only, using the controller's firewall. How can I do this?

a) port-based firewall?

b) VLAN-based firewall?

What are the advantages and disadvantages of each? Or which one would work better?

2. Assuming that there will be an entirely separate management network, and if my controller does not have a management interface, and if I set one regular controller port as a management port, assign it to a mgmt VLAN and set an IP on this VLAN, how can I do the following:

a) make sure that the non-management ports cannot be accessed for SSH or the web console

b) make sure that there is no route between the mgmt VLAN and the regular VLAN

Thanks.

Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Securing Controller Ports


baboyero wrote:

Hello,

I have a controller that is trunked to a layer 3 switch. I would like to do the following:

1. Limit access to the web console to one specific wired subnet only, using the controller's firewall. How can I do this?

a) port-based firewall?

b) VLAN-based firewall?

What are the advantages and disadvantages of each? Or which one would work better?

2. Assuming that there will be an entirely separate management network, and if my controller does not have a management interface, and if I set one regular controller port as a management port, assign it to a mgmt VLAN and set an IP on this VLAN, how can I do the following:

a) make sure that the non-management ports cannot be accessed for SSH or the web console

b) make sure that there is no route between the mgmt VLAN and the regular VLAN

Thanks.

1. Try the solution here: http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Disabling-HTTP-fromt-he-administration/m-p/113953/highlight/true#M24406

(a) Port-based firewall

2. Use the suggestion in 1. Put "no ip routing" on any IP VLAN interfaces that you don't want to route.

3. Remember to add an "allow all" at the end of your ACLs to permit any other traffic besides what you are blocking.

4. Test on a lab controller to make sure it does what you want.

5. There is a service ACL feature in ArubaOS 6.3, but it would take some practice to use properly. The syntax is different from the typical Aruba firewall policies. I would play with it in the lab to get the hang of it first.

Colin Joseph
Aruba Customer Engineering

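To make the advice above concrete, here is an added ArubaOS 6.x CLI configuration sketch; it is not from this thread or from Aruba's documentation, and the ACL name, port number, VLAN IDs and the 10.10.100.0/24 management subnet are all assumed placeholders. It assumes the built-in "controller" destination alias (the controller's own addresses) and the predefined svc-https / svc-http / svc-ssh / svc-telnet services. Session ACLs are evaluated first match wins, so the management-subnet permits come before the denies, and the trailing "any any any permit" is the "allow all" from point 3 that keeps user traffic flowing. The port-based ACL on the trunk covers every VLAN carried on it at once, which is why it is simpler here than one VLAN-based ACL per VLAN, and "no ip routing" on the VLAN interfaces is what stops the controller from forwarding between the management and user VLANs (point 2).

```text
! Session ACL: only the management subnet may reach the controller's
! own web console (HTTPS) and SSH. All other sources are denied for
! those services, and the final allow-all passes everything else.
! 10.10.100.0/24 is an assumed management subnet.
ip access-list session restrict-mgmt
  network 10.10.100.0 255.255.255.0 alias controller svc-https permit
  network 10.10.100.0 255.255.255.0 alias controller svc-ssh permit
  any alias controller svc-https deny
  any alias controller svc-http deny
  any alias controller svc-ssh deny
  any alias controller svc-telnet deny
  any any any permit
!
! Apply the ACL on the trunk port facing the L3 switch (port assumed).
! A port-based ACL covers all VLANs on the trunk in one place;
! the port does not have to be untrusted for it to take effect.
interface gigabitethernet 1/0
  ip access-group restrict-mgmt session
!
! Management VLAN: holds the controller's management IP (assumed).
! "no ip routing" stops the controller forwarding between this VLAN
! and the user VLANs; the L3 switch stays the only router.
interface vlan 100
  ip address 10.10.100.2 255.255.255.0
  no ip routing
!
! User VLAN carried on the same trunk, also left unrouted by the controller.
interface vlan 200
  ip address 10.10.200.2 255.255.255.0
  no ip routing
```

Verify on a lab controller, as suggested in point 4: an HTTPS or SSH attempt to the controller IP from a user VLAN address should be dropped, the same attempt from 10.10.100.0/24 should succeed, and "show ip route" on the controller should show no connected route being used to forward between VLAN 100 and VLAN 200.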

Contributor II
Posts: 72
Registered: ‎05-22-2011

Re: Securing Controller Ports

Does the port need to be untrusted in order for the ACL to work? I am using the 6.1 OS, by the way.

Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Securing Controller Ports

No.


Colin Joseph
Aruba Customer Engineering
