Security

last person joined: 8 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Can I apply firewall rules to an Ethernet port on an 800 controller?

  • 1.  Can I apply firewall rules to an Ethernet port on an 800 controller?

    Posted Mar 18, 2013 07:14 AM

    Hi,

    I'm running an 800 mobility controller at home with a couple of AP-125's.

    Current setup has APs connected to an HP PoE switch (Gigabit ports) which alsohas  the gigabit port from my 800 controller and a 100Mbit feed to my broadband router.

     

    Given the fact that I can set up a role/policy/set of firewall rules for a user logging on via wireless, I was wondering if I might be able to move the broadband feed from the HP switch to one of the 100Mbit/s Ethernet ports on the 800 and apply firewall rules on the 800 to general traffic to/from the broadband router

     

    Rgds

    Alex

     



  • 2.  RE: Can I apply firewall rules to an Ethernet port on an 800 controller?

    Posted Mar 18, 2013 07:29 AM

    Hi,

    :smileyhappy:

    **IF U JUST WANT TO ENABLE FIREWALL ON PORT/VLAN  - JUST ADD ACL PROFILE to your VLAN/PORT**

     You can if you are using different vlans for each tunnel. You can apply the aaa profile right on the vlan itself.

    Untitled.png

     

     

    ANOTHER METHOD:

     

    You can enable Wired port ACL profile and mark the port as unstrusted. (IF U WANT TO AUTH USERS TRAFFIC VIA THIS PORT)

     

     

     

    AAA USERS/DEVICES VIA WIRED PORT - the controller considers IP connections from "untrusted" ports to be defined by the configuration within the "aaa authentication wired" global controller context. Within it, you can select a AAA profile, which determines an initial role of inbound traffic/devices/users etc. That initial role is how IP connections from a device on an untrusted port is handled (much like the way a AAA applies to a VAP).

     

    I.e. if you setup an appropriate role within a AAA profile, and put it in the "aaa authentication wired" context, you should get the result you want.

     

    280x121.jpg

     

     

     

    Have a lovley day.:smileywink:

     

    me

     

     



  • 3.  RE: Can I apply firewall rules to an Ethernet port on an 800 controller?

    Posted Mar 18, 2013 07:38 AM

    zshusveti IS RIGHT! :smileyhappy:



  • 4.  RE: Can I apply firewall rules to an Ethernet port on an 800 controller?

    Posted Mar 18, 2013 07:41 AM

    @kdisc98 wrote:

    Hi,

    :smileyhappy:

    You can enable Wired port ACL profile and mark the port as unstrusted.

     

    Assuming your software level isn't too old, the controller considers IP connections from "untrusted" ports to be defined by the configuration within the "aaa authentication wired" global controller context. Within it, you can select a AAA profile, which determines an initial role of inbound traffic/devices/users etc. That initial role is how IP connections from a device on an untrusted port is handled (much like the way a AAA applies to a VAP).

     

    I.e. if you setup an appropriate role within a AAA profile, and put it in the "aaa authentication wired" context, you should get the result you want.

     

    ALSO:

     

    You can if you are using different vlans for each tunnel. You can apply the aaa profile right on the vlan itself. For this to go into effect you will need to have the tunnel in your dmz set to the untrusted port.

     

    vlan 192 wired aaa-profile "guest-wired-profile"

     

    Have a lovley day.:smileywink:

     

    me

     

     


    Are you sure that it is needed to make the port untrusted? As far as I know it is only needed if you want authentication on the interface  hence the need for the AAA profile.

    If you simply add firewall policy to the interface then authentication is not needed and the traffic will be filtered.



  • 5.  RE: Can I apply firewall rules to an Ethernet port on an 800 controller?

    Posted Mar 18, 2013 07:45 AM

    You right.:smileywink:

     

    It's depands - what he is trying to achive - i gave him the two possiablites.

    Knowlege/info/tips give us the ability to imporve our deploments - and offer more to our clients.

     

    Me



  • 6.  RE: Can I apply firewall rules to an Ethernet port on an 800 controller?

    Posted Apr 18, 2013 02:56 AM
    As per your attached screen shot, The ACL policy is applied to the port, no matter port is mark as trusted or non-trusted.
    As in screenshot port is marked as trusted and you also applied ACL policy to that port.


  • 7.  RE: Can I apply firewall rules to an Ethernet port on an 800 controller?

    Posted Apr 18, 2013 04:29 AM

    To apply the ACL without authentication:

     

    ip access-list session dhcp-only
    any any svc-dhcp permit
    any any any deny
    interface fastethernet 1/0
    ip access-group dhcp-only session

     

    This will allow your controller to obtain a DHCP address, but not allow any traffic from outside to be initiated unless it is in response to traffic from inside.

     



  • 8.  RE: Can I apply firewall rules to an Ethernet port on an 800 controller?

    Posted Mar 18, 2013 07:32 AM

    Yes, you can apply firewall policies to the network interfaces (physical or VLAN). You can do this on the GUI at Configuration/Netowrk/Ports menu.

    Create your firewall policies first and simply apply it to the interface and it should do the job.



  • 9.  RE: Can I apply firewall rules to an Ethernet port on an 800 controller?

    Posted Mar 18, 2013 09:26 AM

    Many thanks for the replies. I'll have a play tonight when I get home

    Rgds

    Alex

    BTW running 5.0.4.11which AFAIK is the latest ArubaOS for the 800

     



  • 10.  RE: Can I apply firewall rules to an Ethernet port on an 800 controller?

    Posted Mar 18, 2013 09:28 AM

    Our Mission is to help who everHEADS needs :smileywink: Update us if it's worked for u - or more info needed



  • 11.  RE: Can I apply firewall rules to an Ethernet port on an 800 controller?

    Posted Mar 27, 2013 12:59 PM

    Many thnks for the suggestions. I only want to apply acls to the port as its a feed to my broadband router so I don;t need to do any auithentication (at present)

    Rgds

    Alex