Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Firewall between AP and controller.

  • 1.  Firewall between AP and controller.

    Posted Feb 25, 2013 11:41 PM



    From the user guide:

    Between an AP and the controller:

    1. FTP (TCP port 21).
    2. TFTP (UDP port 69).
    3. NTP (UDP port 123).
    4. SYSLOG (UDP port 514).
    5. PAPI (UDP port 8211).
    6. GRE (protocol 47).


    What ports need to be opened from the controller subnet to the AP subnet?

    If CPSEC is enabled, NAT-T port UDP 4500 has to be open in either direction between AP and controller, right?


    Would all of the above 6 traffic flows get inside the IPsec when CPSEC is enabled? Can I just allow the NAT-T port UDP 4500 alone on the firewall, bidirectionally, between AP and controller?



  • 2.  RE: Firewall between AP and controller.

    Posted Feb 26, 2013 04:35 AM

    ** Read Giles' post - he fixed my answer with the right answer and the current info **


    The port list stays the same for RemoteAP or CampusAP:

    Between Campus AP (GRE) and LMS Controller
    FTP (tcp/20 and tcp/21)
    TFTP (udp/69) - for AP-52; for all other APs, if there is no local image on the AP, e.g. a brand new AP, the AP will use TFTP to retrieve the initial image
    NTP (udp/123)
    SYSLOG (udp/514)
    PAPI (udp/8211)
    GRE (protocol 47)

    Between Remote AP (IPsec) and Controller
    NAT-T (udp/4500)
    TFTP (udp/69) - note: not needed for normal operation. If the RAP loses the local image for whatever reason, TFTP is used to download the latest image.



    Thanks Giles. ;) (A day that you don't learn something new is a wasted day.)

  • 3.  RE: Firewall between AP and controller.

    Posted Feb 26, 2013 06:18 AM



    I know how this stuff works and you really confused me!


    "When CPSEC is enabled, each whitelisted or allowed AP gets a certificate from the controller itself."


    This is not true: all 'new' APs have a TPM module which stores a factory certificate, so they do not need to get a certificate from the controller; for old APs which don't support TPM modules, it can be downloaded from the controller.



    The idea behind CPsec (Control Plane Security) is to protect the control plane so that we can support bridge mode, PSK etc.

    I.e., when we send a key to the AP we don't send it in clear text but inside IPsec to the AP.


    So the only thing which is inside CPsec (which is IPsec, or NAT-T on UDP 4500) is our proprietary protocol PAPI (UDP port 8211).


    I would leave the ports listed open if possible, as any new AP coming up will have to use these before it can become a CPsec AP.



  • 4.  RE: Firewall between AP and controller.
    Best Answer

    Posted Feb 26, 2013 02:34 PM

    We have a stateful firewall and find that the list you have is correct for AP to Controller, and the stateful firewall allows responses.

    From the controller to the AP you'll need 8211 open.


    The GRE tunnel we pass in both directions stateless to reduce overhead.


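As an added example, not code from the thread or from Aruba's documentation, here is a POSIX shell script that turns the port list above into iptables FORWARD rules for a Linux firewall sitting between the two subnets, following the best answer: connection tracking lets replies to AP-initiated flows through, PAPI (udp/8211) is opened explicitly from controller to AP, GRE (protocol 47) is exempted from connection tracking and accepted in both directions, and NAT-T (udp/4500) is added in both directions when CPsec is on. The subnets, the chain layout, and the use of iptables itself are assumptions; the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread or from Aruba): print iptables rules for a
# firewall between the AP subnet and the controller subnet, based on the port
# list discussed above. Subnets are assumed placeholders; nothing is applied.

# ap_controller_rules <ap_net> <ctrl_net> <cpsec: yes|no>
ap_controller_rules() {
    ap="$1"
    ctrl="$2"
    cpsec="$3"

    # Stateful firewall: replies to flows the AP opened come back via conntrack,
    # so only PAPI has to be opened explicitly in the controller -> AP direction.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # AP -> controller: the user-guide list (FTP, TFTP, NTP, syslog, PAPI).
    echo "iptables -A FORWARD -s $ap -d $ctrl -p tcp -m multiport --dports 20,21 -j ACCEPT"
    echo "iptables -A FORWARD -s $ap -d $ctrl -p udp --dport 69 -j ACCEPT"
    echo "iptables -A FORWARD -s $ap -d $ctrl -p udp --dport 123 -j ACCEPT"
    echo "iptables -A FORWARD -s $ap -d $ctrl -p udp --dport 514 -j ACCEPT"
    echo "iptables -A FORWARD -s $ap -d $ctrl -p udp --dport 8211 -j ACCEPT"

    # Controller -> AP: PAPI is also initiated from the controller side.
    echo "iptables -A FORWARD -s $ctrl -d $ap -p udp --dport 8211 -j ACCEPT"

    # GRE (IP protocol 47) in both directions without connection tracking
    # ("stateless to reduce overhead"): mark it NOTRACK in the raw table,
    # then accept it explicitly since the ESTABLISHED rule will not match it.
    echo "iptables -t raw -A PREROUTING -s $ap -d $ctrl -p 47 -j CT --notrack"
    echo "iptables -t raw -A PREROUTING -s $ctrl -d $ap -p 47 -j CT --notrack"
    echo "iptables -A FORWARD -s $ap -d $ctrl -p 47 -j ACCEPT"
    echo "iptables -A FORWARD -s $ctrl -d $ap -p 47 -j ACCEPT"

    # CPsec: NAT-T (udp/4500) in both directions; PAPI then rides inside IPsec.
    if [ "$cpsec" = "yes" ]; then
        echo "iptables -A FORWARD -s $ap -d $ctrl -p udp --dport 4500 -j ACCEPT"
        echo "iptables -A FORWARD -s $ctrl -d $ap -p udp --dport 4500 -j ACCEPT"
    fi
}

# rule_count <ap_net> <ctrl_net> <cpsec>: number of iptables commands emitted,
# handy for checking that toggling CPsec adds exactly the two NAT-T rules.
rule_count() {
    ap_controller_rules "$@" | grep -c '^iptables'
}

# Usage: sh ap-fw-rules.sh 10.10.20.0/24 10.10.10.0/24 yes
ap_controller_rules "${1:-10.10.20.0/24}" "${2:-10.10.10.0/24}" "${3:-no}"
```

The script assumes the FORWARD chain's default policy is DROP, so anything not listed is blocked. It opens only what the thread lists; post 6 below asks whether ESP (IP protocol 50) also belongs on the list, and if your deployment needs it, it is added the same way as the GRE rules.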

  • 5.  RE: Firewall between AP and controller.

    Posted Mar 06, 2013 06:32 AM

    Thank you all. I got the idea. 


    A stateful firewall does open the reverse traffic from controller to AP automatically, for communication initiated from the AP to the controller.



  • 6.  RE: Firewall between AP and controller.

    Posted Jul 27, 2017 03:46 AM

    So the user guide is wrong; it has to add a new entry to the bullet point list with IPsec (ESP, IP protocol 50)?

  • 7.  RE: Firewall between AP and controller.

    Posted Jul 27, 2017 05:38 AM