Original Message:
Sent: Apr 14, 2024 07:54 PM
From: ariyap
Subject: Ports between gateway and aps in aruba os 10
If the AOS10 AP has tunnel or mixed mode forwarding configured, then the only ports between the AP and the gateway are UDP/4500 and IPSEC proto 47.
bldg-b# sh datapath session | incl 192.168.1.243
192.168.1.243 10.10.10.30 47 0 0 0 0 40 0 local e8e 6 2328 pi
10.10.10.30 192.168.1.243 47 0 0 0 0 40 0 local e8e c 4824 pi
10.10.10.30 192.168.1.243 17 4500 4500 0 0 48 0 local e9d 4b5 37614 FC
192.168.1.243 10.10.10.30 17 4500 4500 0 0 46 0 local e9d 46b 33a8c F
bldg-b#
Here is the AOS10 Hardening guide for your reference.
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
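To turn the reply above into a repeatable check, here is an added example (not code from the thread or from Aruba) that parses the `show datapath session` rows in the same column layout as the post and flags any AP-to-gateway flow that is not UDP/4500 or IP protocol 47. The AP and gateway addresses, and the extra TCP/21 row used to show a hit, are constructed sample values.

```python
"""Audit Aruba 'show datapath session' output for AP<->gateway flows.

Assumes the column order seen in the post: src dst proto sport dport ...
Allowlist is what the reply states for AOS10 tunnel/mixed mode.
"""
from dataclasses import dataclass

# Allowed (protocol, port) pairs between AP and gateway. GRE (47) carries
# no ports, and the session table shows 0/0 for it, hence (47, 0).
ALLOWED = {(47, 0), (17, 4500)}

# Rows copied from the post, plus one constructed TCP/21 (FTP) flow that an
# AOS8-style port list would permit but that AOS10 tunnel mode does not need.
SAMPLE = """\
bldg-b# sh datapath session | incl 192.168.1.243
192.168.1.243 10.10.10.30 47 0 0 0 0 40 0 local e8e 6 2328 pi
10.10.10.30 192.168.1.243 47 0 0 0 0 40 0 local e8e c 4824 pi
10.10.10.30 192.168.1.243 17 4500 4500 0 0 48 0 local e9d 4b5 37614 FC
192.168.1.243 10.10.10.30 17 4500 4500 0 0 46 0 local e9d 46b 33a8c F
192.168.1.243 10.10.10.30 6 40211 21 0 0 30 0 local e9f 12 77 F
bldg-b#
"""

@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int

def parse_sessions(text: str) -> list[Session]:
    """Parse the first five columns of each session row; skip prompt lines."""
    out = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or not cols[2].isdigit():
            continue  # prompt or command echo, not a session row
        out.append(Session(cols[0], cols[1], int(cols[2]), int(cols[3]), int(cols[4])))
    return out

def unexpected_flows(sessions: list[Session], ap: str, gw: str) -> list[Session]:
    """Return AP<->gateway sessions (either direction) not on the allowlist."""
    bad = []
    for s in sessions:
        if {s.src, s.dst} != {ap, gw}:
            continue  # some other pair of hosts, out of scope here
        # The table lists both directions, so accept the port on either end.
        if (s.proto, s.dport) not in ALLOWED and (s.proto, s.sport) not in ALLOWED:
            bad.append(s)
    return bad

if __name__ == "__main__":
    for s in unexpected_flows(parse_sessions(SAMPLE), "192.168.1.243", "10.10.10.30"):
        print(f"unexpected: {s.src} -> {s.dst} proto {s.proto} {s.sport}->{s.dport}")
```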
Original Message:
Sent: Apr 14, 2024 12:12 AM
From: cdelarosa
Subject: Ports between gateway and aps in aruba os 10
Hello, anyone?
Do I need to open just UDP port 4500 and 443 between the controller and the AP in Aruba OS 10?
Is the GRE protocol not needed anymore?
Also, are the other ports not needed either, because it can download the firmware directly from Aruba Central? I mean, of course I need the ports and the URLs to be opened from the AP or gateway to Aruba Central for this.
Original Message:
Sent: Apr 12, 2024 06:04 PM
From: cdelarosa
Subject: Ports between gateway and aps in aruba os 10
Hello
I was wondering if the ports are these ones?
Communication Between APs and the Managed Device
APs use Trivial File Transfer Protocol (TFTP) during their initial boot to grab their software image and configuration from the managed device. After the initial boot, the APs use FTP to retrieve their software images and configurations from the managed device. In many deployment scenarios, an external firewall is situated between various Aruba devices.
Configure the following ports to enable communication between an AP and the managed device:
PAPI (UDP port 8211). If the AP uses DNS to discover the LMS managed device, the AP first attempts to connect to Mobility Master. (Also allow DNS (UDP port 53) traffic from the AP to the DNS server.)
PAPI (UDP port 8211). All APs running as Air Monitors (AMs) require a permanent PAPI connection to Mobility Master.
FTP (TCP port 21)
TFTP (UDP port 69). All campus APs. If there is no local image on the AP or if the image needs to be upgraded (for example, a new AP), the AP will use TFTP to retrieve the initial image. For remote APs, upgrade the image only by FTP and not TFTP.
SYSLOG (UDP port 514)
PAPI (UDP port 8211)
GRE (protocol 47)
Control Plane Security (CPsec) uses UDP port 4500
Am I missing any port, or do I not need a port from this list, between the gateway in Aruba OS 10 and the AP that is doing tunnel mode?