Controller Based WLANs

 View Only
last person joined: one year ago 

APs, Controllers, VIA
Back to Library

What is the function of service ACL in 6.3? (or) How do I block selected protocols and services ingress into controller, regardless of ingress port or vlan? 

Jun 29, 2014 09:34 PM

Environment : This article applies to Aruba Mobility Controllers running ArubaOS version 6.3.0.0 or higher.

 

Access control lists (ACLs) are a common way of restricting certain types of traffic on a physical port. ArubaOS provides the following types of ACLs:
 
  • Standard ACLs
  • Extended ACLs
  • MAC ACLs
  • Ethertype ACLs
  • Service ACLs
Service-ACL is a way to restrict the use of selected protocols and services from specific hosts and subnets to the controller. Rules within this ACL will be applied to all traffic on the controller, regardless of the ingress port or VLAN.

(Note: Rules within these ACL's also applies to traffic originating from wireless clients, that is encapsulated in a GRE tunnel between AP and controller)

Service-ACLs pre-defined in ArubaOS protects the control plane from an attack and ensures WLAN uptime. However these ACLs are not cutomizable and do not suit to every customer deployment. Inorder to tighten these ACLs based on customer's environment, Aruba has made enhancements in ArubaOS 6.3.0.0, so that customer may create rules in addition to the pre-defined list.


With the 6.3.0.0 ArubaOS release, the Control Plane Firewall supports below features:
 
  • Supports IPv4 and IPv6
  • Extends existing cp-firewall functionality with IPv4 and IPv6 source address fields
  • Firewall-cp rules will be applied to all traffic on the controller regardless of the ingress port or VLAN.
  • The rule set applies to all configured interfaces no the controller.
  • Rules will apply to interfaces that are configured via DHCP even if their IP address changes after boot time.
  • Users may create rules in addition to the predefined list, using CLI or GUI.
  • User-defined rules will take precedence over the predefined list.

Care should be taken not to define rules that degrade network capability by restricting traffic on ports, essential for basic operations. Some commonly used services are listed as below:

 
FTP
File Transfer Protocol
HTTP
Hypertext Transfer Protocol
HTTP
Secure HTTP
ICMP
Internet Control Message Protocol
SNMP
Simple Network Management Protocol
SSH
Secure Shell
Telnet
Telnet Protocol
TFTP
Trivial File Transfer Protocol

Below are the commands to look for control plane firewall rules:


For predefined control plane firewall rules:  "show firewall-cp intenal"


rtaImage.jpg


For user defined control plane firewall rules:  "show firewall-cp"


rtaImage.jpg


NOTE: Customers with existing user-defined rules for cp firewall will need to either edit their configuration to adhere to the new cp firewall syntax or need to recreate their entries via CLI or GUI.

 

Statistics
0 Favorited
11 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.