Which network ports must be configured on the firewall to allow other types of traffic in the Aruba network?
Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
· For logging: SYSLOG (UDP port 514) between the mobility controller and syslog servers.
· For software upgrade or retrieving system logs: TFTP (UDP port 69) or FTP (TCP ports 20 and 21) between the mobility controller and a software distribution server.
· If the mobility controller is a PPTP VPN server, allow PPTP (TCP port 1723) and GRE (protocol 47) to the mobility controller.
· If the mobility controller is an L2TP VPN server, allow NAT-T (UDP port 4500), ISAKMP (UDP port 500), and ESP (protocol 50) to the mobility controller.
· If a third-party network management system is used, allow SNMP (UDP ports 161 and 162) between the network management system and all mobility controllers. If the ArubaOS version is earlier than 2.5, allow SNMP traffic between the network management system and APs.
· For authentication with a RADIUS server: RADIUS (typically UDP ports 1812 and 1813, or the legacy ports 1645 and 1646, depending on how the server is configured) between the mobility controller and the RADIUS server.
· For authentication with an LDAP server: LDAP (TCP port 389) or LDAPS (TCP port 636) between the mobility controller and the LDAP server.
· For authentication with a TACACS+ server: TACACS (TCP port 49) between the mobility controller and the TACACS+ server.
· For NTP clock setting: NTP (UDP port 123) between all mobility controllers, the MMS server, and the NTP server.
· For packet captures: UDP ports 5555-5560 from an AP to an Ethereal (now Wireshark) packet-capture station; UDP port 5000 from an AP to a WildPackets packet-capture station; UDP ports 2500-2501 from an AP to an AirMagnet Enterprise analyzer.
· For telnet access: Telnet (TCP port 23) from the network administrator's computer to any AP, if "telnet enable" is present in the "ap location 0.0.0" section of the mobility controller configuration.
· For External Services Interface (ESI): ICMP (protocol 1) and syslog (UDP port 514) between a mobility controller and any ESI servers.
· For XML API: HTTP (TCP port 80) or HTTPS (TCP port 443) between a mobility controller and an XML-API client.
· For IP address assignment: DHCP (UDP ports 67 and 68).
· For time management: NTP (UDP port 123).
· For logging messages: syslog (UDP port 514).
· For APs to come up on the controller: PAPI (UDP port 8211) and GRE (protocol 47).
· For remote APs to come up on the controller: TFTP (UDP port 69, used only when the AP has a corrupted image) and NAT-T (UDP port 4500). After the remote AP's IPsec connection is established, all PAPI and GRE traffic is tunneled inside this IPsec NAT-T session.
· For communications between controllers, the following ports should be opened:
o IKE UDP port 500
o ESP protocol 50
o NAT-T UDP port 4500
o PAPI UDP and TCP port 8211
o IP-IP Protocol 94: for IP mobility between master-local and local-local
· For the communication between MMS and controllers:
o SNMP UDP ports 161 and 162
o PAPI UDP and TCP port 8211
o HTTPS TCP port 443
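The list above is what a practitioner has to turn into firewall rules, and the usual failure mode is a partial policy (UDP 8211 opened for the APs, GRE forgotten). The following is an added example, not Aruba's own tooling or code from this article: it encodes a few of the flow groups above as a table, reports which required flows an existing permit policy does not cover, and emits the iptables rules that would close the gaps. The `Flow`/`Rule` format, the role names, the sample policy and the sample addresses are all constructed for the example. It covers only the flows it lists (AP, remote AP, controller-to-controller and RADIUS); extend the table for the others.

```python
# Added example: audit a firewall policy against the Aruba controller
# port list above and emit iptables rules for the flows it misses.
# The flow table, Rule format, sample policy and addresses are
# constructed for this example; none of it is Aruba tooling.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str            # "tcp", "udp", or an IP protocol number as a string ("47", "50", "94")
    port: Optional[int]   # None for protocols that carry no port (GRE, ESP, IP-IP)


# Flows taken from the list above, grouped by the role a rule covers.
REQUIRED_FLOWS = {
    "ap-to-controller": (
        Flow("PAPI", "udp", 8211),
        Flow("GRE", "47", None),
    ),
    "remote-ap-to-controller": (
        Flow("TFTP (corrupted image recovery)", "udp", 69),
        Flow("NAT-T", "udp", 4500),
    ),
    "controller-to-controller": (
        Flow("IKE", "udp", 500),
        Flow("ESP", "50", None),
        Flow("NAT-T", "udp", 4500),
        Flow("PAPI", "udp", 8211),
        Flow("PAPI", "tcp", 8211),
        Flow("IP-IP mobility", "94", None),
    ),
    "controller-to-radius": (
        Flow("RADIUS authentication", "udp", 1812),
        Flow("RADIUS accounting", "udp", 1813),
    ),
}


@dataclass(frozen=True)
class Rule:
    """One permit rule of an existing policy (constructed format): a protocol
    and an optional destination port range; no range means the whole protocol."""
    proto: str
    first_port: Optional[int] = None
    last_port: Optional[int] = None

    def permits(self, flow: Flow) -> bool:
        if self.proto != flow.proto:
            return False
        if flow.port is None or self.first_port is None:
            return True                       # port-less protocol, or rule opens the whole protocol
        return self.first_port <= flow.port <= self.last_port


def missing_flows(role: str, policy) -> list:
    """Required flows for `role` that no rule in `policy` permits."""
    return [f for f in REQUIRED_FLOWS[role] if not any(r.permits(f) for r in policy)]


def iptables_rules(role: str, src: str, dst: str, policy=()) -> list:
    """iptables FORWARD-chain lines admitting the flows `policy` does not already permit.
    Assumes a stateful firewall (replies are matched by conntrack), so only the
    initiating direction is emitted."""
    lines = []
    for f in missing_flows(role, policy):
        match = f"-p {f.proto}" + (f" --dport {f.port}" if f.port is not None else "")
        lines.append(f"iptables -A FORWARD -s {src} -d {dst} {match} -j ACCEPT  # {f.name}")
    return lines


# Constructed sample: a policy that only opened UDP 8211 towards the controller.
SAMPLE_POLICY = [Rule("udp", 8211, 8211)]

if __name__ == "__main__":
    for role in REQUIRED_FLOWS:
        gaps = missing_flows(role, SAMPLE_POLICY)
        print(f"{role}: {len(gaps)} missing -> {[f.name for f in gaps]}")
    print("\n".join(iptables_rules("ap-to-controller", "10.1.0.0/16", "10.0.0.5", SAMPLE_POLICY)))
```

Two caveats when adapting this: the entries above that say "between" are bidirectional, so on a stateless filter you also need the reverse rules, and for RADIUS the table must match what the server actually listens on (1812/1813 or the legacy 1645/1646), since a rule for the wrong pair will silently fail authentication.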