Remote Networking

Contributor I

What is the ap-uplink-acl, and how does it work?

Apologies for bringing this issue back to life, but I would love to really understand how bridge mode works.

From the previous post, should I understand that the "ap-uplink-acl" is the one that states what stays bridged locally and what goes tunneled up to the controller?

A colleague of mine was actually having related issues where TCP 7778 was not being properly managed and its traffic being dropped, while wired users could reach that server easily. DHCP was provided locally. Now he added an allow-all entry into the "ap-uplink-acl" and everything works.

What did he actually do? Did he make all traffic go tunneled up to the controller? Did I misunderstand, and perhaps the ACL tells you which traffic is allowed to come out locally bridged? If so, what is the role ACL for then?

Feeling confused here. Split-tunnel mode comes to my mind resembling this behaviour closely. :S
Guru Elite

Re: What is the ap-uplink-acl, and how does it work?

If a user is in "Bridged" mode, all traffic is sent out the ethernet port of the access point and NO traffic is sent back to the controller on an IPsec tunnel. It is used so that users on an access point will always get an IP address and send traffic on the local port that the access point is on.

The ap-uplink-acl is used on an access point whose users are in bridged mode and determines what traffic can be sent to the users on that access point that is doing the bridging. It functions as a firewall policy to protect the users on an access point that is deployed remotely. By default, the ap-uplink-acl only allows DHCP traffic and Bonjour traffic to flow from the local network into the AP and to the clients on that access point. The users can still send any traffic that is allowed in their role, but no traffic will be sent to users unless it was initiated by the users, EXCEPT for what is in that ACL.

Why you would want to change that ACL:

If you have remote control software and you want to remote control those clients, you want to add the protocol for that remote control software to the ap-uplink-acl since it is incoming traffic that is not initiated by clients. In other words, any traffic that you want clients to receive, that is not initiated by clients, you want to "whitelist" on that ACL.

I hope that helps..

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
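The following is an added example, not code from the original thread or from Aruba: a toy Python model of the behaviour the answer above describes. It treats the ap-uplink-acl as a filter that is only consulted for traffic arriving from the wired uplink toward bridged clients, allows return traffic of sessions the client itself opened, and otherwise requires an explicit ACL entry. The client, server and port numbers, the exact shape of the default entries (DHCP to client port 68, mDNS on 5353) and the assumption that the TCP 7778 traffic in the question is initiated from the wired side toward the client are all assumptions made for the example, not facts from the page or from the ArubaOS implementation.

```python
"""Toy model of a stateful uplink ACL on a bridged-mode AP.

Added example, not Aruba's code. Direction modelled:
  client -> uplink : decided by the user role (assumed permitted here),
                     and recorded so that replies can come back
  uplink -> client : allowed only if it is return traffic of a
                     client-initiated session OR matches an ap-uplink-acl entry
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    proto: str                 # "any", "tcp" or "udp"
    dst_port: Optional[int]    # None matches any destination port
    action: str = "permit"
    note: str = ""

    def matches(self, p: Packet) -> bool:
        proto_ok = self.proto == "any" or self.proto == p.proto
        port_ok = self.dst_port is None or self.dst_port == p.dst_port
        return proto_ok and port_ok


# Assumed default entries, modelled on the answer's description (DHCP + Bonjour).
DEFAULT_UPLINK_ACL = [
    Rule("udp", 68, note="DHCP replies to clients"),
    Rule("udp", 5353, note="Bonjour/mDNS"),
]


class BridgedAp:
    def __init__(self, uplink_acl):
        self.uplink_acl = list(uplink_acl)
        self.sessions = set()   # 5-tuples of sessions opened by wireless clients

    def client_sends(self, p: Packet) -> None:
        """Client -> uplink. Role ACL assumed to permit; just track the session."""
        self.sessions.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))

    def uplink_delivers(self, p: Packet):
        """Uplink -> client. Returns (action, reason)."""
        reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if reverse in self.sessions:
            return "permit", "return traffic of a client-initiated session"
        for r in self.uplink_acl:
            if r.matches(p):
                return r.action, f"matched ap-uplink-acl entry: {r.note or r}"
        return "drop", "not client-initiated and not in ap-uplink-acl"


# Constructed addresses for the scenario (assumptions, not from the thread).
CLIENT = "192.168.1.20"
DHCP_SERVER = "192.168.1.1"
REMOTE_CONTROL_SERVER = "192.168.1.50"
WEB_SERVER = "10.0.0.7"


def demo(extra_rules=()):
    """Run four inbound cases against the default ACL plus any extra entries."""
    ap = BridgedAp(DEFAULT_UPLINK_ACL + list(extra_rules))
    results = {}
    # DHCP offer from the local server: whitelisted by the default ACL
    results["dhcp"] = ap.uplink_delivers(Packet("udp", DHCP_SERVER, 67, CLIENT, 68))[0]
    # client opens HTTPS to a server; the reply is return traffic
    ap.client_sends(Packet("tcp", CLIENT, 51000, WEB_SERVER, 443))
    results["web_reply"] = ap.uplink_delivers(Packet("tcp", WEB_SERVER, 443, CLIENT, 51000))[0]
    # wired server initiates a session to the client on TCP 7778 (assumed direction)
    results["rc_7778"] = ap.uplink_delivers(Packet("tcp", REMOTE_CONTROL_SERVER, 40000, CLIENT, 7778))[0]
    # some other unsolicited inbound connection (SSH to the client)
    results["ssh_22"] = ap.uplink_delivers(Packet("tcp", REMOTE_CONTROL_SERVER, 40001, CLIENT, 22))[0]
    return results


if __name__ == "__main__":
    print("default ACL          :", demo())
    print("allow-all added      :", demo([Rule("any", None, note="allow-all")]))
    print("only tcp/7778 added  :", demo([Rule("tcp", 7778, note="remote control")]))
```

With the default entries only, the DHCP offer and the HTTPS reply get through and the unsolicited TCP 7778 session is dropped, which is the symptom described in the question. An allow-all entry makes every unsolicited inbound connection pass, including the SSH case, so the ACL no longer protects the remote clients at all; a single entry for TCP 7778 fixes the remote-control case while the SSH case stays dropped, which is the "whitelist only what clients must receive" approach the answer recommends.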