Re: Necessary firewall rules between Access Point and Controller with directions
05-12-2016 09:33 AM
Now that I think about it...I guess it doesn't matter? TCP is connection oriented.
Re: Necessary firewall rules between Access Point and Controller with directions
05-12-2016 11:02 AM
Why don't you try it on a single port and let us know?
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Re: Necessary firewall rules between Access Point and Controller with directions
05-12-2016 06:48 PM
Below is the firewall filter created on the Juniper switch. It is currently applied to just one switch port. When applied, the AP goes to a "down" status. Once removed, the AP comes back up. Not sure if anyone has tried this before and was successful? Added the multicast group as a last ditch effort.
firewall {
    family ethernet-switching {
        filter WAP-in {
            term aruba-ap_udp {
                from {
                    destination-port [ bootps dhcp tftp 8211 domain syslog 4500 ntp 53 ];
                    ip-protocol udp;
                }
                then accept;
            }
            term aruba-ap_udp_s {
                from {
                    source-port 8211;
                    ip-protocol udp;
                }
                then accept;
            }
            term aruba-ap_tcp {
                from {
                    destination-port ftp;
                    ip-protocol tcp;
                }
                then accept;
            }
            term aruba-ap_gre {
                from {
                    ip-protocol gre;
                }
                then accept;
            }
            term permit-ping {
                from {
                    icmp-type [ echo-reply unreachable ];
                    ip-protocol icmp;
                }
                then accept;
            }
            term permit-tcp_est {
                from {
                    tcp-established;
                    ip-protocol tcp;
                }
                then accept;
            }
            term aruba-adp {
                from {
                    ip-destination-address {
                        239.0.82.0/24;
                    }
                    ip-protocol udp;
                }
                then accept;
            }
            term default-deny {
                then {
                    discard;
                    log;
                    count WAP-denied;
                }
            }
        }
    }
}
Thanks,
hlavender
Re: Necessary firewall rules between Access Point and Controller with directions
05-12-2016 06:50 PM
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
Re: Necessary firewall rules between Access Point and Controller with directions
05-12-2016 06:54 PM
The customer has requested that the ports be locked down since the APs will be in an untrusted or common area. There's actually a little more to it than just that, but that's the request in a nutshell.
Re: Necessary firewall rules between Access Point and Controller with directions
05-12-2016 06:57 PM
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
Re: Necessary firewall rules between Access Point and Controller with directions
05-12-2016 06:59 PM
Yes.
Re: Necessary firewall rules between Access Point and Controller with directions
05-12-2016 07:03 PM
If the AP were to be unplugged, the port would effectively reset and the next device that is plugged in would have to pass 802.1X or other authorization methods.
| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
Re: Necessary firewall rules between Access Point and Controller with directions
05-12-2016 07:12 PM
Hmmm, I didn't think about that. We have configured 802.1X on the wire currently, so that may be an option.
Otherwise, any thoughts on ACLs on switch ports? This may still be the way they would like to go.
Re: Necessary firewall rules between Access Point and Controller with directions
05-19-2016 02:10 PM
Issue resolved...for the most part.
The AP, which is an AP-325, was getting stuck while attempting to upgrade the software. During a Wireshark packet capture, it was determined that passive FTP was being used. Since this uses "random" ports, the firewall filter on the Juniper EX4300 needed to be tweaked to allow this.
Made adjustments and now it works. The "for the most part" bit is that additional ports are required for this to work. This would have been easier if this was passing through a firewall in flow mode or an application layer firewall.
Anyhoo.
-hlavender
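To make the failure concrete, here is an added Python model (not from the thread or from Juniper) of the WAP-in filter posted earlier: terms are evaluated top to bottom, first match wins, and anything unmatched hits default-deny. The ephemeral port numbers are constructed; it shows why the AP's FTP control connection passes but the new passive-FTP data connection it opens does not.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    """One packet entering the switch port from the AP side."""
    proto: str                      # "udp", "tcp", "gre" or "icmp"
    dst_port: int = 0
    src_port: int = 0
    dst_ip: str = ""
    tcp_established: bool = False   # Junos tcp-established: ACK or RST bit set
    icmp_type: str = ""

# Port names from the posted term resolved to numbers (bootps/dhcp 67, tftp 69,
# domain 53, syslog 514, ntp 123); 8211 and 4500 were given numerically.
UDP_DST = {67, 69, 8211, 53, 514, 4500, 123}

def wap_in(p: Pkt) -> str:
    """Evaluate the WAP-in terms top to bottom; return the first matching term."""
    if p.proto == "udp" and p.dst_port in UDP_DST:
        return "aruba-ap_udp"
    if p.proto == "udp" and p.src_port == 8211:
        return "aruba-ap_udp_s"
    if p.proto == "tcp" and p.dst_port == 21:            # ftp control channel
        return "aruba-ap_tcp"
    if p.proto == "gre":
        return "aruba-ap_gre"
    if p.proto == "icmp" and p.icmp_type in ("echo-reply", "unreachable"):
        return "permit-ping"
    if p.proto == "tcp" and p.tcp_established:
        return "permit-tcp_est"
    if p.proto == "udp" and p.dst_ip.startswith("239.0.82."):
        return "aruba-adp"
    return "default-deny"                                 # discard + log + count

def accepted(p: Pkt) -> bool:
    return wap_in(p) != "default-deny"

# Constructed AP-sourced flows (ephemeral ports are made up for the example).
PAPI = Pkt("udp", dst_port=8211, src_port=8211)          # AP <-> controller control
FTP_CTRL_SYN = Pkt("tcp", dst_port=21, src_port=40001)   # opens the image download
FTP_CTRL_ACK = Pkt("tcp", dst_port=21, src_port=40001, tcp_established=True)
# Passive FTP: the server names an ephemeral data port and the AP opens a NEW
# connection to it, so the first segment is a bare SYN with no ACK bit set.
PASV_DATA_SYN = Pkt("tcp", dst_port=51234, src_port=40002)

if __name__ == "__main__":
    for name in ("PAPI", "FTP_CTRL_SYN", "FTP_CTRL_ACK", "PASV_DATA_SYN"):
        pkt = globals()[name]
        print(f"{name:14s} -> {wap_in(pkt)}")
```

The last line of output is the one that explains the stuck upgrade: the data-channel SYN never matches permit-tcp_est because it is the first packet of its connection, so it is discarded and counted under WAP-denied.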