Wireless Access

Super Contributor II

Protect the uplink interfaces on branch controllers

Hi!

We're deploying branch controllers on 8.2.1.0 with internet-facing uplink interfaces, and we need to secure the interfaces from external access as well as allow access from some public IPs. I've made an ACL that looks like this:

ip access-list session uplink-protection
any any svc-dhcp permit
alias public-management-ips any tcp 22 permit
alias public-management-ips any tcp 4343 permit
any any any deny
!

Then I apply it to the uplink interfaces like this:

interface gigabitethernet 0/0/2
description GE0/0/2
trusted
ip access-group session uplink-protection
trusted vlan 1-4094
!

Works like a charm on some sites; on two sites the tunnel access starts flapping and I see this in the logs of the branch controller:

Aug 15 08:39:53  cfgm[3589]: <399838> <3589> <WARN> |cfgm|  LmsHeartBeatResultAction: State(VPN_PRECONNECT:UPDATE SUCCESSFUL:CFGID-511:PEND-0:INITCFGID:0) FD=-1:Cannot heartbeat with the master.
Aug 15 08:40:23  cfgm[3589]: <399838> <3589> <WARN> |cfgm|  LmsHeartBeatResultAction: State(CONNECTINPROGRESS:UPDATE SUCCESSFUL:CFGID-511:PEND-0:INITCFGID:0) FD=27:Cannot heartbeat with the master.
Aug 15 08:40:23  cfgm[3589]: <399838> <3589> <WARN> |cfgm|  LmsHeartBeatResultAction: State(READY:UPDATE SUCCESSFUL:CFGID-511:PEND-0:INITCFGID:0) FD=27:Cannot heartbeat with the master.

As well as:

Aug 15 08:38:08  ofa: 00005|rconn|ERR|Aruba-SDN<->tcp:<IP-OF-MM>:6633: no response to inactivity probe after 15 seconds, disconnecting

As soon as I remove the ACL from the uplink interface, the site stabilizes and works perfectly. Is there something wrong with the ACL? Would you write it differently to achieve my goals?

Cheers,

Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306
Super Contributor II

Re: Protect the uplink interfaces on branch controllers

When I turn it around and write it like this, it works perfectly to block management:

ip access-list session uplink-protection2
 any any svc-dhcp permit
 alias public-management-ips any tcp 22 permit
 alias public-management-ips any tcp 80 permit
 alias public-management-ips any tcp 443 permit
 alias public-management-ips any tcp 4343 permit
 any any tcp 22 deny
 any any tcp 443 deny
 any any tcp 80 deny
 any any tcp 4343 deny
 any any any permit
!

Although there are several other ports open on the controller, perhaps I should just do the same type of deny for all of them and end it with an any any any permit.

Anyone else protecting branch uplinks differently?

Cheers,
Christoffer Jacobsson | Aranya AB
Aruba Partner Ambassador
Aruba: ACMX #537 ACCP ACDP | CWNP: CWNE #306
New Contributor

Re: Protect the uplink interfaces on branch controllers

Hi Christoffer,

You should be able to use this ACL for the uplink and modify it as needed.

ip access-list session wan-uplink-protect-acl
any any sys-svc-dhcp permit
any any sys-svc-v6-dhcp permit
any any sys-svc-esp permit
any any sys-svc-natt permit
any any sys-svc-ike permit
any any sys-svc-icmp permit
any any sys-svc-icmp6 permit
!

Under the interface that carries the uplink, add the line below with the correct uplink VLAN ID:

ip access-group vlan 4093 session wan-uplink-protect-acl
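Added example (mine, not code from any post in this thread): a first-match model of ArubaOS-style session ACLs, used to run the three ACLs quoted above against a handful of constructed flows as they would arrive on the branch uplink. Everything not on the page is assumed: the alias public-management-ips is given the contents 198.51.100.0/24, the controller sits at 203.0.113.5 and the Mobility Master at 192.0.2.10, each named service is collapsed to one protocol/port pair, the controller's channel to the Mobility Master is taken to reach the uplink as IKE, NAT-T and ESP (the services the last reply permits), and an ACL that reaches its end without a match is treated as the implicit deny of an ArubaOS session ACL.

```python
"""Added example (not from the thread): first-match model of ArubaOS-style session ACLs."""
from collections import namedtuple
from ipaddress import ip_address, ip_network
ALIASES = {"public-management-ips": [ip_network("198.51.100.0/24")]}  # assumed
SERVICES = {  # named services collapsed to one (proto, dport); None = portless
    "any": ("any", None), "svc-dhcp": ("udp", 67), "sys-svc-dhcp": ("udp", 67),
    "sys-svc-v6-dhcp": ("udp", 547), "sys-svc-ike": ("udp", 500),
    "sys-svc-natt": ("udp", 4500), "sys-svc-esp": ("esp", None),
    "sys-svc-icmp": ("icmp", None), "sys-svc-icmp6": ("icmp6", None),
}
Flow = namedtuple("Flow", "src dst proto dport")
Rule = namedtuple("Rule", "src dst svc action text")

def _take_addr(toks):
    """Consume 'any' or 'alias NAME' from the front of the token list."""
    if toks[0] == "any":
        return ("any",), toks[1:]
    if toks[0] == "alias":
        return ("alias", toks[1]), toks[2:]
    raise ValueError("unsupported address spec: " + toks[0])

def parse_rule(line):
    """'<src> <dst> <service> <action>', the session-ACL field order."""
    toks = line.split()
    src, toks = _take_addr(toks)
    dst, toks = _take_addr(toks)
    if toks[0] in ("tcp", "udp"):
        svc, toks = (toks[0], int(toks[1])), toks[2:]
    else:
        svc, toks = SERVICES[toks[0]], toks[1:]  # 'any' or a named service
    return Rule(src, dst, svc, toks[0], line.strip())

def parse_acl(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def _addr_matches(spec, ip):
    return spec[0] == "any" or any(ip_address(ip) in n for n in ALIASES[spec[1]])

def _svc_matches(svc, flow):
    proto, port = svc
    return proto == "any" or (proto == flow.proto and port in (None, flow.dport))

def evaluate(rules, flow):
    """First match wins; running off the end is the implicit deny."""
    for r in rules:
        if (_addr_matches(r.src, flow.src) and _addr_matches(r.dst, flow.dst)
                and _svc_matches(r.svc, flow)):
            return r.action, r.text
    return "deny", "<implicit deny>"

ACLS = {  # rule bodies of the three ACLs as posted; the dict key is the ACL name
    "uplink-protection": """any any svc-dhcp permit
        alias public-management-ips any tcp 22 permit
        alias public-management-ips any tcp 4343 permit
        any any any deny""",
    "uplink-protection2": """any any svc-dhcp permit
        alias public-management-ips any tcp 22 permit
        alias public-management-ips any tcp 80 permit
        alias public-management-ips any tcp 443 permit
        alias public-management-ips any tcp 4343 permit
        any any tcp 22 deny
        any any tcp 443 deny
        any any tcp 80 deny
        any any tcp 4343 deny
        any any any permit""",
    "wan-uplink-protect-acl": """any any sys-svc-dhcp permit
        any any sys-svc-v6-dhcp permit
        any any sys-svc-esp permit
        any any sys-svc-natt permit
        any any sys-svc-ike permit
        any any sys-svc-icmp permit
        any any sys-svc-icmp6 permit""",
}

CTRL, MM, RANDO = "203.0.113.5", "192.0.2.10", "198.18.0.99"  # assumed addresses
FLOWS = {  # constructed packets arriving on the uplink from the internet side
    "dhcp-discover": Flow("0.0.0.0", "255.255.255.255", "udp", 67),
    "ike-from-mm": Flow(MM, CTRL, "udp", 500),
    "natt-from-mm": Flow(MM, CTRL, "udp", 4500),
    "esp-from-mm": Flow(MM, CTRL, "esp", None),
    "ping-from-mm": Flow(MM, CTRL, "icmp", None),
    "ssh-from-mgmt": Flow("198.51.100.10", CTRL, "tcp", 22),
    "ssh-from-anyone": Flow(RANDO, CTRL, "tcp", 22),
    "webui-from-anyone": Flow(RANDO, CTRL, "tcp", 4343),
    "ntp-from-anyone": Flow(RANDO, CTRL, "udp", 123),
}

def audit(acl_name):
    """Verdict ('permit' or 'deny') for every constructed flow under one ACL."""
    rules = parse_acl(ACLS[acl_name])
    return {name: evaluate(rules, f)[0] for name, f in FLOWS.items()}

def blocked_mm_flows(acl_name):
    """Mobility Master flows the named ACL would drop on the uplink."""
    return [n for n, a in audit(acl_name).items()
            if n.endswith("-from-mm") and a == "deny"]

if __name__ == "__main__":
    for acl in ACLS:
        print(acl, "drops from MM:", blocked_mm_flows(acl) or "nothing", audit(acl))
```

Running the file prints, per ACL, which of the Mobility Master flows it drops and the verdict for every flow. In this model uplink-protection sends IKE, NAT-T, ESP and ICMP from the MM into its final any any any deny, uplink-protection2 and wan-uplink-protect-acl pass them, and wan-uplink-protect-acl as posted has no management permits, so SSH from the public management alias falls to the implicit deny until permits like those in the second post are added ahead of it. The ntp-from-anyone flow shows what the closing any any any permit of uplink-protection2 leaves open, which is the concern raised about the other listening ports.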
