Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
RAP ACL Configuration

  • 1.  RAP ACL Configuration

    Posted Sep 29, 2020 07:47 AM

    Hi,

    I'm having a few frustrations trying to create an ACL to only allow RAP traffic.

    I have created an ACL to allow DHCP and any IP traffic to our two controllers. DHCP works okay and I can see ISAKMP Initiator Requests going out to the controller on Wireshark - but no response. As soon as I remove the ACL the response request comes through and the RAP finally builds its tunnel. I'm creating this ACL on a Cisco 3850 switch.

    ip access-list extended 101
     remark first #.#.#.# is the IP of MC1, second #.#.#.# is the IP of MC2
     10 permit udp any any eq bootpc
     20 permit ip any host #.#.#.#
     30 permit ip any host #.#.#.#

    Anyone have any ideas? Is there something I'm missing?

    Thanks,



  • 2.  RE: RAP ACL Configuration

    MVP GURU
    Posted Sep 29, 2020 07:55 AM

    See this: https://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/Firewall_Port_Info.php

    Make sure you allow the ports specified in the document, and if the RAPs are terminating to a Public IP instead of the controller IP itself, you configure it properly.


  • 3.  RE: RAP ACL Configuration

    EMPLOYEE
    Posted Sep 29, 2020 07:56 AM

    The list of ports is here: https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/arubaos-solutions/external-firewallconf/fire-port-conf-arub.htm

    Since you have packet capture ability, you should capture what that RAP is doing to observe what it is trying to do. Offhand, DNS comes to mind, but there could be other things that you are blocking (non-IP traffic) that might be essential and not listed on the page above.



  • 4.  RE: RAP ACL Configuration

    Posted Sep 29, 2020 08:10 AM

    Thanks for the responses.

    That's the problem - with Wireshark I should be able to see exactly what the RAP is doing and then rectify accordingly. I started with it quite tied down with just the required ports but that didn't work - same initiator request being sent with no response. I then allowed any IP traffic from the RAP, which should capture any and all ports, but can only see the Initiator Request outbound to the controller - I don't receive the response unless the ACL is removed. The response uses the same 4500 port that the initiator uses when it does work...

    I've even given the RAP a static IP and have built an ACL around that so that any and all traffic is allowed from this IP - this too is exhibiting the same outcome as above.



  • 5.  RE: RAP ACL Configuration
    Best Answer

    MVP GURU
    Posted Sep 29, 2020 08:22 AM

    Have you allowed the reverse traffic? ACLs are not stateful, in the way that you need to specify the return traffic in the rules as well. Can you allow the Controllers as a source to your RAPs in the ACL and try again?



  • 6.  RE: RAP ACL Configuration

    Posted Sep 29, 2020 08:40 AM

    Yep, that has done it.

    So even though this ACL is configured as 'out', I needed to put the reverse in the same ACL.

    Thanks for the help!

    Bw,



  • 7.  RE: RAP ACL Configuration

    EMPLOYEE
    Posted Sep 30, 2020 08:25 AM

    If you put it on the port where the AP is connected, the original ACL should be applied 'direction in', not out.
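The accepted answer's point about stateless ACLs, and the note just above about applying the list 'in' rather than 'out' on the AP-facing port, worked through as an added example (this is not code or configuration from the thread, from Cisco or from HPE Aruba). The Python below is a small evaluator for the subset of IOS extended-ACL syntax the original post uses; it runs the poster's list and the amended list against three constructed packets: a DHCP offer, the RAP's IKE request to the controller on UDP/4500, and the controller's reply. The addresses are RFC 5737 documentation addresses standing in for the redacted '#.#.#.#' values, and the direction model (which packets an 'in' or 'out' ACL on the AP port actually sees) is an assumption made for illustration.

```python
"""Stateless ACL walk-through for the RAP / controller case in this thread.
Added example, not code or configuration from the thread, Cisco or HPE Aruba:
an evaluator for the subset of Cisco IOS extended-ACL syntax the poster used.
Addresses are constructed (RFC 5737 ranges); packet fields are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BOOTPC = 68        # IOS keyword 'bootpc': DHCP client port (server -> client)
IKE_NAT_T = 4500   # UDP port the poster saw the ISAKMP exchange on


@dataclass(frozen=True)
class Packet:
    proto: str       # "udp", "tcp" or "ip"
    src: str
    dst: str
    dport: int
    from_rap: bool   # True when the RAP sent it into the switchport


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str
    src: str               # "any" or a host address
    dst: str
    dport: Optional[int]   # None when the ACE has no 'eq <port>' clause


def _take_addr(tok: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any' or 'host A.B.C.D' at tok[i]; return (address, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tok[i]}")


def parse_acl(text: str) -> List[Rule]:
    """Parse ACEs like '20 permit ip any host 203.0.113.10'; skip header and remarks."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok and tok[0].isdigit():
            tok = tok[1:]                    # drop the sequence number
        if not tok or tok[0] in ("ip", "remark"):
            continue                         # 'ip access-list ...' header or remark
        action, proto = tok[0], tok[1]
        src, i = _take_addr(tok, 2)
        dst, i = _take_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = BOOTPC if tok[i + 1] == "bootpc" else int(tok[i + 1])
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    """One packet against one ACE; protocol 'ip' matches any IP protocol."""
    return (rule.proto in ("ip", pkt.proto)
            and rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching ACE wins; every IOS ACL ends in an implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed addresses standing in for the poster's '#.#.#.#' values.
MC1, MC2, RAP = "203.0.113.10", "203.0.113.11", "192.0.2.50"

ORIGINAL_ACL = f"""
ip access-list extended 101
 10 permit udp any any eq bootpc
 20 permit ip any host {MC1}
 30 permit ip any host {MC2}
"""
# The accepted answer's fix: the controllers as *source*, toward the RAP.
FIXED_ACL = ORIGINAL_ACL + f"""
 40 permit ip host {MC1} any
 50 permit ip host {MC2} any
"""

PACKETS = {
    "dhcp_offer": Packet("udp", "192.0.2.1", "255.255.255.255", BOOTPC, False),
    "ike_request": Packet("udp", RAP, MC1, IKE_NAT_T, True),    # RAP -> controller
    "ike_reply": Packet("udp", MC1, RAP, IKE_NAT_T, False),     # controller -> RAP
}


def verdicts(acl_text: str, direction: str) -> Dict[str, str]:
    """Decisions when the ACL sits on the AP-facing switchport: 'in' filters
    what the RAP sends into the switch, 'out' what the switch sends toward
    the RAP; a packet travelling the other way never meets the ACL at all."""
    rules = parse_acl(acl_text)
    out = {}
    for name, pkt in PACKETS.items():
        filtered = (direction == "in") == pkt.from_rap
        out[name] = evaluate(rules, pkt) if filtered else "not filtered"
    return out
```

Calling verdicts(ORIGINAL_ACL, "out") returns "deny" for the controller's reply while the RAP's own request is never filtered at all, which is exactly the symptom in the thread (request visible in the capture, no response). verdicts(FIXED_ACL, "out") permits the reply once the controller-as-source entries exist, and verdicts(ORIGINAL_ACL, "in") shows the original allow-list doing its intended job on the RAP's outbound traffic, with the reply arriving through the uplink untouched. The DHCP packet also shows why DHCP worked from the start: 'eq bootpc' matches destination port 68, which is the server-to-client direction that an 'out' ACL on the AP port sees.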