Occasional Contributor I

RAP ACL Configuration

Hi,

I'm having a few frustrations trying to create an ACL to only allow RAP traffic.

I have created an ACL to allow DHCP and any IP traffic to our two controllers. DHCP works okay and I can see ISAKMP Initiator Requests going out to the controller on Wireshark - but no response. As soon as I remove the ACL the response request comes through and the RAP finally builds its tunnel. I'm creating this ACL on a Cisco 3850 switch.

ip access-list extended 101
10 permit udp any any eq bootpc
20 permit ip any host #.#.#.# (IP of MC1)
30 permit ip any host #.#.#.# (IP of MC2)
Anyone have any ideas? Is there something I'm missing?

Thanks,

All Replies
Super Contributor II

Re: RAP ACL Configuration

See this: https://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/Firewall_Port_Info.php

Make sure you allow the ports specified in the document, and if the RAPs are terminating to a Public IP instead of the controller IP itself, you configure it properly.

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSP | ACDA | ACEP | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!

Guru Elite

Re: RAP ACL Configuration

The list of ports is here: https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/arubaos-solutions/external-firewallconf/fire-port-conf-arub.htm

Since you have packet capture ability, you should capture what that RAP is doing to observe what it is trying to do. Offhand, DNS comes to mind, but there could be other things that you are blocking (non-IP traffic), that might be essential and not listed on the page above.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Occasional Contributor I

Re: RAP ACL Configuration

Thanks for the responses.

That's the problem - with Wireshark I should be able to see exactly what the RAP is doing and then rectify accordingly. I started with it quite tied down with just the required ports but that didn't work - same initiator request being sent with no response. I then allowed any IP traffic from the RAP which should capture any and all ports but can only see the Initiator Request outbound to the controller - I don't receive the response unless the ACL is removed. The response uses the same 4500 port that the initiator uses when it does work...

I've even given the RAP a static IP and have built an ACL around that so that any and all traffic is allowed from this IP - this too is exhibiting the same outcome as above.

Super Contributor II

Re: RAP ACL Configuration

Have you allowed the reverse traffic? ACLs are not stateful, in the way that you need to specify the return traffic in the rules as well. Can you allow the Controllers as a source to your RAPs in the ACL and try again?

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSP | ACDA | ACEP | CCNP | CCDP | CCNA Wireless

Occasional Contributor I

Re: RAP ACL Configuration

Yep, that has done it.

So even though this ACL is configured as 'out', I needed to put the reverse in the same ACL.

Thanks for the help!

Bw,

MVP Guru

Re: RAP ACL Configuration

If you put it on the port where the AP is connected, the original ACL should be applied 'direction in', not out.

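Added example (mine, not code from the thread or from Aruba/Cisco): a small Python model of the stateless extended ACL from the original post, replayed against the DHCP offer and both halves of the UDP 4500 ISAKMP exchange, with the ACL applied 'out' and then 'in' on the AP-facing port. It shows why only the controller's reply was dropped, why permitting the controllers as source fixes it, and why the 'in' direction would have matched the original rules as written. All addresses are constructed placeholders standing in for the masked #.#.#.# values.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder addresses; the thread masks the real controller IPs as #.#.#.#.
RAP, MC1, MC2, DHCP_SRV = "10.0.0.50", "10.1.1.1", "10.1.1.2", "10.0.0.1"
BOOTPC, NAT_T = 68, 4500  # DHCP client port (bootpc); ISAKMP over NAT-T

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    from_ap: bool  # True: sent by the RAP; False: forwarded towards the RAP

@dataclass(frozen=True)
class Rule:
    """One extended-ACL entry: <action> <proto> <src> <dst> [eq <dport>]."""
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto) and self.src in ("any", p.src)
                and self.dst in ("any", p.dst) and self.dport in (None, p.dport))

def evaluate(acl, p):
    """IOS semantics: first matching entry wins, implicit deny at the end."""
    return next((r.action for r in acl if r.matches(p)), "deny")

def apply_on_ap_port(acl, direction, p):
    """Applied 'in' the ACL only sees frames the AP sends; applied 'out' it only
    sees frames forwarded to the AP. Anything else bypasses it entirely."""
    return evaluate(acl, p) if (direction == "in") == p.from_ap else "permit"

ORIGINAL_ACL = [Rule("permit", "udp", "any", "any", BOOTPC),   # 10
                Rule("permit", "ip", "any", MC1),               # 20
                Rule("permit", "ip", "any", MC2)]               # 30
# The accepted answer: permit the controllers as *source* so replies match too.
FIXED_ACL = ORIGINAL_ACL + [Rule("permit", "ip", MC1, "any"), Rule("permit", "ip", MC2, "any")]

DHCP_OFFER = Packet("udp", DHCP_SRV, RAP, BOOTPC, from_ap=False)
ISAKMP_INIT = Packet("udp", RAP, MC1, NAT_T, from_ap=True)
ISAKMP_RESP = Packet("udp", MC1, RAP, NAT_T, from_ap=False)

def tunnel_completes(acl, direction):
    """True only if both halves of the UDP 4500 exchange get through."""
    return all(apply_on_ap_port(acl, direction, p) == "permit" for p in (ISAKMP_INIT, ISAKMP_RESP))
```

With the original ACL applied 'out', the DHCP offer matches entry 10 (destination port bootpc) while the controller's UDP 4500 reply matches nothing and hits the implicit deny, which is exactly the capture the poster described.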