In many deployment scenarios, an external firewall is situated between Arubadevices. This appendix describes the network ports that need to be configured on the external firewall to allow proper operation of the Arubanetwork. You can also use this information to configure session ACLs to apply to physical ports on the controllerfor enhanced security. Note, however, that this appendix does not describe requirements for allowing specific types of user traffic on the network.
A controlleruses both its loopback address and VLAN addresses for communications with other network elements. If the firewall uses host-specific ACLS,those ACLs must specify all IP addresses used on the controller.
This appendix includes the following topics:
This section describes the network ports that need to be configured on the firewall to allow proper operation of the Aruba network.
Between any two controllers:
IPsec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local controlleris encapsulated in IPsec .
IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.
GRE (protocol 47) if tunneling guest traffic over GRE to DMZ controller.
IKE (UDP 500).
ESP (protocol 50).
NAT-T (UDP 4500).
Between an AP and the master controller:
PAPI (UDP port 8211).If the AP uses DNS to discover the LMS controller, the AP first attempts to connect to the master controller. (Also allow DNS (UDP port 53) traffic from the AP to the DNS server.)
PAPI (UDP port 8211). All APs running as Air Monitors (AMs) require a permanent PAPI connection to the master controller.
From an AP to the LMS controller:
FTP (TCP port 21).
TFTP (UDP port 69) for AP-52. For all other APs, if there is no local image on the AP (for example, a brand new AP) the AP will use TFTP to retrieve the initial image.
NTP (UDP port 123).
SYSLOG (UDP port 514).
PAPI (UDP port 8211).
GRE (protocol 47).
Between a Remote AP (IPsec) and a controller:
NAT-T (UDP port 4500).
TFTP (UDP port 69)
TFTP is not needed for normal operation. If the remote AP loses its local image for any reason, it will use TFTP to download the latest image.
This section describes the network ports that need to be configured on the firewall to manage the Arubanetwork.
For WebUI access between the network administrator’s computer (running a Web browser) and a controller:
HTTP (TCP ports 80 and 8888) or HTTPS (TCP ports 443 and 4343).
SSH (TCP port 22) or TELNET (TCP port 23).
For ArubaMobility Management System (MMS) access between the network administrator's computer (running a Web browser) and the MMS Server:
HTTPS (TCP port 443).
HTTP (TCP port 80).1
SSH (TCP port 22) for troubleshooting.
For SSL tunnels between MMS Servers in high availability configuration:
TCP 11312 (used for application messages).
TCP 11315 (used for database synchronization).
TCP 11873 (used for file synchronization).
For MMSaccess between the MMSServer and controllers:
SNMP (UDP ports 161 and 162).
PAPI (UDP port 8211 and TCP port 8211).
HTTPS (TCP port 443).
This section describes the network ports that need to be configured on the firewall to allow other types of traffic in the Aruba network. You should only allow traffic as needed from these ports.
For logging: SYSLOG (UDP port 514) between the controller and syslog servers.
For software upgrade or retrieving system logs: TFTP (UDP port 69) or FTP (TCP ports 21 and 22) between the controller and a software distribution server.
If the controlleris a PPTP VPN server, allow PPTP (UDP port 1723) and GRE (protocol 47) to the controller.
If the controlleris an L2TP VPN server, allow NAT-T (UDP port 4500), ISAKMP (UDP port 500) and ESP (protocol 50) to the controller.
If a third-party network management system is used, allow SNMP (UDP ports 161 and 162) between the network management system and all controllers. If the ArubaOSversion is earlier than 2.5, allow SNMP traffic between the network management system and APs.
For authentication with a RADIUS server: RADIUS (typically, UDP ports 1812 and 813, or 1645 and 1646) between the controller and the RADIUS server.
For authentication with an LDAP server: LDAP (UDP port 389) or LDAPS (UDP port 636) between the controller and the LDAP server.
For authentication with a TACACS+ server: TACACS (TCP port 49) between the controllerand the TACACS+ server.
For NTP clock setting: NTP (UDP port 123) between all controllersand the MMS server and NTP server.
For packet captures: UDP port 5555 from an AP to an Ethereal packet-capture station; UDP port 5000 from an AP to a Wildpackets packet-capture station.
For telnet access: Telnet (TCP port 23) from the network administrator's computer to any AP,if “telnet enable” is present in the “ap location 0.0.0" section of the controller configuration.
For External Services Interface (ESI): ICMP (protocol 1) and syslog (UDP port 514) between a controller and any ESI servers.
For XML API: HTTP (TCP port 80) or HTTPS (TCP port 443) between a controllerand an XML-API client.
1. Check the MMS release documentation for requirements, as this network port may not be required for future releases.