firewall

firewall {allow-tri-session|amsdu|attack-rate {cp <rate>|ping <number>|session <number>|tcp-syn <number>}|broadcast-filter-arp|bwcontracts-subnet-broadcast|clear-sessions-role-update|cp|cp-bandwidth-contract|deny-inter-user-bridging|deny-inter-user-traffic|disable-ftp-server|disable-stateful-h323-processing|disable-stateful-sccp-processing|disable-stateful-sip-processing|disable-stateful-ua-processing|disable-stateful-vocera-processing|drop-ip-fragments
|enable-per-packet-logging|enforce-tcp-handshake|enforce-tcp-sequence|gre-call-id-processing
|local-valid-users|log-icmp-error|prohibit-arp-spoofing|prohibit-ip-spoofing|prohibit-rst-replay
|session-idle-timeout <seconds>|session-mirror-destination {ip-address <ipaddr>|port <slot>/<port>}|session-mirror-ipsec|session-voip-timeout <seconds>|shape-mcast|voip-wmm-content-enforcement}

Description

This command configures firewall options on the controller.

Syntax

Parameter

Description

Range

Default

allow-tri-session

Allows three-way session when performing destination NAT. This option should be enabled when the controller is not the default gateway for wireless clients and the default gateway is behind the controller. This option is typically used for captive portal configuration.

disabled

amsdu

Aggregated Medium Access Control Service Data Units (AMSDU) packets are dropped if this option is enabled.


disabled

attack-rate

Sets rates which, if exceeded, can indicate a denial of service attack.

broadcast-filter-arp

If enabled, all broadcast ARP requests are converted to unicast and sent directly to the client. You can check the status of this option using the show ap active and show datapath tunnel commands. If enabled, the output displays the letter a in the flags column.

disabled

bwcontracts-subnet-broadcast

Applies bandwidth contracts to local subnet broadcast traffic.


clear-sessions-role-update

This clears the datapath sessions when roles are updated.

cp

See firewall cp


cp-bandwidth-contract

See firewall cp-bandwidth-contract


deny-inter-user-bridging

Prevents the forwarding of Layer 2 traffic between wired or wireless users. You can configure user role policies that prevent Layer 3 traffic between users or networks, but this does not block Layer 2 traffic. This option can be used to prevent non-IP traffic, such as AppleTalk or IPX, from being forwarded. If enabled, all non-IP traffic to an untrusted port or tunnel is also blocked.

disabled

deny-inter-user-traffic

Denies downstream traffic between users in a wireless network (untrusted users) by disallowing layer2 and layer3 traffic. This parameter does not depend on the deny-inter-user-bridging parameter being enabled or disabled.


disabled

disable-ftp-server

Disables the FTP server on the controller. Enabling this option prevents FTP transfers.

Enabling this option could cause APs to not boot up. You should not enable this option unless instructed to do so by an Aruba representative.

disabled

disable-stateful-h323-processing

Disables stateful H.323 processing.

disabled

disable-stateful-sccp-processing

Disables SCCP processing.

disabled

disable-stateful-sip-processing

Disables monitoring of exchanges between a voice over IP or voice over WLAN device and a SIP server. This option should be enabled only when there is no VoIP or VoWLAN traffic on the network.

disabled

disable-stateful-ua-processing

Disables stateful UA processing.

disabled

disable-stateful-vocera-processing

Disables stateful VOCERA processing.

disabled

drop-ip-fragments

When enabled, all IP fragments are dropped. You should not enable this option unless instructed to do so by an Aruba representative.

disabled

enable-per-packet-logging

Enables logging of every packet if logging is enabled for the corresponding session rule. Normally, one event is logged per session. If you enable this option, each packet in the session is logged. You should not enable this option unless instructed to do so by an Aruba representative, as doing so may create unnecessary overhead on the controller.

disabled

enforce-tcp-handshake

Prevents data from passing between two clients until the three-way TCP handshake has been performed. This option should be disabled when you have mobile clients on the network as enabling this option will cause mobility to fail. You can enable this option if there are no mobile clients on the network.

disabled

enforce-tcp-sequence

Enforces the TCP sequence numbers for all packets.

disabled

gre-call-id-processing

Creates a unique state for each PPTP tunnel. You should not enable this option unless instructed to do so by an Aruba representative.

disabled

local-valid-users

Adds only IP addresses that belong to a local subnet to the user table.

disabled

log-icmp-error

Logs received ICMP errors. You should not enable this option unless instructed to do so by an Aruba representative.

disabled

prohibit-arp-spoofing

Detects and prohibits ARP spoofing. When this option is enabled, possible ARP spoofing attacks are logged and an SNMP trap is sent.

disabled

prohibit-ip-spoofing

Detects IP spoofing (where an intruder sends messages using the IP address of a trusted client). When this option is enabled, source and destination IP and MAC addresses are checked; possible IP spoofing attacks are logged and an SNMP trap is sent.

disabled

prohibit-rst-replay

Closes a TCP connection in both directions if a TCP RST is received from either direction. You should not enable this option unless instructed to do so by an Aruba representative.

disabled

session-idle-timeout

Time, in seconds, that a non-TCP session can be idle before it is removed from the session table. You should not modify this option unless instructed to do so by an Aruba representative.

16-259

15 seconds

session-mirror-destination

Destination to which mirrored packets are sent. This option is used only for troubleshooting or debugging.

Packets can match mirror rules in multiple ACLs; only a single copy is mirrored when there is a match in more than one ACL.

You can configure the following: 

Ethertype to be mirrored with the Ethertype ACL mirror option. See ip access-list eth.

IP flows to be mirrored with the session ACL mirror option. See ip access-list session.

MAC flows to be mirrored with the MAC ACL mirror option. See ip access-list mac.

If you configure both an IP address and a port to receive mirrored packets, the IP address takes precedence.

session-mirror-ipsec

Configures session mirroring of all frames that are processed by IPsec. Frames are sent to IP address specified by the session-mirror-destination option. This option is used only for troubleshooting or debugging.

disabled

session-voip-timeout

Idle session timeout, in seconds, for sessions that are marked as voice sessions. If no voice packet exchange occurs over a voice session for the specified time, the voice session is removed.

16-300

300 seconds

shape-mcast

Enables multicast optimization and provides excellent streaming quality regardless of the number of VLANs or IP IGMP groups that are used.

disabled

voip-wmm-content-enforcement

If traffic to or from the user is inconsistent with the associated QoS policy for voice, the traffic is reclassified to best effort and the data path counters are incremented.

This parameter requires the PEFNG license.

disabled

Usage Guidelines

This command configures global firewall options on the controller.

Example

The following command disallows forwarding of non-IP frames between users:

firewall deny-inter-user-bridging

Related Commands

(host) (config) #show firewall

Command History

Version

Modification

ArubaOS 3.0

Command introduced.

ArubaOS 3.2

The wmm-voip-content-enforcement parameter was introduced.

ArubaOS 3.3

The session-mirror-destination parameter was modified.

ArubaOS 3.3.2

The local-valid-users parameter was added.

ArubaOS 3.4

The voip-proxy-arp parameter was renamed to broadcast-filter-arp and it does not require a Voice license.

The prohibit-arp-spoofing parameter was added.

The deny-inter-user-traffic parameter was added.


ArubaOS 6.0

The shape-mcast parameter was added.

ArubaOS 6.1

The functionality of the prohibit-ip-spoofing feature was enhanced. In previous versions of ArubaOS, this feature checked only the source IP and the source MAC address in the frame. Starting with ArubaOS 6.1, this feature also checks the destination IP and the destination MAC address in the frame.

The parameter amsdu was added.

The parameter clear-sessions-role-update was added.

Command Information

Platform

License

Command Mode

Available on all platforms

This command requires the PEFNG license

Config mode on master controllers

firewall cp

firewall cp {deny|permit} proto <IP protocol number> ports <start port number>
<last port number> [bandwidth-contract <name>]

no ...

Description

This command creates whitelist session ACLs. Whitelist ACLs consist of rules that explicitly permit or deny session traffic from being forwarded to the controller. Unlike a blacklist, where traffic is forwarded to the controller unless it is specifically denied, a whitelist forwards only traffic that is explicitly permitted. The maximum number of entries allowed in the whitelist is 64.

Syntax

Parameter

Description

Range

Default

deny

Specifies the entry to reject on the session ACL whitelist

disabled

proto

Indicates the protocol.

IP protocol number

Specifies the IP protocol number that is rejected.

1-255

ports

Port that the session traffic is using


start port

Specifies the start port

1-65535


last port

Specifies the last port

1-65535


permit

Specifies an entry that is allowed on the session ACL whitelist


proto

Protocol that the session traffic is using

IP protocol number

Specifies the IP protocol number that is allowed

1-255

ports

Indicates the port on which session traffic is running


start port

Specifies the starting port, in the port range, on which session traffic is running.

1-65535


last port

Specifies the last port, in the port range, on which session traffic is running.

1-65535


bandwidth-contract <name>

Specify the name of a bandwidth contract defined via the cp-bandwidth-contract command.


Usage Guidelines

This command turns the session ACL from a blacklist to a whitelist. A rule must exist that explicitly permits the session before it is forwarded to the controller and the last rule in the list denies everything else.

Example

The following command creates a whitelist ACL that allows traffic using protocol 6 on ports 5000 through 6000 to be forwarded to the controller.

(host) (config-fw-cp) #firewall cp permit proto 6 ports 5000 6000

The following command creates a whitelist ACL entry that denies traffic using protocol 2 on port 5000 from being forwarded to the controller:

(host) (config-fw-cp) #firewall cp deny proto 2 ports 5000 5000
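The following Python model is an added illustration of the whitelist semantics described above; it is not ArubaOS code and not part of this reference. It parses the two example commands into rules (explicit permit or deny on an IP protocol number and an inclusive port range, optionally naming a cp-bandwidth-contract), enforces the 64-entry limit, and applies the implicit final deny to anything not explicitly permitted. Evaluating rules in configured order with the first match winning, the third rule, the contract name cp-udp and the sample flows are assumptions; the page does not state the controller's matching order.

```python
"""Model of the control-plane (CP) whitelist ACL configured with `firewall cp`.

Added example, not ArubaOS code. From the reference: rules explicitly permit or
deny session traffic to the controller by IP protocol number (1-255) and an
inclusive port range (1-65535), a rule may name a cp-bandwidth-contract, the
list holds at most 64 entries, and everything not explicitly permitted is
denied. Assumptions: rules are evaluated in configured order with the first
match winning; the extra rule, contract name and sample flows are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_WHITELIST_ENTRIES = 64  # stated limit for the whitelist


@dataclass(frozen=True)
class CpRule:
    action: str                               # "permit" or "deny"
    proto: int                                # IP protocol number
    start_port: int                           # first port of the range
    last_port: int                            # last port of the range (inclusive)
    bandwidth_contract: Optional[str] = None  # name from cp-bandwidth-contract

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if not 1 <= self.proto <= 255:
            raise ValueError("proto must be 1-255")
        if not 1 <= self.start_port <= self.last_port <= 65535:
            raise ValueError("ports must be 1-65535 with start <= last")

    def matches(self, proto: int, port: int) -> bool:
        return self.proto == proto and self.start_port <= port <= self.last_port


def parse_cp_command(line: str) -> CpRule:
    """Parse one `firewall cp {deny|permit} proto <n> ports <start> <last>
    [bandwidth-contract <name>]` line into a CpRule."""
    tokens = line.split()
    if len(tokens) < 8 or tokens[:2] != ["firewall", "cp"]:
        raise ValueError(f"not a firewall cp command: {line!r}")
    action, kw_proto, proto, kw_ports, start, last = tokens[2:8]
    if kw_proto != "proto" or kw_ports != "ports":
        raise ValueError(f"unexpected keywords in: {line!r}")
    contract = None
    extra = tokens[8:]
    if extra:
        if len(extra) != 2 or extra[0] != "bandwidth-contract":
            raise ValueError(f"unexpected trailing tokens in: {line!r}")
        contract = extra[1]
    return CpRule(action, int(proto), int(start), int(last), contract)


class CpWhitelist:
    """Ordered whitelist with the implicit final deny."""

    def __init__(self) -> None:
        self.rules: List[CpRule] = []

    def add(self, rule: CpRule) -> None:
        if len(self.rules) >= MAX_WHITELIST_ENTRIES:
            raise OverflowError("whitelist is full (64 entries)")
        self.rules.append(rule)

    def evaluate(self, proto: int, port: int) -> Tuple[str, Optional[str]]:
        """Return (verdict, bandwidth_contract) for a flow headed to the controller."""
        for rule in self.rules:              # assumption: first match wins
            if rule.matches(proto, port):
                return rule.action, rule.bandwidth_contract
        return "deny", None                  # implicit last rule: deny everything else


def example_whitelist() -> CpWhitelist:
    """The two rules from the Example section plus a constructed permit rule
    carrying a contract name (cp-udp is a placeholder, not from the page)."""
    wl = CpWhitelist()
    for line in (
        "firewall cp permit proto 6 ports 5000 6000",
        "firewall cp deny proto 2 ports 5000 5000",
        "firewall cp permit proto 17 ports 10000 10100 bandwidth-contract cp-udp",
    ):
        wl.add(parse_cp_command(line))
    return wl


if __name__ == "__main__":
    wl = example_whitelist()
    for proto, port in ((6, 5500), (6, 7000), (2, 5000), (17, 10050), (17, 123)):
        print(proto, port, wl.evaluate(proto, port))
```

Running the block shows that protocol 6 on port 7000 and protocol 17 on port 123 are both denied even though no rule names them, which is the whitelist behaviour the Usage Guidelines describe: the explicit deny for protocol 2 only matters if a broader permit for that protocol is configured after it.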


Related Commands

Command

Description

Mode

show firewall-cp

Show Control Processor (CP) whitelist ACL info.

Enable or Config modes

cp-bandwidth-contract

This command configures a bandwidth contract traffic rate which can then be associated with a whitelist session ACL.

Enable or Config modes

Command History

Introduced in ArubaOS 3.4

Command Information

Platform

License

Command Mode

Available on all platforms

This command requires the PEFNG license

Config mode on master controllers

firewall cp-bandwidth-contract

firewall cp-bandwidth-contract {auth|route|sessmirr|trusted-mcast|trusted-ucast
|untrusted-mcast|untrusted-ucast} <Rate>

Description

This command configures bandwidth contract traffic rate limits to prevent denial of service attacks.

Syntax

Parameter

Description

Range

Default

auth

Specifies the traffic rate limit that is forwarded to the authentication process.

1-200 Mbps

1

route

Specifies the rate limit for traffic that requires ARP requests.

1-200 Mbps

1

sessmirr

Specifies the rate limit for session-mirrored traffic forwarded to the controller.

1-200 Mbps

1

trusted-mcast

Specifies the trusted multicast traffic rate limit.

1-200 Mbps

2

trusted-ucast

Specifies the trusted unicast traffic rate limit.

1-200 Mbps

80

untrusted-mcast

Specifies the untrusted multicast traffic rate limit.

1-200 Mbps

2

untrusted-ucast

Specifies the untrusted unicast traffic rate limit.

1-200 Mbps

10

Usage Guidelines

This command configures firewall bandwidth contract options on the controller.

Example

The following command disallows forwarding of non-IP frames between users:

(host) (config) #firewall deny-inter-user-bridging
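To show what the contract rates above do for the control plane, here is an added Python model that is not ArubaOS code and not part of this reference. It rate-limits a constructed trace of packets destined for the controller with one token bucket per traffic class, seeded with the default rates from the table (1-200 Mbps range). The page gives only the classes, ranges and defaults; the token-bucket algorithm, the one-second burst depth, and the packet trace are assumptions.

```python
"""Token-bucket model of the per-class `firewall cp-bandwidth-contract` limits.

Added example, not ArubaOS code. The classes, the 1-200 Mbps range and the
default rates come from the reference table; the token-bucket mechanism, the
one-second burst depth and the traffic trace are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# Default rates in Mbps, as listed in the reference table.
DEFAULT_CONTRACTS_MBPS: Dict[str, int] = {
    "auth": 1,
    "route": 1,
    "sessmirr": 1,
    "trusted-mcast": 2,
    "trusted-ucast": 80,
    "untrusted-mcast": 2,
    "untrusted-ucast": 10,
}


class TokenBucket:
    """Classic token bucket: tokens are bits, refilled at the contract rate."""

    def __init__(self, rate_mbps: int, burst_seconds: float = 1.0) -> None:
        if not 1 <= rate_mbps <= 200:
            raise ValueError("contract rate must be 1-200 Mbps")
        self.rate_bps = rate_mbps * 1_000_000
        self.capacity = self.rate_bps * burst_seconds  # assumed burst depth
        self.tokens = self.capacity
        self.last = 0.0

    def allow(self, now: float, bits: int) -> bool:
        """Refill for elapsed time, then forward the packet only if enough tokens remain."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate_bps)
        self.last = max(self.last, now)
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


class CpBandwidthContracts:
    """One bucket per class; overrides mimic `firewall cp-bandwidth-contract <class> <Rate>`."""

    def __init__(self, overrides: Optional[Dict[str, int]] = None) -> None:
        rates = dict(DEFAULT_CONTRACTS_MBPS)
        for name, rate in (overrides or {}).items():
            if name not in rates:
                raise ValueError(f"unknown contract class: {name}")
            rates[name] = rate
        self.buckets = {name: TokenBucket(rate) for name, rate in rates.items()}

    def run(self, trace: List[Tuple[float, str, int]]) -> Dict[str, Dict[str, int]]:
        """Apply the contracts to (time_s, class, bytes) packets; return per-class counts."""
        stats = {name: {"forwarded": 0, "dropped": 0} for name in self.buckets}
        for now, cls, nbytes in sorted(trace, key=lambda e: e[0]):
            if cls not in self.buckets:
                raise ValueError(f"unknown contract class: {cls}")
            ok = self.buckets[cls].allow(now, nbytes * 8)
            stats[cls]["forwarded" if ok else "dropped"] += 1
        return stats


def constructed_trace() -> List[Tuple[float, str, int]]:
    """Constructed traffic: a 24 Mb burst of untrusted unicast at t=0 (2000 x 1500 B),
    500 more packets one second later, and 50 small auth packets at t=0."""
    trace = [(0.0, "untrusted-ucast", 1500) for _ in range(2000)]
    trace += [(1.0, "untrusted-ucast", 1500) for _ in range(500)]
    trace += [(0.0, "auth", 500) for _ in range(50)]
    return trace


if __name__ == "__main__":
    for label, overrides in (("defaults", None), ("untrusted-ucast 80", {"untrusted-ucast": 80})):
        stats = CpBandwidthContracts(overrides).run(constructed_trace())
        print(label, stats["untrusted-ucast"], stats["auth"])
```

With the default 10 Mbps contract the model forwards 833 of the 2000 burst packets (833 x 12,000 bits fits under the 10 Mb burst depth) and drops the rest, while the 500 packets sent a second later all pass once the bucket has refilled; raising untrusted-ucast to 80 Mbps, as the command allows, lets the whole burst through. The auth class, with its own 1 Mbps bucket, is unaffected by the unicast burst, which is the isolation the per-class contracts are meant to give.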

Related Commands

(host) (config) #show firewall

Command History

Introduced in ArubaOS 3.4

Command Information

Platform

License

Command Mode

Available on all platforms

This command requires the PEFNG license

Config mode on master controllers

Note: this release has not been updated since the release of the PDF.