ArubaOS 8.6.0.0 Help Center

Understanding Firewall Port Configuration in Aruba Devices

This section describes the network ports that need to be configured on the firewall to allow proper operation of the network.

Communication Between Managed Devices

Configure the following ports to enable communication between any two managed devices:

IPsec (UDP port 4500) for communication between Mobility Master and a managed device.

IPsec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between Mobility Master and a managed device is encapsulated in IPsec.

IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled

GRE (protocol 47) if tunneling guest traffic over GRE to a DMZ managed device

IKE (UDP 500)

ESP (protocol 50)

NAT-T (UDP 4500)

Communication Between APs and the Managed Device

APs use Trivial File Transfer Protocol (TFTP) during their initial boot to grab their software image and configuration from the managed device. After the initial boot, the APs use FTP to retrieve their software images and configurations from the managed device. In many deployment scenarios, an external firewall is situated between various Aruba devices.

Configure the following ports to enable communication between an AP and the managed device:

PAPI (UDP port 8211). If the AP uses DNS to discover the LMS managed device, the AP first attempts to connect to the managed device. (Also allow DNS (UDP port 53) traffic from the AP to the DNS server.)

PAPI (UDP port 8211). All APs running as Air Monitors (AMs) require a permanent PAPI connection to the managed device.

FTP (TCP port 21)

TFTP (UDP port 69). All campus APs; if there is no local image on the AP or if the image needs to be upgraded (for example, a new AP), the AP will use TFTP to retrieve the initial image. For remote APs, upgrade the image only by FTP and not TFTP.

SYSLOG (UDP port 514)

PAPI (UDP port 8211)

GRE (protocol 47)

Control Plane Security (CPsec) uses UDP port 4500

Communication Between Remote APs and the Managed Device

Configure the following ports to enable communication between a remote AP (IPsec) and a managed device:

NAT-T (UDP port 4500)

TFTP (UDP port 69)

TFTP is not needed for normal operation. If the remote AP loses its local image for any reason, it will use TFTP to download the latest image.
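The three port lists above, as an added example that is not part of the ArubaOS documentation: the required flows are encoded as data so that an allow-list exported from the external firewall can be audited for gaps (required flows that are not permitted) and for entries the lists never ask for, and rendered as nftables-style rules for review. The role names (ap, remote_ap, managed, dns), the named-set rule syntax and the sample allow-list are assumptions constructed for this example, not Aruba's own tooling.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str            # role of the sender (role names are assumptions for this example)
    dst: str            # role of the receiver
    proto: str          # "udp", "tcp", or "ip" for a bare IP protocol number
    number: int         # destination port for udp/tcp, protocol number for ip
    service: str        # what the page says the flow carries
    condition: Optional[str] = None   # deployment-dependent caveat from the page


# Required flows, transcribed from the three lists on the page.
MANAGED_TO_MANAGED = [
    Flow("managed", "managed", "udp", 500, "IKE"),
    Flow("managed", "managed", "udp", 4500, "IPsec NAT-T / Mobility Master to managed device"),
    Flow("managed", "managed", "ip", 50, "ESP"),
    Flow("managed", "managed", "ip", 94, "IP-IP", "Layer-3 mobility is enabled"),
    Flow("managed", "managed", "udp", 443, "Layer-3 mobility", "Layer-3 mobility is enabled"),
    Flow("managed", "managed", "ip", 47, "GRE", "guest traffic is tunneled over GRE to a DMZ managed device"),
]
AP_TO_MANAGED = [
    Flow("ap", "managed", "udp", 8211, "PAPI"),
    Flow("ap", "dns", "udp", 53, "DNS for LMS discovery", "the AP discovers the LMS via DNS"),
    Flow("ap", "managed", "tcp", 21, "FTP image and configuration"),
    Flow("ap", "managed", "udp", 69, "TFTP initial image", "campus APs only, not remote APs"),
    Flow("ap", "managed", "udp", 514, "SYSLOG"),
    Flow("ap", "managed", "ip", 47, "GRE"),
    Flow("ap", "managed", "udp", 4500, "CPsec"),
]
REMOTE_AP_TO_MANAGED = [
    Flow("remote_ap", "managed", "udp", 4500, "NAT-T (IPsec)"),
    Flow("remote_ap", "managed", "udp", 69, "TFTP image recovery", "only when the local image is lost"),
]
ALL_REQUIRED = MANAGED_TO_MANAGED + AP_TO_MANAGED + REMOTE_AP_TO_MANAGED


def key(f: Flow):
    """Tuple form of a flow, matching the shape of an exported allow-list entry."""
    return (f.src, f.dst, f.proto, f.number)


def missing_flows(allowed, required=ALL_REQUIRED):
    """Required flows not covered by `allowed`, a set of (src, dst, proto, number)
    tuples taken from the existing firewall policy. Each one is a flow the
    page says must be open, so a hit here predicts a broken function (no
    syslog from APs, CPsec failing to come up, and so on)."""
    return [f for f in required if key(f) not in allowed]


def unexpected_flows(allowed, required=ALL_REQUIRED):
    """Allowed tuples the page never asks for between these roles: candidates
    for review and tightening under least privilege."""
    needed = {key(f) for f in required}
    return sorted(t for t in allowed if t not in needed)


def render_nft(flows):
    """Render flows as nftables-style rules using named address sets (@ap,
    @managed, ...). Illustrative syntax; adapt to the firewall actually in use."""
    out = []
    for f in flows:
        if f.proto in ("udp", "tcp"):
            match = f"{f.proto} dport {f.number}"
        else:
            match = f"ip protocol {f.number}"
        note = f.service + (f" (only if {f.condition})" if f.condition else "")
        out.append(f'ip saddr @{f.src} ip daddr @{f.dst} {match} accept comment "{note}"')
    return out


# Constructed sample allow-list for the AP-to-managed-device path: it omits
# SYSLOG and CPsec, and permits one flow (tcp/22) the page does not list.
SAMPLE_ALLOWED = {
    ("ap", "managed", "udp", 8211), ("ap", "dns", "udp", 53),
    ("ap", "managed", "tcp", 21), ("ap", "managed", "udp", 69),
    ("ap", "managed", "ip", 47), ("ap", "managed", "tcp", 22),
}

if __name__ == "__main__":
    for f in missing_flows(SAMPLE_ALLOWED, AP_TO_MANAGED):
        print("MISSING:", f.service, key(f))
    for t in unexpected_flows(SAMPLE_ALLOWED):
        print("NOT REQUIRED BY THE PAGE:", t)
    print("\n".join(render_nft(AP_TO_MANAGED)))
```

Conditional entries (Layer-3 mobility, GRE to a DMZ managed device, TFTP for campus APs only) are carried as a `condition` so the audit can report them separately from unconditional requirements; drop them from `ALL_REQUIRED` for deployments where the condition does not hold, otherwise the audit will ask for ports that need not be open.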
