ArubaOS 8.6.0.0 Help Center

Firewall Policies

A firewall policy identifies specific characteristics about a data packet passing through the Aruba Managed Device and takes some action based on that identification. In an Aruba Managed Device, that action can be a firewall-type action such as permitting or denying the packet, an administrative action such as logging the packet, or a QoS action such as setting 802.1p bits or placing the packet into a priority queue. You can apply firewall policies to user roles to give differential treatment to different users on the same network, or to physical ports to apply the same policy to all traffic through the port.

Firewall policies differ from ACLs in three main ways:

Firewall policies are stateful, meaning that they recognize flows in a network and keep track of the state of sessions. For example, if a firewall policy permits telnet traffic from a client, the policy also recognizes that inbound traffic associated with that session should be allowed.

Firewall policies are bi-directional, meaning that they keep track of data connections traveling into or out of the network. ACLs are normally applied to either traffic inbound to an interface or outbound from an interface.

Firewall policies are dynamic, meaning that address information in the policy rules can change as the policies are applied to users. For example, the alias user in a policy automatically applies to the IP address assigned to a particular user. ACLs typically require static IP addresses in the rule.


You can apply IPv4 and IPv6 firewall policies to the same user role. See IPv6 Support for information about configuring IPv6 firewall policies.

Workflow for Configuring Firewall Policies

You can configure one or more firewall policies. This section describes how to configure the rules that constitute a firewall policy. In order to configure the correct firewall policies, ensure that you first understand ACLs, how to work with them, and what role-based ACLs are.

Working With ACLs

ACLs are a common way of restricting certain types of traffic on a physical port. ArubaOS provides the following types of ACLs:

Standard ACLs permit or deny traffic based on the source IP address of the packet. Standard ACLs can be either named or numbered, with valid numbers in the range of 1-99 and 1300-1399. Standard ACLs use a bitwise mask to specify the portion of the source IP address to be matched.

Extended ACLs permit or deny traffic based on source or destination IP address, source or destination port number, or IP protocol. Extended ACLs can be named or numbered, with valid numbers in the range 100-199 and 2000-2699.

MAC ACLs are used to filter traffic on a specific source MAC address or range of MAC addresses. Optionally, you can mirror packets to a datapath or remote destination for troubleshooting and debugging purposes. MAC ACLs can be either named or numbered, with valid numbers in the range of 700-799 and 1200-1299.

Ethertype ACLs are used to filter based on the Ethertype field in the frame header. Optionally, you can mirror packets to a datapath or remote destination for troubleshooting and debugging purposes. Ethertype ACLs can be either named or numbered, with valid numbers in the range of 200-299. These ACLs can be used to permit IP while blocking other non-IP protocols, such as IPX or AppleTalk.

Service ACLs provide a generic way to restrict how protocols and services from specific hosts and subnets to the Mobility Master are used. Rules with this ACL are applied to all traffic on the Mobility Master regardless of the ingress port or VLAN.

Routing ACLs forward packets to a device defined by an IPsec map, a next-hop list, a tunnel or a tunnel group.


Routing ACL is the only supported ACL type that can be configured on a VLAN interface. Other ACL types are not supported.

ArubaOS provides both standard and extended ACLs for compatibility with router software from popular vendors; however, firewall policies provide equivalent and greater function than standard and extended ACLs and should be used instead.

You can apply MAC and Ethertype ACLs to a user role; however, these ACLs only apply to non-IP traffic from the user.

Role-Based ACL

Role-based ACL is a feature available on Aruba controllers to apply policies to traffic matching a particular user role. Earlier, this feature was supported only when the users were present on the same controller. Starting from ArubaOS 8.6.0.0, this feature is extended to support multi-controller deployments. Role-to-role ACL can now be assigned to two users terminating on different controllers. This feature is configured by creating a policy domain group profile and adding the IP addresses of the controllers.

Role-based ACL supports a mix of controller models, with the exception of 9004 and x86 Virtual Mobility Controllers. To apply role-based ACL for 9004 and x86 Virtual Mobility Controller models, all the controllers have to be either 9004 or x86 VMCs respectively. To apply role-based ACL to x86 Virtual Mobility Controllers, all the controllers have to be managed by the same Mobility Master.

Role-based ACL works across multiple controllers only if the role is configured as a destination role in at least one ACL.

Role-based ACL cannot be applied to the following:

L2 multicast traffic

L3 multicast/broadcast traffic

ClearPass Policy Manager downloadable user role

The following CLI commands create a role-based ACL in a multi-controller deployment:

(host) [md] policy-domain group-profile <name>

(host) [md] (Policy Domain Profile "name") controller <ip> <macaddress>


Only one policy domain group profile is supported in this release. The commands must be executed in the /md node. The policy domain group profile supports IPv4 and IPv6 addresses, but not a combination of both.

The tasks for configuring a firewall policy are:

1. Configure the rules that constitute a firewall policy.

See Creating a Firewall Policy.

2. Create a network service alias. A network service alias defines a TCP, UDP, or IP protocol and a list or range of ports supported by that service.

See Creating a Network Service Alias.

3. Create an ACL white list. The ACL white list consists of rules that explicitly permit session traffic to be forwarded to the managed device or deny it from being forwarded.

See Creating an ACL White List.

4. Create a local net destination override. This feature provides a scalable solution to create a local net destination override.

See Override Local Network Destination.

Creating a Firewall Policy

This section describes how to configure the rules that constitute a firewall policy. A firewall policy can then be applied to a user role (until the policy is applied to a user role, it does not have any effect). Table 1 describes required and optional parameters for a rule.

The following procedure describes how to create a web-only policy that allows web (HTTP and HTTPS) access:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Roles & Policies > Policies tab.

2. Click + to create a new policy.

3. Enter the policy name in the Policy name field.

4. Select the policy type from the Policy type drop-down list. You can select Ethertype, Extended, MAC, Route, Session, or Standard.

5. Click Submit.

6. Select the policy created and click + in the Policy <policy name> table.

7. Select Access Control option in the Rule Type field.

8. Click OK.

9. To add a rule that allows HTTP traffic:

a. Under Service/app, select Service from the drop-down list.

b. Select svc-http from the Service alias drop-down list.

10. Click Submit.


Rules can be re-ordered by using the up and down buttons provided for each rule.

11. Click Submit to apply this configuration. The policy is not created until the configuration is applied.

12. Click Pending Changes.

13. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI command creates a web-only policy that allows web (HTTP and HTTPS) access:

(host) [md] (config) #ip access-list session web-only

Table 1: Firewall Policy Rule Parameters

Parameter

Description

IP version

Specifies whether the policy applies to IPv4 or IPv6 traffic.

Source (required)

Source of the traffic, which can be one of the following:

any: Acts as a wildcard and applies to any source address.

user: Refers to traffic from the wireless client.

host: Refers to traffic from a specific host. When this option is chosen, you must configure the IP address of the host.

network: Refers to traffic that has a source IP from a subnet of IP addresses. When this option is chosen, you must configure the IP address and network mask of the subnet.

alias: Refers to using an alias for a host or network. You configure the alias by navigating to the Configuration > Roles & Policies > Policies tab. Select a policy created and click + to create a Rule. Select the Access Control option in the Rule Type. Select Alias from the Destination drop-down list and the alias name from the Destination alias drop-down list. Select a Source from the traffic Source drop-down list.

Destination (required)

Destination of the traffic, which can be configured in the same manner as Source.

Service/app (required)

Type of traffic, which can be one of the following:

any: This option specifies that this rule applies to any type of traffic.

application: For session and route policies on a 7000 Series managed device, you can create a rule that applies to a specific application type. Click the Application drop-down list and select an application type.

web category/reputation: For session policies on a 7000 Series managed device, you can create a rule that applies to a specific web category or application type. For more information on web category classification, see Traffic Analysis.

tcp: Using this option, you configure a range of TCP port(s) to match for the rule to be applied.

udp: Using this option, you configure a range of UDP port(s) to match for the rule to be applied.

service: Using this option, you use one of the pre-defined services (common protocols such as HTTPS, HTTP, and others) as the protocol to match for the rule to be applied. You can also specify a network service that you configure by navigating to the Configuration > Roles & Policies > Policies tab. Select a policy created and click + to create a Rule. Select the Access Control option in the Rule Type. Select the service type from the Service/app drop-down list.

protocol: Using this option, you specify an IP protocol other than TCP or UDP by configuring the IP protocol value.

Action (required)

The action that you want the managed device to perform on a packet that matches the specified criteria. This can be one of the following:

permit: Permits traffic matching this rule.

drop: Drops packets matching this rule without any notification.

reject: Drops the packet and sends an ICMP notification to the traffic source.

src-nat: Performs NAT on packets matching the rule. When this option is selected, you need to select a NAT pool. The source IP changes to the outgoing interface IP address (implied NAT pool) or to an address from the pool configured (manual NAT pool). This action functions in tunnel or decrypt-tunnel forwarding mode.

dst-nat: This option redirects traffic to the configured IP address and destination port. An example of this option is to redirect all HTTP packets to the captive portal port on the Aruba managed device, as used in the pre-defined policy called captive portal. This action functions in tunnel or decrypt-tunnel forwarding mode. The user should configure the NAT pool in the managed device.

dual-nat: This option performs both source and destination NAT on packets matching the rule. Packets are forwarded from the source network to the destination and re-marked with the destination IP of the target network. This action functions in tunnel or decrypt-tunnel forwarding mode. The user should configure the NAT pool in the managed device.

redirect to tunnel: This option redirects traffic into a GRE tunnel. This option is used primarily to redirect all guest traffic into a GRE tunnel to a DMZ router or switch.

redirect to esi: This option redirects traffic to the specified ESI group. You also specify the direction of traffic to be redirected: forward, reverse, or both directions. Select a NAT Pool from the NAT Pool drop-down list to add a NAT-POOL for the ESI policy.

route: Specify the next hop to which packets are routed, which can be one of the following:

Forward Regularly: Packets are forwarded to their next destination without any changes.

Forward to ipsec-map: Packets are forwarded through an IPsec tunnel defined by the specified IPsec map.

Forward to next-hop-list: packets are forwarded to the highest priority active device on the selected next hop list. For more information on next-hop lists, see Uplink Routing using Next-hop Lists.

Forward to tunnel: Packets are forwarded through the tunnel with the specified tunnel ID. For more information on GRE tunnels, see GRE Tunnels.

Forward to tunnel group: Packets are forwarded through the active tunnel in a GRE tunnel group. For more information on tunnel groups, see GRE Tunnel Groups.

TOS (optional)

Value of TOS bits to be marked in the IP header of a packet matching this rule when it leaves the managed device.

Time Range

You can create an absolute time range with a single fixed start and end date and time, or create a periodic (recurring) time range that starts and ends at a specified time on a weekday, weekend, or selected day.

Log (optional)

Logs a match to this rule. This is recommended when a rule indicates a security breach, such as a data packet on a policy that is meant only to be used for voice calls.

Mirror (optional)

Mirrors session packets to datapath or remote destination.

Queue (optional)

The queue in which a packet matching this rule should be placed.
Select High for higher priority data, such as voice, and Low for lower priority traffic.

Time Range (optional)

Time range for which this rule is applicable.

To configure time range, navigate to Configuration > Roles & Policies > Roles tab. Select a role and click + in the Global Rules table. Select a time range from the Time range drop-down list.

Pause ARM Scanning (optional)

Pause ARM scanning while traffic is present. Note that you must enable VoIP Aware Scanning in the ARM profile for this feature to work.

Black List (optional)

Automatically blacklists a client that is the source or destination of traffic matching this rule. This option is recommended for rules that indicate a security breach where the blacklisting option can be used to prevent access to clients that are attempting to breach the security.

ACL White List (optional)

A rule must explicitly permit a traffic session before it is forwarded to the managed device. The last rule in the white list denies everything else.
Configure white list ACLs on the Configuration > Services > Firewall > ACL White List accordion.

802.1p Priority (optional)

When this parameter is enabled, the value of the 802.1p priority bits is marked in the frame of a packet matching this rule when it leaves the managed device. 0 is the lowest priority (background traffic) and 7 is the highest (network control).
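To make the three properties listed at the top of this page (stateful, bi-directional, dynamic) concrete, together with the web-only policy and the Source, Service/app, Action and Log parameters of Table 1, here is an added Python model of how a session policy is evaluated. It is constructed for this page and is not ArubaOS code; the service alias definitions, the rule list, the user IP and the packets are all assumed values.

```python
"""Toy model of ArubaOS-style session-policy evaluation (constructed example).

Demonstrates: first-match rule order with an implicit deny at the end,
the dynamic 'user' alias bound to the client's current IP, stateful
return-traffic handling, and logging on a rule that indicates a breach.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Service:
    """A network service alias: protocol plus a set of destination ports
    (an empty set means any port), as in the Service alias fields above."""
    proto: str                       # "tcp", "udp" or "any"
    ports: frozenset = frozenset()

    def matches(self, proto: str, dport: int) -> bool:
        return (self.proto in ("any", proto)) and (not self.ports or dport in self.ports)


# Constructed alias table; names resemble the predefined svc-* aliases.
SERVICES = {
    "any": Service("any"),
    "svc-http": Service("tcp", frozenset({80})),
    "svc-https": Service("tcp", frozenset({443})),
    "svc-dns": Service("udp", frozenset({53})),
}


@dataclass(frozen=True)
class Rule:
    src: str        # "any", "user", or a host/network such as "10.2.2.0/24"
    dst: str
    service: str    # key into SERVICES
    action: str     # "permit", "drop" or "reject"
    log: bool = False


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class SessionFirewall:
    """Evaluates a rule list for one client (the 'user' alias)."""

    def __init__(self, rules, user_ip: str):
        self.rules = list(rules)
        self.user_ip = ip_address(user_ip)   # dynamic alias: set per client
        self.sessions = set()                # 5-tuples of permitted sessions
        self.log = []

    def _addr_matches(self, spec: str, addr: str) -> bool:
        a = ip_address(addr)
        if spec == "any":
            return True
        if spec == "user":
            return a == self.user_ip
        return a in ip_network(spec, strict=False)

    def evaluate(self, pkt: Packet) -> str:
        # Stateful: the reverse direction of an already permitted session is
        # allowed without re-consulting the rules (bi-directional tracking).
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.sessions:
            return "permit"
        for rule in self.rules:                       # first match wins
            if (self._addr_matches(rule.src, pkt.src)
                    and self._addr_matches(rule.dst, pkt.dst)
                    and SERVICES[rule.service].matches(pkt.proto, pkt.dport)):
                if rule.log:
                    self.log.append(f"{rule.action} {pkt.src}:{pkt.sport} -> "
                                    f"{pkt.dst}:{pkt.dport}/{pkt.proto}")
                if rule.action == "permit":
                    self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                return rule.action
        return "drop"   # nothing matched: implicit deny at the end of the policy


# Web-only policy: DNS plus HTTP/HTTPS from the user; log anything else dropped.
WEB_ONLY = [
    Rule("user", "any", "svc-dns", "permit"),
    Rule("user", "any", "svc-http", "permit"),
    Rule("user", "any", "svc-https", "permit"),
    Rule("user", "any", "any", "drop", log=True),
]


def demo():
    """Run constructed packets through the policy; returns (results, log)."""
    fw = SessionFirewall(WEB_ONLY, "10.1.1.50")
    r = {}
    r["http_out"] = fw.evaluate(Packet("10.1.1.50", "192.0.2.10", "tcp", 40000, 80))
    r["http_return"] = fw.evaluate(Packet("192.0.2.10", "10.1.1.50", "tcp", 80, 40000))
    r["telnet_out"] = fw.evaluate(Packet("10.1.1.50", "192.0.2.20", "tcp", 40001, 23))
    r["unsolicited_in"] = fw.evaluate(Packet("192.0.2.20", "10.1.1.50", "tcp", 23, 40002))
    # Same rules applied to a different client: 'user' now resolves to its IP.
    r["dynamic_alias"] = SessionFirewall(WEB_ONLY, "10.1.1.51").evaluate(
        Packet("10.1.1.51", "192.0.2.10", "tcp", 40000, 443))
    return r, fw.log


if __name__ == "__main__":
    results, log = demo()
    for name, verdict in results.items():
        print(f"{name:15s} {verdict}")
    print("logged:", log)
```

The unsolicited inbound telnet packet is dropped by the implicit deny rather than the logged rule, because its source is not the user; only the client's own non-web attempt appears in the log.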

Creating a Network Service Alias

When you create a network service alias, you can use that alias when specifying the network service for multiple session ACLs.

The following procedure describes how to create a network service alias:

1. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Policies tab.

2. Click + to create a new policy.

3. Enter the policy name in the Policy name field.

4. Select the policy type from the Policy type drop-down list. You can select Ethertype, Extended, MAC, Route, Session, or Standard.

5. Click Submit.

6. Select the policy created and click + in the Policy <policy name> table.

7. Select Access Control option in the Rule Type field.

8. Click OK.

9. Select Service from the Service/app drop-down list.

10. Click + in the Service alias drop-down list to add a new service.

a. Enter a Service name.

b. In the Protocol drop-down list, select TCP or UDP, or select protocol and enter the IP protocol number of the protocol for which you want to create an alias. The Application level gateway (alg) selection is described in step d.

c. In the Port type drop-down, specify whether you want to define the port by a contiguous range of ports, or by a list of non-contiguous port numbers.

If you select range, enter the starting and ending port numbers in the Starting port and End port fields.

If you select list, enter a comma-separated list of port numbers in the Port list field.

d. To limit the service alias to a specific application, select one of the following service types from the Application Level Gateway (alg) drop-down list:

ftp: Service is FTP (File Transfer Protocol).

tftp: Service is TFTP (Trivial File Transfer Protocol).

dns: Service is DNS (Domain Name System).

dhcp: Service is DHCP (Dynamic Host Configuration Protocol).

sip: Service is SIP (Session Initiation Protocol).

sips: Service is secure SIP.

svp: Service is SVP (SpectraLink Voice Priority).

sccp: Service is SCCP (Skinny Client Control Protocol).

rtsp: Service is RTSP (Real Time Streaming Protocol).

vocera: Service is Vocera.

noe: Service is Alcatel NOE (New Office Environment).

h323: Service is H.323.

jabber: Service is Jabber.

facetime: Service is FaceTime.

11. Click Submit to add a new service.

12. Click Submit.

13. Click Pending Changes.

14. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI command defines a service alias:

(host) [md] (config) #netservice <name> <protocol>|tcp|udp {list <port>,<port>}|{<port> [<port>]} [ALG <service>]

Creating an ACL White List

The white list protects the managed device during traffic session processing: a session destined to the managed device itself is not forwarded to it unless a white list rule explicitly permits it, and the final rule denies everything else. The maximum number of entries allowed in the ACL white list is 256. To create an ACL white list, optionally define a white list bandwidth contract first, and then assign it to an ACL entry.

Creating a Bandwidth Contract

The following procedure describes how to create a bandwidth contract:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > Firewall tab.

2. Expand the White List BW Contracts accordion.

3. Click + to create a new contract.

4. In the White list contract name field, enter the name of a bandwidth contract.

5. In the Bandwidth rate field, enter a bandwidth rate value.

6. Click Submit.

7. Click Pending Changes.

8. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI command creates a bandwidth contract:

(host) [mynode] (config) #cp-bandwidth-contract

Configuring the ACL White List

The following procedure describes how to configure an ACL white list:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > Firewall tab.

2. Expand the Acl White List accordion.

3. Click + to create a new entry.

4. Select permit or deny from the Action drop-down list.

Permit allows the session traffic to be forwarded to the managed device; deny blocks it.

5. Select Ipv4 or Ipv6 from the IP version drop-down list.

6. Select one of the following from the Source drop-down list:

To match a specific IPv4 or IPv6 address or subnet, select addr_mask.

To match any source host, select any.

7. If you selected addr_mask, enter the IP address and subnet mask of the source in the corresponding fields.

8. In the IP protocol number (1-255) field, enter the protocol number, or select the protocol used by the session traffic from the IP protocol drop-down list.

9. In the Starting ports field, enter the first port of the port range on which the permitted or denied session traffic runs. Port range: 1-65535.

10. In the End port field, enter the last port of that range. Port range: 1-65535.

11. (Optional) From the White list bandwidth contract drop-down list, select the bandwidth contract to apply to the session traffic. For further information on creating bandwidth contracts, see Global Bandwidth Contract Configuration.

12. Click Submit. The ACL displays in the white list section.

13. To delete an entry, click Delete next to the entry you want to delete.

14. Click Submit.

15. Click Pending Changes.

16. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI command creates ACL white list entries:

(host) [mynode] (config) #firewall cp
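The two procedures above (the reusable network service alias and the ACL white list) both come down to the same evaluation: a session is checked against rules in order, the first match decides, and anything unmatched falls to the final deny. The following Python model, added here as an example and not ArubaOS code, shows one alias shared by two session ACLs and a control-plane white list that only admits SSH to the managed device from one subnet and enforces the 256-entry limit. The class and function names, the sample aliases and the addresses other than the managed device's 172.72.10.254 (taken from the page's `show ip interface brief` output) are assumptions made for illustration.

```python
"""Model of ArubaOS network service aliases, session ACL rules and the control-plane
ACL white list as first-match rule evaluation with an implicit final deny.

Added example, not ArubaOS code: the class and function names, the sample aliases and
the addresses (other than the managed device's 172.72.10.254 from the page) are
assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
MAX_WHITELIST_ENTRIES = 256  # limit stated on the page


@dataclass(frozen=True)
class NetService:
    """One `netservice` alias: IP protocol, a port set built from a range or a list,
    and an optional ALG. Matching uses protocol and port only; the ALG selects the
    inspection applied to matched sessions and is carried along for reference."""
    name: str
    proto: int
    ports: Optional[FrozenSet[int]] = None  # None: protocol without ports (e.g. ICMP)
    alg: Optional[str] = None

    @classmethod
    def port_range(cls, name, proto, start, end=None, alg=None):
        end = start if end is None else end
        if not 1 <= start <= end <= 65535:
            raise ValueError("ports must be within 1-65535 and start <= end")
        return cls(name, PROTO[proto], frozenset(range(start, end + 1)), alg)

    @classmethod
    def port_list(cls, name, proto, ports, alg=None):
        if not all(1 <= p <= 65535 for p in ports):
            raise ValueError("ports must be within 1-65535")
        return cls(name, PROTO[proto], frozenset(ports), alg)

    def matches(self, proto, dport):
        return proto == self.proto and (self.ports is None or dport in self.ports)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                           # "permit" or "deny"
    src: str = "any"                      # "any" or an address/prefix
    dst: str = "any"
    service: Optional[NetService] = None  # None: any protocol and port

    def matches(self, pkt):
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ip_address(have) not in ip_network(want, strict=False):
                return False
        return self.service is None or self.service.matches(pkt.proto, pkt.dport)


def evaluate(rules, pkt):
    """First matching rule wins; a packet matching no rule hits the implicit final deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


class WhiteList:
    """Control-plane ACL: only sessions destined to the managed device itself."""

    def __init__(self):
        self.rules: List[Rule] = []

    def add(self, rule):
        if len(self.rules) >= MAX_WHITELIST_ENTRIES:
            raise OverflowError(f"ACL white list is limited to {MAX_WHITELIST_ENTRIES} entries")
        self.rules.append(rule)

    def decide(self, pkt):
        return evaluate(self.rules, pkt)


# Aliases are defined once and reused by several session ACLs (constructed sample).
SVC_WEB = NetService.port_list("svc-web", "tcp", [80, 443])
SVC_SIP = NetService.port_range("svc-sip", "udp", 5060, alg="sip")
SVC_SSH = NetService.port_range("svc-ssh", "tcp", 22)

GUEST_ACL = [Rule("permit", service=SVC_WEB)]                               # web only
VOICE_ACL = [Rule("permit", service=SVC_SIP), Rule("permit", service=SVC_WEB)]

MD_ADDRESS = "172.72.10.254"  # managed device VLAN 1 address from the page's output
CP_WHITELIST = WhiteList()
CP_WHITELIST.add(Rule("permit", src="10.10.0.0/16", dst=MD_ADDRESS, service=SVC_SSH))


def decide_guest(pkt):
    return evaluate(GUEST_ACL, pkt)


def decide_voice(pkt):
    return evaluate(VOICE_ACL, pkt)


def decide_cp(pkt):
    return CP_WHITELIST.decide(pkt)
```

Because `SVC_WEB` is one object referenced by both ACLs, changing its port list changes both policies at once, which is the point of an alias; the white list shows the other half of the page's guidance, namely that management traffic to the device from outside the permitted subnet, or on any port not listed, never reaches it.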

Override Local Network Destination

To implement this feature, a new sub-command, host vlan <vlan-id> offset <n>, is introduced under the netdestination configuration command. An example and description follow:

netdestination store

host vlan 10 offset 5

host vlan 10 offset 8

With the above configuration, the managed device takes the subnet assigned to VLAN 10 at that store (for example, 10.1.1.0/24) and calculates offsets 5 (10.1.1.5) and 8 (10.1.1.8) from its network address. Because the subnet on VLAN 10 can differ from store to store, the same netdestination resolves to the local hosts at each site.

The following procedure describes how to configure an override local network destination:

1. In the Managed Network node hierarchy, navigate to the Configuration > Roles & Policies > Roles tab.

2. Select a role and click + under Rules of this Role only to create a rule.

3. Click one of the options in the Rule Type field to select a rule type, and click OK.

4. Select Alias from the Destination drop-down list.

5. Select + from the Destination alias drop-down list.

6. Click + in the Rule table.

7. Select Override from the Rule type drop-down list.

8. From the Vlan drop-down list, select the VLAN, and specify the offset (1-254) within that VLAN's subnet.

9. Click OK.

10. Click Submit in the Add New Destination window.

11. Click Submit.

12. Click Pending Changes.

13. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure the local override netdestination:

(host) [md] (config) #netdestination store

(host) [md] (config-submode) #?

description Brief description about this destination (up to 128 characters in quote)

host Configure a single IPv4 host

invert Use all destinations EXCEPT this destination

name Configure a single host name or domain, Max 63 characters

network Configure a IPv4 subnet

no Delete Command

range Configure a range of IPv4 addresses

(host) [md] (config-submode) #host?

vlan IPv4 Address based on VLAN

A.B.C.D IPv4 Address of host

(host) [md] (config-submode) #host vlan ?

<1-4094> VLAN ID

(host) [md] (config-submode) #host vlan 55 ?

offset Offset in the VLAN subnet

(host) [md] (config-submode) #host vlan 55 offset ?

<1-254> Offset number in the VLAN subnet

(host) [md] (config-submode) #host vlan 55 offset 36

Execute the following command to show the local override netdestination:

(host) [md] #show netdestination store

Name: store

Position Type IP addr Mask-Len/Range

-------- ---- ------- --------------

1 override vlan 55 offset 36

 

One netdestination definition can have a maximum of 256 netdestination entries. On the whole, there can be a maximum of 1024 netdestination entries on the Controller or Managed Device.

Use the local-override netdestination alias in a session ACL on the managed device as follows:

(host) [md] (config) #ip access-list session store-override

(host) [md] (config-sess-store-override) #any alias store any permit

(host) [md] (config-sess-store-override) #alias store any any deny

(host) [md] (config-sess-store-override) #!

(host) [md] #show ip interface brief

Interface IP Address / IP Netmask Admin Protocol

vlan 1 172.72.10.254 / 255.255.255.0 up up

vlan 55 55.55.55.1 / 255.255.255.0 up up

loopback unassigned / unassigned up up

 

(host) [md] #show acl acl-table | include dummy-acl

75 session 620 2 3 dummy-acl 0

 

(host) [md] #show acl ace-table acl 75

 

620: any netdest-id: 34 0 0-0 0-0 f1000080001:permit alias-dst hits-table-index 24578

621: netdest-id: 34 any 0 0-0 0-0 f800080001:permit alias-src hits-table-index 24579

622: any any 0 0-0 0-0 f180000:deny
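The resolution described above (network address of the VLAN's subnet plus the offset) is worth checking before pushing such a netdestination from the Mobility Master, because a missing VLAN interface or an offset that does not fit the local subnet changes what the `permit` rule actually matches at a site. The following Python helper, added here as an example and not ArubaOS code, resolves the page's netdestination `store` against two constructed stores with different VLAN 10 subnets and rejects invalid offsets. The function names and the per-device VLAN tables are assumptions; the page only fixes the offset range (1-254) and the example addresses, and treating an out-of-subnet offset as an error is this model's choice, not documented device behaviour.

```python
"""Resolution of `host vlan <id> offset <n>` netdestination entries against the VLAN
interfaces of each managed device.

Added example, not ArubaOS code: the function names and the per-device VLAN tables are
assumptions made for illustration; the page only fixes the offset range (1-254) and
the example addresses.
"""
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Tuple


def resolve_vlan_offset(vlan_interfaces: Dict[int, str], vlan: int, offset: int) -> IPv4Address:
    """Return the host that `host vlan <vlan> offset <offset>` resolves to on one device."""
    if not 1 <= offset <= 254:
        raise ValueError("offset must be 1-254")
    if vlan not in vlan_interfaces:
        raise LookupError(f"VLAN {vlan} has no IP interface on this managed device")
    net = IPv4Interface(vlan_interfaces[vlan]).network
    addr = net.network_address + offset
    # Assumption of this model: an offset that does not land on a usable host address of
    # the VLAN's subnet (e.g. offset 36 on a /28) is treated as a configuration error.
    if addr >= net.broadcast_address:
        raise ValueError(f"offset {offset} is outside {net}")
    return addr


def resolve_netdestination(entries: List[Tuple[int, int]], vlan_interfaces: Dict[int, str]) -> List[str]:
    """Expand a netdestination made of (vlan, offset) entries on one managed device."""
    return [str(resolve_vlan_offset(vlan_interfaces, vlan, off)) for vlan, off in entries]


# netdestination "store" from the page: two entries on VLAN 10
STORE = [(10, 5), (10, 8)]

# Constructed sample: VLAN 10 carries a different subnet at each store, so the single
# netdestination pushed from the Mobility Master resolves to local addresses at each site.
STORE_A_VLANS = {1: "172.72.10.254/24", 10: "10.1.1.1/24"}
STORE_B_VLANS = {1: "172.72.20.254/24", 10: "10.1.2.1/24"}


def store_hosts(vlan_interfaces: Dict[int, str]) -> List[str]:
    """Hosts the `store` alias matches on the device whose VLAN table is given."""
    return resolve_netdestination(STORE, vlan_interfaces)
```

Run `store_hosts(STORE_A_VLANS)` and `store_hosts(STORE_B_VLANS)` side by side to see the same configuration yield 10.1.1.x at one site and 10.1.2.x at the other; the `show netdestination store` output on the page shows only the unresolved entry, so a check like this is the way to confirm which hosts a rule built on the alias will actually permit.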

RTP Traffic without Changing DSCP value

RTP (Real-Time Transport Protocol) traffic can be passed without changing the DSCP (Differentiated Services Code Point) value set by the end-user device, so that the client's marking survives the pass through the managed device.

To pass RTP traffic without changing the DSCP value, execute the following commands:

(host) [md] (config) #firewall

(host) [md] (config-submode)#voip-qos-trusted

To verify that RTP traffic is passed without changing the DSCP value, execute the following command:

(host) [md] #show firewall | include Trust

 

Trust packet QoS Enabled

To verify the client DSCP value (for example, 48) on the RTP session, execute the following command:

(host) #show datapath session dpi | include V

 

C - client, M - mirror, V - VOIP

r - Route Nexthop, h - High Value

 

Source IP or MAC Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge

10.15.123.147 10.15.16.19 17 33262 2060 0/0 6 48 0 local 2876

10.15.16.19 10.15.123.147 17 2060 33262 0/0 6 48 0 local 2876

 

Packets Bytes AclVer Int-Flag Sess-Flag2 PktsDpi UplnkVlan AppID

1 40 8009 81095 0 3 none alg-rtp

0 0 0 1094 0 2 none alg-rtp

 

AceIdx Flags DpiTIdx CPU ID

(3404) 1142/1138 FHPTCVBO dc 7

(3404) 0/1138 FHPTCVBO dc 6
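Reading the ToS column by eye works for two sessions; for a busy device it is easier to check the `show datapath session dpi` output programmatically. The following Python parser, added here as an example and not ArubaOS code, pulls the session rows and the matching counter rows out of the output shown above, keeps only sessions whose AppID is `alg-rtp`, and reports any whose ToS column differs from the DSCP the client set. Pairing the two tables by row order is an assumption of this model (it is the order the command prints them in), and the second sample, with the reverse direction remarked to 46, is constructed to show what a failed check looks like.

```python
"""Check from `show datapath session dpi` output that RTP sessions keep the client's DSCP
value when `voip-qos-trusted` is enabled.

Added example, not ArubaOS code: the parser pairs the session table with the counter table
by row order, an assumption of this model; the second sample below is constructed to show
what remarking would look like.
"""
import re
from typing import Dict, List

# Row of the first table: Source, Destination, Prot, SPort, DPort, Cntr, Prio, ToS, Age, Destination, TAge
SESSION_ROW = re.compile(
    r"^(?P<src>[\w.:]+)\s+(?P<dst>[\w.:]+)\s+(?P<proto>\d+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"(?P<cntr>\d+/\d+)\s+(?P<prio>\d+)\s+(?P<tos>\d+)\s+(?P<age>\d+)\s+(?P<dest>\S+)\s+(?P<tage>\d+)\s*$"
)
# Row of the second table: Packets, Bytes, AclVer, Int-Flag, Sess-Flag2, PktsDpi, UplnkVlan, AppID
COUNTER_ROW = re.compile(
    r"^(?P<packets>\d+)\s+(?P<bytes>\d+)\s+(?P<aclver>\d+)\s+(?P<intflag>\w+)\s+(?P<sessflag2>\w+)\s+"
    r"(?P<pktsdpi>\d+)\s+(?P<uplnkvlan>\S+)\s+(?P<appid>\S+)\s*$"
)


def parse_dpi_sessions(output: str) -> List[Dict[str, str]]:
    """Return one dict per session, merging the session row with its counter row."""
    sessions, counters = [], []
    for line in output.splitlines():
        m = SESSION_ROW.match(line.strip())
        if m:
            sessions.append(m.groupdict())
            continue
        m = COUNTER_ROW.match(line.strip())
        if m:
            counters.append(m.groupdict())
    if len(sessions) != len(counters):
        raise ValueError("session and counter tables do not line up")
    return [{**s, **c} for s, c in zip(sessions, counters)]


def rtp_dscp_mismatches(output: str, expected_dscp: int) -> List[str]:
    """List the RTP sessions whose ToS column differs from the DSCP the client set."""
    return [
        f"{s['src']}->{s['dst']} tos={s['tos']}"
        for s in parse_dpi_sessions(output)
        if s["appid"] == "alg-rtp" and int(s["tos"]) != expected_dscp
    ]


def rtp_dscp_preserved(output: str, expected_dscp: int) -> bool:
    """True when every alg-rtp session still carries the client's DSCP value."""
    return not rtp_dscp_mismatches(output, expected_dscp)


# Sample 1: the output shown on the page (both directions keep DSCP 48).
TRUSTED_OUTPUT = """\
C - client, M - mirror, V - VOIP
r - Route Nexthop, h - High Value

Source IP or MAC  Destination IP  Prot SPort DPort Cntr Prio ToS Age Destination TAge
10.15.123.147 10.15.16.19 17 33262 2060 0/0 6 48 0 local 2876
10.15.16.19 10.15.123.147 17 2060 33262 0/0 6 48 0 local 2876

Packets Bytes AclVer Int-Flag Sess-Flag2 PktsDpi UplnkVlan AppID
1 40 8009 81095 0 3 none alg-rtp
0 0 0 1094 0 2 none alg-rtp

AceIdx Flags DpiTIdx CPU ID
(3404) 1142/1138 FHPTCVBO dc 7
(3404) 0/1138 FHPTCVBO dc 6
"""

# Sample 2 (constructed): the same sessions with the reverse direction remarked to 46,
# which is what you would see if the firewall did not trust the client's marking.
REMARKED_OUTPUT = TRUSTED_OUTPUT.replace(
    "10.15.16.19 10.15.123.147 17 2060 33262 0/0 6 48",
    "10.15.16.19 10.15.123.147 17 2060 33262 0/0 6 46",
)
```

Feed the captured command output to `rtp_dscp_mismatches(output, 48)`; an empty list confirms the `Trust packet QoS Enabled` setting is taking effect for RTP, while any entry names the direction whose DSCP was rewritten.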
