
inbound-firewall

inbound-firewall

rule <subnet> <smask> <dest> <mask> <match/invert> <protocol> <sport> <eport> {permit|deny|src-nat|dst-nat ip <IP-address> <port>}[<option1....option9>]

no…

Description

This command configures inbound firewall rules based on the source subnet.

Syntax

Command/Parameter: Description (Range, where the page gives one)

inbound-firewall
    Opens the inbound firewall configuration mode.

rule
    Creates an access rule. You can create up to 128 access rules. However, it is recommended to delete any existing configuration and apply changes at regular intervals.

<subnet>
    Specifies the source subnet IP address.

<smask>
    Specifies the subnet mask of the source IP address.

<dest>
    Specifies the destination IP address.

<mask>
    Specifies the subnet mask of the destination IP address.

<match/invert>
    match: the rule applies to traffic whose destination falls within the specified destination IP address and subnet mask.
    invert: the rule applies to all traffic except traffic whose destination falls within the specified destination IP address and subnet mask.
    Range: match, invert

<protocol>
    Configures any of the following:
    - a protocol number between 0-255
    - any: any protocol
    - tcp: Transmission Control Protocol
    - udp: User Datagram Protocol
    Range: 1-255

<sport>
    Specifies the starting port number from which the rule applies.
    Range: 1-65534

<eport>
    Specifies the ending port number up to which the rule applies.
    Range: 1-65534

permit
    Creates a rule to allow the specified packets.

deny
    Creates a rule to reject the specified packets.

src-nat
    Allows the IAP to perform source NAT on packets. When configured, the source IP changes to the outgoing interface IP address (implied NAT pool) or to an address from the configured pool (manual NAT pool).

dst-nat
    Allows the IAP to perform destination NAT on packets.

ip <IP-address>
    Specifies the destination NAT IP address for the specified packets when the dst-nat action is configured.

<port>
    Specifies the destination NAT port for the specified packets when the dst-nat action is configured.

<option1...option9>
    Allows you to specify any of the following options:
    - Log: creates a log entry when this rule is triggered.
    - Blacklist: blacklists the client when this rule is triggered.
    - Classify-media: performs packet inspection on all non-NAT traffic and marks the critical traffic.
    - Disable-scanning: disables ARM scanning when this rule is triggered.
    - DSCP tag: specifies a DSCP value to prioritize traffic when this rule is triggered.
    - 802.1p priority: sets an 802.1p priority.

no...
    Removes the configuration.

Usage Guidelines

Use this command to configure inbound firewall rules for the inbound traffic coming through the uplink ports of an IAP. The rules defined for the inbound traffic are applied if the destination is not a user connected to the IAP. If the destination already has a user role assigned, the user role overrides the actions or options specified in inbound firewall configuration. However, if a deny rule is defined for the inbound traffic, it is applied irrespective of the destination and user role. Unlike the ACL rules in a WLAN SSID or wired profile, the inbound firewall rules can be configured based on the source subnet.

For all subnets, a deny-all rule is created by default as the last rule. As soon as at least one rule is configured, this default deny-all rule is applied to the upstream traffic, so any inbound traffic you want to pass must be matched by an explicit permit or NAT rule placed before it.

Management access to the AP is allowed irrespective of the inbound firewall rule. For more information on configuring restricted management access, see restricted-mgmt-access.

The inbound firewall is not applied to traffic coming through GRE tunnel.

Example

The following example configures an inbound firewall rule that permits TCP (protocol 6) traffic to port 631 from the single host 192.0.2.1:

(Instant AP)(config)# inbound-firewall
(Instant AP)(inbound-firewall)# rule 192.0.2.1 255.255.255.255 any any match 6 631 631 permit
(Instant AP)(inbound-firewall)# end
(Instant AP)# commit apply
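The rule syntax above and the evaluation semantics stated in the Usage Guidelines (first match wins, match/invert on the destination, an implicit deny-all once any rule exists, a deny honoured regardless of the destination's user role, other actions overridden by that role) can be checked offline with the following parser and evaluator. This is an added example, not code from the page or from Aruba; the rule set is constructed (the page's own example rule comes first), the interpretation of <sport>/<eport> as a destination-port range is an assumption, and the lowercase option keywords (log) in the constructed rules are assumed spellings of the options listed above.

```python
"""Parser and first-match evaluator for the inbound-firewall 'rule' syntax.

Added illustration, not Aruba code. Assumptions: <sport>/<eport> are treated
as a destination-port range, and the sample rules use lowercase option keywords.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

PROTO_NAMES = {"tcp": 6, "udp": 17}
Verdict = Tuple[str, Tuple[str, ...], Optional[Tuple[str, int]]]


@dataclass(frozen=True)
class Rule:
    src: Optional[IPv4Network]        # None = "any"
    dst: Optional[IPv4Network]        # None = "any"
    invert: bool                      # True: every destination EXCEPT dst
    proto: Optional[int]              # None = "any"
    sport: int
    eport: int
    action: str                       # permit | deny | src-nat | dst-nat
    nat: Optional[Tuple[str, int]]    # (ip, port) for dst-nat
    options: Tuple[str, ...]          # option tokens kept verbatim


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int
    dst_has_user_role: bool = False   # destination is a client with a role on the AP


def _net(addr: str, mask: str) -> Optional[IPv4Network]:
    return None if addr == "any" else IPv4Network(f"{addr}/{mask}", strict=False)


def _proto(tok: str) -> Optional[int]:
    if tok == "any":
        return None
    if tok in PROTO_NAMES:
        return PROTO_NAMES[tok]
    n = int(tok)
    if not 0 <= n <= 255:
        raise ValueError(f"protocol out of range: {tok}")
    return n


def parse_rule(line: str) -> Rule:
    """Parse one line written in the form shown in the Syntax section."""
    t = line.split()
    if len(t) < 10 or t[0] != "rule" or t[5] not in ("match", "invert"):
        raise ValueError(f"malformed rule: {line!r}")
    sport, eport = int(t[7]), int(t[8])
    if not 1 <= sport <= eport <= 65534:
        raise ValueError(f"bad port range: {line!r}")
    action, rest, nat = t[9], t[10:], None
    if action == "dst-nat":           # dst-nat ip <IP-address> <port>
        if len(rest) < 3 or rest[0] != "ip":
            raise ValueError(f"dst-nat needs 'ip <addr> <port>': {line!r}")
        nat, rest = (rest[1], int(rest[2])), rest[3:]
    elif action not in ("permit", "deny", "src-nat"):
        raise ValueError(f"unknown action: {action}")
    if len(rest) > 9:
        raise ValueError("at most nine options per rule")
    return Rule(_net(t[1], t[2]), _net(t[3], t[4]), t[5] == "invert",
                _proto(t[6]), sport, eport, action, nat, tuple(rest))


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src is not None and IPv4Address(pkt.src) not in rule.src:
        return False
    if rule.dst is not None:
        in_dst = IPv4Address(pkt.dst) in rule.dst
        if in_dst == rule.invert:     # match needs in_dst; invert needs not in_dst
            return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    # Port range applies to TCP/UDP only (assumed to be the destination port).
    return pkt.proto not in (6, 17) or rule.sport <= pkt.dport <= rule.eport


def evaluate(rules: List[Rule], pkt: Packet) -> Verdict:
    """First match wins. Returns (effective action, options, dst-nat target)."""
    if not rules:
        return ("no-rule", (), None)           # nothing configured, no implicit deny
    for r in rules:
        if not rule_matches(r, pkt):
            continue
        if r.action == "deny":                 # deny applies regardless of user role
            return ("deny", r.options, None)
        if pkt.dst_has_user_role:              # the client's role overrides other actions
            return ("user-role", (), None)
        return (r.action, r.options, r.nat)
    return ("deny", ("implicit",), None)       # default deny-all is the last rule


# Constructed rule set: the page's own example first, then illustrative rules.
SAMPLE_RULES = [parse_rule(s) for s in (
    "rule 192.0.2.1 255.255.255.255 any any match 6 631 631 permit",
    "rule 192.0.2.0 255.255.255.0 any any match tcp 23 23 deny log",
    "rule 198.51.100.0 255.255.255.0 203.0.113.0 255.255.255.0 invert tcp 22 22 permit log",
    "rule 198.51.100.0 255.255.255.0 any any match udp 514 514 dst-nat ip 203.0.113.5 1514",
)]
```

Calling evaluate(SAMPLE_RULES, Packet("192.0.2.1", "10.0.0.5", 6, 631)) yields the page example's permit, while the same host on TCP port 80 falls through to the implicit deny: once a single rule exists, anything not explicitly permitted or NATed is dropped. The invert rule permits SSH from 198.51.100.0/24 to every destination except 203.0.113.0/24, and a packet to port 23 from 192.0.2.9 is denied even when the destination client has a user role, which is the one case where the inbound firewall overrides the role.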

Command History

Version: Aruba Instant 6.4.0.2-4.1
Description: This command is introduced.

Command Information

IAP Platform: All platforms
Command Mode: Configuration mode and inbound firewall configuration sub-mode.