Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Understanding Firewall Port Configuration in Aruba Devices
This section describes the network ports that need to be configured on the firewall Firewall is a network security system used for preventing unauthorized access to or from a private network. to allow proper operation of the network.
Communication Between Managed Devices
Configure the following ports to enable communication between any two managed devices:
- IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. (UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 4500) for communication between Mobility Conductor and a managed device.
- IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. (UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. ports 500 and 4500) and ESP (protocol 50). PAPI Process Application Programming Interface. PAPI controls channels for ARM and Wireless Intrusion Detection System (WIDS) communication to the conductor controller. A separate PAPI control channel connects to the local controller where the SSID tunnels terminate. between Mobility Conductor and a managed device is encapsulated in IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session..
- IP-IP (protocol 94) and UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 443 if Layer-3 mobility is enabled
- GRE Generic Routing Encapsulation. GRE is an IP encapsulation protocol that is used to transport packets over a network. (protocol 47) if tunneling guest traffic over GRE Generic Routing Encapsulation. GRE is an IP encapsulation protocol that is used to transport packets over a network. to DMZ managed device
- IKE Internet Key Exchange. IKE is a key management protocol used with IPsec protocol to establish a secure communication channel. IKE provides additional feature, flexibility, and ease of configuration for IPsec standard. (UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. 500)
- ESP (protocol 50)
- NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.-T (UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. 4500)
Communication Between APs and the Managed Device
APs use Trivial File Transfer Protocol (TFTP Trivial File Transfer Protocol. The TFTP is a software utility for transferring files from or to a remote host. ) during their initial boot to grab their software image and configuration from the managed device. After the initial boot, the APs use FTP File Transfer Protocol. A standard network protocol used for transferring files between a client and server on a computer network. to retrieve their software images and configurations from the managed device. In many deployment scenarios, an external firewall Firewall is a network security system used for preventing unauthorized access to or from a private network. is situated between various Aruba devices.
Configure the following ports to enable communication between an AP and the managed device:
- PAPI Process Application Programming Interface. PAPI controls channels for ARM and Wireless Intrusion Detection System (WIDS) communication to the conductor controller. A separate PAPI control channel connects to the local controller where the SSID tunnels terminate. (UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 8211). If the AP uses DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. to discover the LMS Local Management Switch. In multi-controller networks, each controller acts as an LMS and terminates user traffic from the APs, processes, and forwards the traffic to the wired network. managed device, the AP first attempts to connect to the managed device. (Also allow DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. (UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 53) traffic from the AP to the DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. server.)
- PAPI Process Application Programming Interface. PAPI controls channels for ARM and Wireless Intrusion Detection System (WIDS) communication to the conductor controller. A separate PAPI control channel connects to the local controller where the SSID tunnels terminate. (UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 8211). All APs running as Air Monitors (AMs) require a permanent PAPI Process Application Programming Interface. PAPI controls channels for ARM and Wireless Intrusion Detection System (WIDS) communication to the conductor controller. A separate PAPI control channel connects to the local controller where the SSID tunnels terminate. connection to managed device.
- FTP File Transfer Protocol. A standard network protocol used for transferring files between a client and server on a computer network. (TCP Transmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. port 21)
- TFTP Trivial File Transfer Protocol. The TFTP is a software utility for transferring files from or to a remote host. (UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 69). All campus APs Campus APs are used in private networks where APs connect over private links (LAN, WLAN, WAN or MPLS) and terminate directly on controllers. Campus APs are deployed as part of the indoor campus solution in enterprise office buildings, warehouses, hospitals, universities, and so on.; If there is no local image on the AP or if the image needs to be upgraded (for example, a new AP), the AP will use TFTP Trivial File Transfer Protocol. The TFTP is a software utility for transferring files from or to a remote host. to retrieve the initial image. For remote APs Remote APs extend corporate network to the users working from home or at temporary work sites. Remote APs are deplyed at branch office sites and are connected to the central network on a WAN link., upgrade the image only by FTP File Transfer Protocol. A standard network protocol used for transferring files between a client and server on a computer network. and not TFTP Trivial File Transfer Protocol. The TFTP is a software utility for transferring files from or to a remote host. .
- SYSLOG (UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 514)
- PAPI Process Application Programming Interface. PAPI controls channels for ARM and Wireless Intrusion Detection System (WIDS) communication to the conductor controller. A separate PAPI control channel connects to the local controller where the SSID tunnels terminate. (UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 8211)
- GRE Generic Routing Encapsulation. GRE is an IP encapsulation protocol that is used to transport packets over a network. (protocol 47)
- Control Plane Security (CPsec Control Plane Security. CPsec is a secure form of communication between a controller and APs to protect the control plane communications. This is performed by means of using public-key self-signed certificates created by each conductor controller.) uses UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 4500
Communication Between Remote APs and the Managed Device
Configure the following ports to enable communication between a Remote AP (IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session.) and a managed device:
- NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device.-T (UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 4500)
- TFTP Trivial File Transfer Protocol. The TFTP is a software utility for transferring files from or to a remote host. (UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 69)
TFTP Trivial File Transfer Protocol. The TFTP is a software utility for transferring files from or to a remote host. is not needed for normal operation. If the remote AP Remote APs extend corporate network to the users working from home or at temporary work sites. Remote APs are deplyed at branch office sites and are connected to the central network on a WAN link. loses its local image for any reason, it will use TFTP Trivial File Transfer Protocol. The TFTP is a software utility for transferring files from or to a remote host. to download the latest image.
In an IPv6 deployment, you must configure UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 500 on the firewall Firewall is a network security system used for preventing unauthorized access to or from a private network. to establish an IPv6 IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. connection for Remote APs.
