Alcatel-Lucent AOS-W 6.5.3.x User Guide (1160 pages) - Page 1091
1091 | Behavior and Defaults | AOS-W 6.5.3.x User Guide
Predefined Policy / Description

Predefined policy: control

    ip access-list session control
    user any udp 68 deny
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-papi permit
    any any svc-cfgm-tcp permit
    any any svc-adp permit
    any any svc-tftp permit
    any any svc-dhcp permit
    any any svc-natt permit

Description: Controls traffic. Apply to untrusted wired ports in order to allow Alcatel-Lucent APs to boot up.
NOTE: In most cases wired ports should be made "trusted" when attached to an internal network.

Predefined policy: captiveportal

    ip access-list session captiveportal
    user alias mswitch svc-https dst-nat 8081
    user any svc-http dst-nat 8080
    user any svc-https dst-nat 8081
    user any svc-http-proxy1 dst-nat 8088
    user any svc-http-proxy2 dst-nat 8088
    user any svc-http-proxy3 dst-nat 8088

Description: Enables Captive Portal authentication.
1. Any HTTPS traffic destined for the switch will be NATed to port 8081, where the captive portal server will answer.
2. All HTTP traffic to any destination will be NATed to the switch on port 8080, where an HTTP redirect will be issued.
3. All HTTPS traffic to any destination will be NATed to the switch on port 8081, where an HTTP redirect will be issued.
4. All HTTP proxy traffic will be NATed to the switch on port 8088.
NOTE: In order for captive portal to work properly, DNS must also be permitted. This is normally done in the "logon-control" firewall rule.

Predefined policy: cplogout

    ip access-list session cplogout
    user alias mswitch svc-https dst-nat 8081

Description: Used to enable the captive portal "logout" window. If the user attempts to connect to the switch on the standard HTTPS port (443), the client will be NATed to port 8081, where the captive portal server will answer. If this rule is not present, a wireless client may be able to access the switch's administrative interface.

Predefined policy: vpnlogon

    ip access-list session vpnlogon
    any any svc-ike permit
    any any svc-esp permit
    any any svc-l2tp permit
    any any svc-pptp permit
    any any svc-gre permit

Description: This policy permits VPN sessions to be established to any destination. IPsec (IKE, ESP, and L2TP) and PPTP (PPTP and GRE) are supported.

Predefined policy: ap-acl

    ip access-list session ap-acl
    any any udp 5000
    any any udp 5555
    any any svc-gre permit
    any any svc-syslog permit
    any user svc-snmp permit
    user any svc-snmp-trap permit
    user any svc-ntp permit

Description: This is a policy for internal use and should not be modified. It permits APs to boot up and communicate with the switch.
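The following is an added example, not code from the AOS-W user guide or from Alcatel-Lucent: a small parser and evaluator for the session ACL rule syntax shown in the table above, used to check how a given client flow is handled (permit, deny or dst-nat) by the "control", "captiveportal" and "cplogout" policies. It assumes, beyond what the page states, that rules are evaluated top-down with the first matching rule winning, that "alias mswitch" resolves to the switch's own address (modelled as a flow destination of "switch"), and that the SERVICES table below is a constructed subset of the default net-service aliases; verify those port mappings against the net services configured on your own controller before relying on them.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed net-service alias table (assumed values): name -> (proto, low port, high port).
SERVICES = {
    "svc-icmp": ("icmp", 0, 0), "svc-dns": ("udp", 53, 53), "svc-dhcp": ("udp", 67, 68),
    "svc-tftp": ("udp", 69, 69), "svc-natt": ("udp", 4500, 4500), "svc-adp": ("udp", 8200, 8200),
    "svc-papi": ("udp", 8211, 8211), "svc-cfgm-tcp": ("tcp", 8211, 8211),
    "svc-http": ("tcp", 80, 80), "svc-https": ("tcp", 443, 443),
    "svc-http-proxy1": ("tcp", 3128, 3128), "svc-http-proxy2": ("tcp", 8080, 8080),
    "svc-http-proxy3": ("tcp", 8888, 8888),
}


@dataclass(frozen=True)
class Rule:
    src: str                 # "any", "user" or "alias:<name>"
    dst: str
    proto: str
    port_lo: int
    port_hi: int
    action: str              # "permit", "deny" or "dst-nat"
    nat_port: Optional[int]  # target port for dst-nat, else None


@dataclass(frozen=True)
class Flow:
    src: str    # "user" for a client in a user role, otherwise "other"
    dst: str    # "switch" for the controller itself, "user", or "other"
    proto: str  # "tcp", "udp" or "icmp"
    port: int   # destination port (0 for icmp)


def _endpoint(tokens: List[str]) -> Tuple[str, List[str]]:
    # Consume one endpoint token: "any", "user" or "alias <name>".
    if tokens[0] == "alias":
        return "alias:" + tokens[1], tokens[2:]
    return tokens[0], tokens[1:]


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    src, tokens = _endpoint(tokens)
    dst, tokens = _endpoint(tokens)
    if tokens[0] in ("tcp", "udp"):            # explicit protocol and port
        proto, lo, hi = tokens[0], int(tokens[1]), int(tokens[1])
        tokens = tokens[2:]
    elif tokens[0] in SERVICES:                # named service alias
        proto, lo, hi = SERVICES[tokens[0]]
        tokens = tokens[1:]
    else:
        raise ValueError(f"unknown service in rule: {line!r}")
    if not tokens or tokens[0] not in ("permit", "deny", "dst-nat"):
        raise ValueError(f"missing or unknown action in rule: {line!r}")
    nat_port = int(tokens[1]) if tokens[0] == "dst-nat" else None
    return Rule(src, dst, proto, lo, hi, tokens[0], nat_port)


def parse_policy(text: str) -> Tuple[str, List[Rule]]:
    # Parse "ip access-list session <name>" followed by one rule per line.
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split()
    if header[:3] != ["ip", "access-list", "session"]:
        raise ValueError(f"not a session ACL header: {lines[0]!r}")
    return header[3], [parse_rule(ln) for ln in lines[1:]]


def _endpoint_matches(rule_ep: str, flow_ep: str) -> bool:
    if rule_ep == "any":
        return True
    if rule_ep == "alias:mswitch":   # assumption: the mswitch alias is the switch itself
        return flow_ep == "switch"
    return rule_ep == flow_ep        # "user" matches a user-role endpoint


def evaluate(rules: List[Rule], flow: Flow) -> Optional[Tuple[str, Optional[int]]]:
    # First-match evaluation (assumed). Returns (action, nat_port), or None if no rule matches.
    for r in rules:
        if (_endpoint_matches(r.src, flow.src) and _endpoint_matches(r.dst, flow.dst)
                and r.proto == flow.proto and r.port_lo <= flow.port <= r.port_hi):
            return r.action, r.nat_port
    return None


# Policy text copied from the predefined-policy table above.
CONTROL = """ip access-list session control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-papi permit
any any svc-cfgm-tcp permit
any any svc-adp permit
any any svc-tftp permit
any any svc-dhcp permit
any any svc-natt permit"""
CAPTIVEPORTAL = """ip access-list session captiveportal
user alias mswitch svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088"""
CPLOGOUT = """ip access-list session cplogout
user alias mswitch svc-https dst-nat 8081"""

if __name__ == "__main__":
    _, control = parse_policy(CONTROL)
    _, logout = parse_policy(CPLOGOUT)
    # A user-role client sending to UDP/68 (acting as a DHCP server) is denied by "control".
    print(evaluate(control, Flow("user", "other", "udp", 68)))
    # A user-role client opening HTTPS to the switch itself is NATed to 8081 by "cplogout".
    print(evaluate(logout, Flow("user", "switch", "tcp", 443)))
```

The last check is the one the "cplogout" description calls out: with that rule in place, a user-role client's HTTPS connection to the switch on port 443 lands on the captive portal listener at 8081 rather than the administrative interface; evaluating the same flow against an ACL that lacks the rule returns no match, which is the condition to look for when auditing a role's policy list.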
