Alcatel-Lucent AOS-W 6.5.3.x - External Firewall Configuration; Understanding Firewall Port Configuration Among Alcatel-Lucent Devices

AOS-W 6.5.3.x | User Guide External Firewall Configuration | 684
Chapter 28
External Firewall Configuration
In many deployment scenarios, an external firewall is situated between Alcatel-Lucent devices. This chapter describes the network ports that need to be configured on the external firewall to allow proper operation of the Alcatel-Lucent network. You can also use this information to configure session ACLs to apply to physical ports on the switch for enhanced security. However, this chapter does not describe requirements for allowing specific types of user traffic on the network.

A switch uses both its loopback address and VLAN addresses for communications with other network elements. If the firewall uses host-specific ACLs, those ACLs must specify all IP addresses used on the switch.
Topics in this chapter include:
• Understanding Firewall Port Configuration Among Alcatel-Lucent Devices on page 684
• Enabling Network Access on page 685
• Ports Used for Virtual Intranet Access (VIA) on page 685
• Configuring Ports to Allow Other Traffic Types on page 685
Understanding Firewall Port Configuration Among Alcatel-Lucent Devices
This section describes the network ports that need to be configured on the firewall to allow proper operation of the network.
Communication Between Switches
Configure the following ports to enable communication between any two switches:
• IPSec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local switch is encapsulated in IPSec.
• IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled
• GRE (protocol 47) if tunneling guest traffic over GRE to a DMZ switch
• IKE (UDP 500)
• ESP (protocol 50)
• NAT-T (UDP 4500)
Communication Between APs and the Switch
APs use Trivial File Transfer Protocol (TFTP) during their initial boot to grab their software image and configuration from the switch. After the initial boot, the APs use FTP to retrieve their software images and configurations from the switch. In many deployment scenarios, an external firewall is situated between various Alcatel-Lucent devices.
Configure the following ports to enable communication between an AP and the switch:
• PAPI (UDP port 8211). If the AP uses DNS to discover the LMS switch, the AP first attempts to connect to the master switch. (Also allow DNS (UDP port 53) traffic from the AP to the DNS server.)
• PAPI (UDP port 8211). All APs running as Air Monitors (AMs) require a permanent PAPI connection to the master switch.
• FTP (TCP port 21)
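The two port lists above (switch-to-switch and AP-to-switch) are easy to get partially wrong on an external firewall, so here is an added audit script, not part of the manual or of AOS-W, that checks a firewall's permit rules against the flows this chapter requires. The `permit <proto> [port|any]` rule format, the `Flow` type and the sample ruleset are assumptions constructed for the example; the protocol and port values are the chapter's.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp", or an IP protocol number as a string
    port: Optional[int]   # L4 port; None for protocols that carry no port
    purpose: str

# Flows listed in this chapter (names are the example's own; values are the manual's).
SWITCH_TO_SWITCH = (
    Flow("udp", 500, "IKE"),
    Flow("udp", 4500, "NAT-T"),
    Flow("50", None, "ESP (master/local PAPI is carried inside IPsec)"),
)
L3_MOBILITY = (Flow("94", None, "IP-IP"), Flow("udp", 443, "Layer-3 mobility"))
GRE_GUEST = (Flow("47", None, "GRE guest tunnel to the DMZ switch"),)
AP_TO_SWITCH = (
    Flow("udp", 8211, "PAPI"),
    Flow("tcp", 21, "FTP control channel"),
    Flow("udp", 53, "DNS from AP to DNS server (LMS discovery via DNS)"),
)

def required_flows(l3_mobility=False, gre_guest=False):
    """Flows the firewall must permit; the conditional ones depend on deployment options."""
    flows = list(SWITCH_TO_SWITCH) + list(AP_TO_SWITCH)
    if l3_mobility:
        flows += L3_MOBILITY
    if gre_guest:
        flows += GRE_GUEST
    return flows

def parse_rules(text):
    """Parse constructed 'permit <proto> [port|any]' lines into a set of (proto, port)."""
    rules = set()
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "permit":
            continue  # deny lines and blanks do not add reachability
        port = None if len(parts) < 3 or parts[2] == "any" else int(parts[2])
        rules.add((parts[1].lower(), port))
    return rules

def missing_flows(rules, flows):
    """Required flows that no permit covers; (proto, None) for tcp/udp means all ports."""
    return [f for f in flows
            if (f.proto, f.port) not in rules and (f.proto, None) not in rules]

# Constructed sample ruleset from an external firewall (not from the manual).
SAMPLE_RULES = "permit udp 500\npermit udp 4500\npermit 50\npermit udp 8211\npermit tcp 21\ndeny any"

if __name__ == "__main__":
    for f in missing_flows(parse_rules(SAMPLE_RULES), required_flows(l3_mobility=True)):
        print(f"missing: {f.proto} {f.port or ''} ({f.purpose})")
```

The chapter mentions TFTP for the initial AP boot but does not list its port, so it is deliberately absent from the required set; likewise TCP 21 alone does not cover FTP's separate data connection, which needs a matching policy on the firewall.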