685 | External Firewall Configuration | AOS-W 6.5.3.x | User Guide
- TFTP (UDP port 69). For all campus APs, if there is no local image on the AP or if the image needs to be upgraded (for example, a new AP), the AP uses TFTP to retrieve the initial image. Remote APs upgrade the image only by FTP, not TFTP.
- SYSLOG (UDP port 514)
- PAPI (UDP port 8211)
- GRE (protocol 47)
- Control Plane Security (CPSec) uses UDP port 4500
Communication Between Remote APs and the Switch
Configure the following ports to enable communication between a Remote AP (IPSec) and a switch:
- NAT-T (UDP port 4500)
- TFTP (UDP port 69)
TFTP is not needed for normal operation. If the remote AP loses its local image for any reason, it uses TFTP to download the latest image.
Enabling Network Access
This section describes the network ports that need to be configured on the firewall to manage the Alcatel-Lucent network.
For WebUI access between the network administrator's computer (running a Web browser) and a switch:
- HTTP (TCP ports 80 and 8888) or HTTPS (TCP ports 443 and 4343).
- SSH (TCP port 22) or TELNET (TCP port 23).
Ports Used for Virtual Intranet Access (VIA)
The following ports are used with Alcatel-Lucent VIA.
- For the reachability/trusted network check, use port 443.
- For the IPSec connection, use port 4500.
- To allow ISAKMP, use port 500.
Configuring Ports to Allow Other Traffic Types
This section describes the network ports that need to be configured on the firewall to allow other types of traffic in the Alcatel-Lucent network. Allow traffic on these ports only where it is actually needed.
- For logging: SYSLOG (UDP port 514) between the switch and syslog servers.
- For software upgrade or retrieving system logs: TFTP (UDP port 69) or FTP (TCP ports 21 and 22) between the switch and a software distribution server.
- If the switch is a PPTP VPN server, allow PPTP (UDP port 1723) and GRE (protocol 47) to the switch.
- If the switch is an L2TP VPN server, allow NAT-T (UDP port 4500), ISAKMP (UDP port 500) and ESP (protocol 50) to the switch.
- If a third-party network management system is used, allow SNMP (UDP ports 161 and 162) between the network management system and all switches.
- For authentication with a RADIUS server: RADIUS (typically, UDP ports 1812 and 813, or 1645 and 1646) between the switch and the RADIUS server.
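An added example (not from the Alcatel-Lucent guide) that turns the port lists on this page into a least-privilege nftables allowlist, emitting rules only for the deployment roles actually in use. The switch and subnet addresses are constructed, and the remote-AP and VIA client sources are assumed to be any address; the HTTP and TELNET management alternatives are deliberately left out of the table.

```python
"""Least-privilege firewall allowlist for an AOS-W switch (added example).
The service table transcribes the port lists on this page; addresses are constructed."""
from dataclasses import dataclass

SWITCH = "10.0.0.10"        # constructed: AOS-W switch (controller) address
AP_NET = "10.0.10.0/24"     # constructed: campus AP subnet
ADMIN_NET = "10.0.99.0/24"  # constructed: administrators' workstations
ANY = "0.0.0.0/0"           # assumed source for remote APs and VIA clients


@dataclass(frozen=True)
class Service:
    role: str     # deployment role that needs this flow
    name: str     # label from the guide's port list
    proto: str    # "tcp", "udp", or an IP protocol name such as "gre"
    ports: tuple  # empty for port-less protocols (GRE)
    src: str
    dst: str


SERVICES = (
    Service("campus-ap", "PAPI", "udp", (8211,), AP_NET, SWITCH),
    Service("campus-ap", "TFTP", "udp", (69,), AP_NET, SWITCH),
    Service("campus-ap", "SYSLOG", "udp", (514,), AP_NET, SWITCH),
    Service("campus-ap", "GRE", "gre", (), AP_NET, SWITCH),
    Service("campus-ap", "CPSec", "udp", (4500,), AP_NET, SWITCH),
    Service("remote-ap", "NAT-T", "udp", (4500,), ANY, SWITCH),
    Service("remote-ap", "TFTP", "udp", (69,), ANY, SWITCH),
    Service("admin", "HTTPS", "tcp", (443, 4343), ADMIN_NET, SWITCH),
    Service("admin", "SSH", "tcp", (22,), ADMIN_NET, SWITCH),
    Service("via", "VIA check", "tcp", (443,), ANY, SWITCH),
    Service("via", "IPSec", "udp", (4500,), ANY, SWITCH),
    Service("via", "ISAKMP", "udp", (500,), ANY, SWITCH),
)


def nft_rules(enabled_roles):
    """Return nftables rule lines for the enabled roles, ending in a default deny."""
    rules = []
    for s in SERVICES:
        if s.role not in enabled_roles:
            continue  # role not deployed: leave its ports closed
        if s.ports:
            match = f"{s.proto} dport {{ {', '.join(map(str, s.ports))} }}"
        else:
            match = f"meta l4proto {s.proto}"
        rules.append(f"ip saddr {s.src} ip daddr {s.dst} {match} accept  # {s.name}")
    rules.append("drop  # default deny: nothing else reaches the switch")
    return rules


if __name__ == "__main__":
    print("\n".join(nft_rules({"campus-ap", "admin"})))
```

The returned lines drop into the input chain of an nftables script; running with a smaller role set is how you verify that, say, a site without remote APs exposes nothing to the internet.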