User's Manual
Virtual Network configuration
Configuring filtering rules for a VNS
A31003-W1050-U100-2-7619, March 2008
HiPath Wireless Controller, Access Points and Convergence Software V5 R1, C20/C2400 User Guide
ID that has its own filtering rules. If no filter ID matches are found, then the default
filter is applied. VNS Policy is also applicable for Captive Portal and MAC-based
authorization.
6.9.1 Filtering rules for an exception filter
The exception filter provides a set of rules aimed at restricting the type of traffic
that is delivered to the controller itself. By default, the system is shipped with a set of
restrictive filtering rules that limit access through the interfaces to only the
absolutely necessary services.
When Allow Management is enabled on an interface, an additional set of rules is
added to the shipped filter rules to provide access to the system's management
framework (SSH, HTTPS, SNMP agent). Most of this is handled behind the scenes
by the system, which rolls canned filters in and out as the system's topology and the
defined access privileges for an interface change.
Note: An interface for which Allow Management is enabled can be reached from
any other interface. By default, Allow Management is disabled, and the shipped
interface filters only permit the interface to be reached directly from its own
subnet.
The visible exception filter definitions, in both physical port and VNS definitions,
allow administrators to define a set of rules that is prepended to the system's
dynamically updated exception filter protection rules. Rule evaluation is
performed top to bottom until the first exact match is found. Therefore, these
user-defined rules are evaluated before the system's own generated rules. As
such, user-defined rules may inadvertently open gaps in the system's protection
mechanism or filter out packets that the system itself requires.
Note: Use exception filters only if absolutely necessary. It is recommended to
avoid defining general allow all or deny all rule definitions since those definitions
can easily be too liberal or too restrictive to all types of traffic.
The exception rules are evaluated in the context of the specific controller
interface they refer to. The destination address in a filter rule definition is
typically the interface's own IP address. The port number in the filter
definition is the target (destination) port number of the applicable
service running on the controller's management plane.
The exception filter on a VNS applies only to the destination portion of the
packet. Traffic to a specified IP address and IP port is either allowed or denied.
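The following is an added illustration, not code or rule syntax from the HiPath controller, of why the Note above warns against blanket allow-all or deny-all exception rules. It models the evaluation order the text describes (user-defined rules prepended to the system's generated rules, first match from the top wins, only the destination side of the packet is examined) and audits how a proposed user rule set changes the decisions for a few management flows. The interface address 10.0.0.1, the stand-in system rules, and the sample flows are all constructed for this example.

```python
"""Added example: first-match evaluation of prepended exception-filter rules.
Simplified model written for this page; not the controller's own filter
engine.  Addresses, rules and flows below are constructed for illustration."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    dst: str                # destination prefix, e.g. "10.0.0.1/32" or "0.0.0.0/0"
    proto: Optional[str]    # "tcp", "udp", or None for any protocol
    dport: Optional[int]    # destination port, or None for any port

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        # Exception filters look only at the destination side of the packet.
        if ip_address(dst_ip) not in ip_network(self.dst, strict=False):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport


def evaluate(user_rules: List[Rule], system_rules: List[Rule],
             proto: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Top-to-bottom, first match wins.  User rules are prepended, so they are
    consulted before the system's generated rules.  Returns (action, origin)
    so the caller can see which rule set made the decision."""
    for origin, ruleset in (("user", user_rules), ("system", system_rules)):
        for rule in ruleset:
            if rule.matches(proto, dst_ip, dport):
                return rule.action, origin
    return "deny", "implicit"   # restrictive default when nothing matched


# Hypothetical stand-in for the shipped rules of a management-enabled
# interface at 10.0.0.1 (constructed; not the controller's real rule set).
IFACE_IP = "10.0.0.1"
SYSTEM_RULES = [
    Rule("allow", f"{IFACE_IP}/32", "tcp", 22),    # SSH
    Rule("allow", f"{IFACE_IP}/32", "tcp", 443),   # HTTPS
    Rule("allow", f"{IFACE_IP}/32", "udp", 161),   # SNMP agent
    Rule("deny", "0.0.0.0/0", None, None),         # everything else
]

# Representative flows toward the interface (constructed sample input).
FLOWS = {
    "ssh": ("tcp", IFACE_IP, 22),
    "https": ("tcp", IFACE_IP, 443),
    "snmp": ("udp", IFACE_IP, 161),
    "telnet": ("tcp", IFACE_IP, 23),
}


def audit(user_rules: List[Rule]) -> dict:
    """Decision for each flow without and with the user rules prepended."""
    report = {}
    for label, (proto, dst, port) in FLOWS.items():
        before = evaluate([], SYSTEM_RULES, proto, dst, port)[0]
        after = evaluate(user_rules, SYSTEM_RULES, proto, dst, port)[0]
        report[label] = (before, after)
    return report


def changed_flows(user_rules: List[Rule]) -> List[str]:
    """Flows whose outcome the proposed user rules would change."""
    return sorted(k for k, (before, after) in audit(user_rules).items()
                  if before != after)


if __name__ == "__main__":
    # A blanket deny prepended by an administrator silences the system's own
    # SSH/HTTPS/SNMP allow rules: packets the management plane needs are dropped.
    deny_all = [Rule("deny", "0.0.0.0/0", None, None)]
    print("deny-all changes:", changed_flows(deny_all))

    # A blanket allow opens services the shipped rules would otherwise block.
    allow_all = [Rule("allow", "0.0.0.0/0", None, None)]
    print("allow-all changes:", changed_flows(allow_all))

    # A narrow rule (this interface, one port) is the intended use and leaves
    # the shipped management rules untouched.
    narrow = [Rule("allow", f"{IFACE_IP}/32", "tcp", 8443)]
    print("narrow-rule changes:", changed_flows(narrow))
```

Running `changed_flows` against a proposed rule set before committing it is the check a practitioner wants here: a user rule that alters the decision for a flow the system rules already cover is exactly the "security lapse" or "required packet filtered out" case the text warns about.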
Adding exception filtering rules allows network administrators to either tighten or