The exception filter provides a set of rules aimed at restricting the type of traffic that is delivered to the controller. By default, your system is shipped with a set of restrictive filter rules that help control access through the interfaces to only those services that are absolutely necessary.
By configuring to allow management on an interface, an additional set of rules is added to the shipped filter rules that provide access to the system's management configuration framework (SSH, HTTPS, SNMP Agent). Most of this functionality is handled directly behind the scenes by the system, rolling and unrolling canned filters as the system's topology and defined access privileges for an interface change.
Note
An interface for which Allow Management is enabled can be reached from any other interface. By default, Allow Management is disabled, and the shipped interface filters only permit the interface to be visible directly from its own subnet.

The visible exception filter definitions, both in physical ports and in topology definitions, allow administrators to define a set of rules that are added to the system's dynamically updated exception filter protection rules. Rule evaluation is performed top to bottom until an exact match is found, and these user-defined rules are evaluated before the system's own generated rules. As such, user-defined rules may inadvertently create security lapses in the system's protection mechanism, or filter out packets that the system itself requires.
Note
Use exception filters only if absolutely necessary. It is recommended that you avoid defining general allow-all or deny-all rules, since such definitions can easily be too liberal or too restrictive for all types of traffic.

The exception rules are evaluated in the context of the specific controller interface they refer to. The destination address in a role rule definition is typically the interface's own IP address. The port number in the filter definition corresponds to the target (destination) port of the applicable service running on the controller's management plane.
The exception filter on a topology applies only to packets directed to the controller. It can be applied to the destination portion of the packet, or to the source portion of the packet when filtering is enabled. Traffic to a specified IP address and IP port is either allowed or denied. Adding exception filter rules allows network administrators to either tighten or relax the built-in filtering, which automatically drops packets not specifically allowed by role rule definitions. Exception filter rules can deny access in the event of a DoS attack, or can allow certain types of management traffic that would otherwise be denied. Typically, Allow Management is enabled.
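The evaluation order described above (top to bottom, first exact match wins, user-defined rules ahead of the system's generated rules) is what makes a general deny-all exception rule dangerous. The following is an added illustration, not code from the controller or its vendor: it models that order with constructed rules and checks whether a user-defined rule pre-empts one of the system's management rules with the opposite verdict. The interface address 192.0.2.1, the port and protocol syntax, and the function names are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    dest: str       # destination "IP/subnet"; "0.0.0.0/0" matches any address
    port: str       # "22", a range such as "22-23", or "*" for any port
    protocol: str   # "tcp", "udp", or "N/A" (the page's default, i.e. any)
    allow: bool     # Allow checkbox set; otherwise the rule is a Deny rule
    origin: str     # "user" (exception filter) or "system" (generated rule)

    def matches(self, dst_ip: str, dst_port: int, proto: str) -> bool:
        if ip_address(dst_ip) not in ip_network(self.dest, strict=False):
            return False
        if self.port != "*":
            lo, _, hi = self.port.partition("-")
            if not int(lo) <= dst_port <= int(hi or lo):
                return False
        return self.protocol == "N/A" or self.protocol == proto

def evaluate(user_rules, system_rules, dst_ip, dst_port, proto):
    """Top-to-bottom first match; user-defined rules are consulted first."""
    for rule in list(user_rules) + list(system_rules):
        if rule.matches(dst_ip, dst_port, proto):
            return rule
    return None  # no match: the built-in filtering drops the packet

def shadowed_system_rules(user_rules, system_rules, samples):
    """List sample packets where a user rule overrides a system rule's verdict."""
    findings = []
    for ip, port, proto in samples:
        sys_hit = evaluate([], system_rules, ip, port, proto)
        hit = evaluate(user_rules, system_rules, ip, port, proto)
        if sys_hit and hit is not sys_hit and hit.allow != sys_hit.allow:
            findings.append((ip, port, proto, hit, sys_hit))
    return findings

# Constructed sample: the interface's own address and the management services
# the page names for Allow Management (SSH, HTTPS, SNMP agent).
IFACE_IP = "192.0.2.1"
SYSTEM_RULES = [
    Rule(IFACE_IP + "/32", "22", "tcp", True, "system"),   # SSH
    Rule(IFACE_IP + "/32", "443", "tcp", True, "system"),  # HTTPS
    Rule(IFACE_IP + "/32", "161", "udp", True, "system"),  # SNMP agent
]
# The kind of general deny-all exception rule the page recommends against.
DENY_ALL = [Rule("0.0.0.0/0", "*", "N/A", False, "user")]
SAMPLES = [(IFACE_IP, 22, "tcp"), (IFACE_IP, 443, "tcp"),
           (IFACE_IP, 161, "udp"), (IFACE_IP, 8080, "tcp")]

if __name__ == "__main__":
    for ip, port, proto, hit, sys_hit in shadowed_system_rules(DENY_ALL, SYSTEM_RULES, SAMPLES):
        print(f"{ip}:{port}/{proto}: {hit.origin} rule denies what a {sys_hit.origin} rule allows")
```

Running the check before saving a new exception rule shows which management services the rule would silently block on that interface.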
The Exceptions Filter page displays.
The Topologies configuration page displays. The Exception Filters tab is available only if Layer 3 (L3) configuration is enabled.
Field/Button | Description |
---|---|
Rule | Identifies the type of role rule. Options are: |
In | Identifies the rule that applies to traffic from the network host or wireless device that is trying to get to a controller. You can change this setting using the drop-down menu. Options include: |
Allow | Select the Allow checkbox to allow this rule. Otherwise the rule is denied. |
IP:Port | Identifies the IP address and port to which this role rule applies. |
Protocol | In the Protocol drop-down list, click the applicable protocol. The default is N/A. |
Up, Down | Select a role rule and click to move the rule up or down in the list. The filter rules are executed in the order in which you define them here. |
Add | Click to add a role rule. The fields in the Add Filter area are enabled. |
Delete | Click to remove this role rule. |
Add Predefined | Select a predefined role rule. Click Add to add the rule to the rule table, otherwise click Cancel. |
Save | Click to save the configuration. |
Advanced Mode | Advanced filtering mode provides the ability to create bidirectional filters. If this controller participates in a mobility zone, before enabling advanced mode be sure that all controllers in the mobility zone are running V7.41 or greater. Note: After enabling advanced filtering mode, you can no longer use NMS Wireless Manager V4.0 to manage the controller's roles, and you cannot switch back to basic filter mode unless you return the controller to its default state. |
Add Filter section | |
IP/subnet:port | Type the destination IP address. You can also specify an IP range, a port designation, or a port range on that IP address. |
Protocol | In the Protocol drop-down list, click the applicable protocol. The default is N/A. |
In Filter | In the drop-down menu, select an option that refers to traffic from the network host that is trying to get to a wireless device. Options include: By default, user-defined rules are enabled on ingress (In) and are assumed to be Allow rules. To disable the rule in either direction, or to make it a Deny rule, click the new filter, then de-select the relevant checkbox. |
OK | Click to add the role rule to the filter group. The information displays in the role rule table. |
Cancel | Click Cancel to discard your changes. |
Note
For External Captive Portal, you need to add an external server to a non-authentication filter.