Exception Filtering

The exception filter provides a set of rules aimed at restricting the type of traffic that is delivered to the controller. By default, your system is shipped with a set of restrictive filter rules that help control access through the interfaces to only those services that are absolutely necessary.

By configuring to allow management on an interface, an additional set of rules is added to the shipped filter rules that provide access to the system's management configuration framework (SSH, HTTPS, SNMP (Simple Network Management Protocol) Agent). Most of this functionality is handled directly behind the scenes by the system, rolling and unrolling canned filters as the system's topology and defined access privileges for an interface change.

Note

An interface for which Allow Management is enabled can be reached by any other interface. By default, Allow Management is disabled and shipped interface filters will only permit the interface to be visible directly from its own subnet.

The visible exception filter definitions, in both physical port and topology definitions, allow administrators to define a set of rules that is added to the system's dynamically updated exception filter protection rules. Rule evaluation is performed top to bottom until an exact match is found, and these user-defined rules are evaluated before the system's own generated rules. As a result, user-defined rules may inadvertently open gaps in the system's protection mechanism, or filter out packets that the system itself requires.

Note

Use exception filters only if absolutely necessary. Avoid defining general "allow all" or "deny all" rules, since such definitions are easily too liberal or too restrictive for all types of traffic.

The exception rules are evaluated in the context of referring to the specific controller's interface. The destination address for the role rule definition is typically defined as the interface's own IP address. The port number for the filter definition corresponds to the target (destination) port number for the applicable service running on the controller's management plane.

The exception filter on a topology applies only to packets directed to the controller. It can be applied to the destination portion of the packet, or to the source portion of the packet when filtering is enabled. Traffic to a specified IP address and IP port is either allowed or denied. Adding exception filter rules allows network administrators to either tighten or relax the built-in filtering, which automatically drops packets not specifically allowed by role rule definitions. Exception filter rules can deny access in the event of a DoS attack, or can allow certain types of management traffic that would otherwise be denied. Typically, Allow Management is enabled.
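
To make the evaluation order concrete, the following is an added Python model written for this page; it is not the controller's own code. It assumes the semantics stated above (user-defined rules first, then the system's rules, top to bottom until the first match, and a drop when nothing allows the packet) and constructs its own sample addresses (TEST-NET ranges) and a stand-in for the shipped rules. It shows how a user-defined "deny all" shadows the management rule, how an "allow all" exposes a port the system would have dropped, and how a narrow source-based deny (Advanced Filtering Mode) tightens access without those side effects.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the exception-filter semantics this page describes: rules
# are evaluated top to bottom until the first match, user-defined (U) rules sit
# above the system's own (T/D) rules, and anything matched by no allow rule is
# dropped. Rule kinds, field names and sample addresses are this example's own.

@dataclass(frozen=True)
class Rule:
    kind: str        # "U" user-defined, "T" local interface, "D" default, "I" internal
    direction: str   # "dest", "src", "both", or "none" (rule disabled)
    network: str     # IP or subnet, e.g. "192.0.2.10/32" or "0.0.0.0/0"
    port_lo: int     # port range, inclusive; 0-65535 means any port
    port_hi: int
    protocol: str    # "tcp", "udp", or "N/A" for any protocol
    allow: bool      # True = Allow rule, False = Deny rule
    label: str = ""


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str


def _side_matches(rule: Rule, ip: str, port: int) -> bool:
    """True if one side (address + port) of the packet falls inside the rule's target."""
    return (ip_address(ip) in ip_network(rule.network, strict=False)
            and rule.port_lo <= port <= rule.port_hi)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction == "none" or (rule.protocol != "N/A" and rule.protocol != pkt.protocol):
        return False
    if rule.direction == "dest":
        return _side_matches(rule, pkt.dst_ip, pkt.dst_port)
    if rule.direction == "src":
        return _side_matches(rule, pkt.src_ip, pkt.src_port)
    # "both" (Advanced Mode) is assumed here to check the target against either side.
    return (_side_matches(rule, pkt.dst_ip, pkt.dst_port)
            or _side_matches(rule, pkt.src_ip, pkt.src_port))


def decide(user_rules, system_rules, pkt):
    """First match wins; user-defined rules are consulted before the system's own.
    Returns (allowed, label of the deciding rule)."""
    for rule in list(user_rules) + list(system_rules):
        if rule_matches(rule, pkt):
            return rule.allow, rule.label
    return False, "implicit drop"      # nothing allowed it, so the system drops it


CONTROLLER_IP = "192.0.2.10"          # constructed interface address (TEST-NET-1)

# Constructed stand-in for the shipped rules on an interface with Allow Management
# enabled: HTTPS to the interface itself is allowed, everything else is dropped.
SYSTEM_RULES = [
    Rule("T", "dest", CONTROLLER_IP + "/32", 443, 443, "tcp", True, "sys: allow mgmt https"),
    Rule("D", "dest", "0.0.0.0/0", 0, 65535, "N/A", False, "sys: default deny"),
]

# Constructed sample traffic aimed at the controller interface.
SAMPLE_PACKETS = {
    "https_from_admin":  Packet("203.0.113.5", 50000, CONTROLLER_IP, 443, "tcp"),
    "https_from_subnet": Packet("198.51.100.7", 50001, CONTROLLER_IP, 443, "tcp"),
    "snmp_from_admin":   Packet("203.0.113.5", 50002, CONTROLLER_IP, 161, "udp"),
}

# Three user-defined rule sets: the two broad ones the page warns against, and
# a narrow source-based deny (Advanced Mode) that tightens without side effects.
DENY_ALL    = [Rule("U", "dest", "0.0.0.0/0", 0, 65535, "N/A", False, "user: deny all")]
ALLOW_ALL   = [Rule("U", "dest", "0.0.0.0/0", 0, 65535, "N/A", True,  "user: allow all")]
DENY_SUBNET = [Rule("U", "src", "198.51.100.0/24", 0, 65535, "N/A", False, "user: deny 198.51.100.0/24")]


def outcomes(user_rules):
    """Map each sample packet name to (allowed, deciding rule) under the given user rules."""
    return {name: decide(user_rules, SYSTEM_RULES, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for title, rules in [("no user rules", []), ("deny all", DENY_ALL),
                         ("allow all", ALLOW_ALL), ("deny one subnet", DENY_SUBNET)]:
        print(f"== {title}")
        for name, (allowed, label) in outcomes(rules).items():
            print(f"  {name:18} {'ALLOW' if allowed else 'DENY ':5}  via {label}")
```

Running the block prints, for each rule set, which rule decided each packet: with "deny all" on top the management HTTPS rule is never reached, with "allow all" the SNMP port is reachable even though the shipped rules would drop it, and with the source-based deny only the named subnet loses access.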

To define exception filters:

  1. From the top menu, click VNS.
  2. In the left pane, select Topologies.
  3. On the Topologies page, click the Exception Filters tab.

    The Exceptions Filter page displays.

    Figure: Topology Exception Filters
  4. Select an existing topology from the right-hand pane to edit an existing topology, or click New to create a new topology.

    The Topologies configuration page displays. The Exception Filters tab is available only if Layer 3 (L3) configuration is enabled.

  5. Click the Exception Filters tab to display the Exception Filters page.

Exception Filters page - Fields and Buttons

Rule
    Identifies the type of role rule. Options are:
      • D - Default rule
      • I - Internal (read-only)
      • T - Local interface rule
      • U - User-defined rule
In
    Identifies the rule that applies to traffic from the network host or wireless device that is trying to reach the controller. You can change this setting using the drop-down menu. Options include:
      • Destination (dest)
      • Source (src) - available in Advanced Filtering Mode only
      • None
      • Both - available in Advanced Filtering Mode only
Allow
    Select the Allow checkbox to make this an Allow rule. Otherwise the rule denies the matching traffic.
IP:Port
    Identifies the IP address and port to which this role rule applies.
Protocol
    In the Protocol drop-down list, click the applicable protocol. The default is N/A.
Up, Down
    Select a role rule and click Up or Down to move the rule up or down in the list. The filter rules are evaluated in the order in which you define them here.
Add
    Click to add a role rule. The fields in the Add Filter area are enabled.
Delete
    Click to remove the selected role rule.
Add Predefined
    Select a predefined role rule. Click Add to add the rule to the rule table, otherwise click Cancel.
Save
    Click to save the configuration.
Advanced Mode
    Advanced filtering mode provides the ability to create bidirectional filters.

    If this controller participates in a mobility zone, before enabling advanced mode be sure that all controllers in the mobility zone are running V7.41 or greater.

    Note: After enabling advanced filtering mode, you can no longer use NMS Wireless Manager V4.0 to manage the controller's roles, and you cannot switch back to basic filter mode unless you return the controller to its default state.

Add Filter section

IP/subnet:port
    Type the destination IP address. You can also specify an IP range, a port designation, or a port range on that IP address.
Protocol
    In the Protocol drop-down list, click the applicable protocol. The default is N/A.
In Filter
    In the drop-down menu, select an option that refers to traffic from the network host that is trying to get to a wireless device. Options include:
      • Destination (dest)
      • Source (src) - available in Advanced Filtering Mode only
      • None
      • Both - available in Advanced Filtering Mode only

    By default, user-defined rules are enabled on ingress (In) and are assumed to be Allow rules. To disable the rule in either direction, or to make it a Deny rule, click the new filter, then de-select the relevant checkbox.
OK
    Click to add the role rule to the filter group. The information displays in the role rule table.
Cancel
    Click Cancel to discard your changes.
Note

For External Captive Portal, you need to add an external server to a non-authentication filter.