
DNA Spaces Connector - Firewall ports to open

Chris Kaiser
Level 1

Hello

 

I'm about to deploy the DNA Spaces Connector, but there is this big problem: I don't know which FW ports I need to open.

There is a configuration guide which mentions which connections are made (Cisco DNA Spaces: Connector Configuration Guide - Open Ports (Wireless) [Cisco DNA Spaces] - Cisco), but this is not detailed, as I do not think my DNS server needs 53/UDP connecting to my Spaces Connector, and I'm pretty sure there is no incoming connection from DNA Spaces to my Spaces Connector.

Perhaps there is someone who can give me more information on which connections go from whom to whom.

1 Accepted Solution


7 Replies

balaji.bandi
Hall of Fame

As mentioned in the document, that is correct. From DNA Spaces to WLC you need the below ports to be open:

 

TCP/8004, TCP/630, TCP/16113, UDP/161, UDP/2003, TCP/22

 

DNA Spaces also requires DNS server / NTP / RADIUS for your infra services, wherever your DNS/NTP/RADIUS are in the network.

From DNA Spaces to the Internet (most people use a proxy for communication): if you are looking to go directly, then you need port 443 open for Cisco Cloud.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank You

 

I think I have not detailed my question.

I need specific rulesets. I don't think DNS is unidirectional.

I need to know who establishes the session for FastLocate and so on.

In the graphic the lines are all unidirectional, and this cannot be correct.

Correct, some do not need bi-directional:

Like 443 connecting to Cisco cloud,

DNS 53 and NTP to sync clock.

DNA Spaces to WLC needs to be bidirectional.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you very much!

This is the hint I needed!

Cisco needs to improve this product... most of the config was command line still.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Yes, absolutely. Also what Cisco should improve is the distribution of their documentation on Cisco DNA Spaces!

All documents, config guides, APIs are hard to find because of different sources.

I think it is a nice product, and it absolutely will replace our old CMX appliance, as the licences come with AIR-DNA-x.

pritamCTC
Level 1

DNA Spaces - I am defining here as Cisco Spaces Connector, VM based (inside of the network).

While the VM-based Spaces Connector communicates with internal devices like WLC, APs or Cisco Catalyst, we can create the access list on the core switch or create policies on the firewall as per source & destination IP along with source port & destination port.

As per the attached, you can see the source & destination by observing the arrow direction sign.

The arrow sign is the destination IP, and without the arrow is the source. This is my understanding.

https://www.cisco.com/c/en/us/td/docs/wireless/spaces/connector/2-x/config/b_connector/m_open-ports.html

See the section for Wireless.

OpenRoaming Firewall Rules

Table 2. OpenRoaming Firewall Rules

Still verifying a few other major points; will edit in case I find anything extra.
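To make the direction question from this thread concrete, here is an added example (not from the Cisco guide or from any poster) that models the connector flows named above as stateful firewall rules: a rule is written only for the side that opens the session, and replies are covered by connection tracking, which is why a DNS or NTP server never needs its own rule back towards the connector. The WLC ports are the ones listed in the thread, entered in both directions as the accepted reply says; the 123/UDP port for NTP and all IP addresses are assumptions chosen for the example, and the `permits` check mirrors what a stateful firewall decides on the first packet of a new session.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR of the side that OPENS the session (the initiator)
    dst: str      # CIDR of the side that accepts it
    proto: str    # "tcp" or "udp"
    dport: int    # destination port of the new session
    comment: str


# Constructed sample addresses for the example (not from the thread).
CONNECTOR = "10.0.10.5/32"   # Spaces Connector VM
WLC = "10.0.20.1/32"         # wireless LAN controller
DNS = "10.0.1.53/32"         # internal DNS server
NTP = "10.0.1.123/32"        # internal NTP server
ANY = "0.0.0.0/0"            # Cisco cloud reached directly (no proxy)

# Ports from the thread for connector <-> WLC traffic.
WLC_PORTS = [("tcp", 8004), ("tcp", 630), ("tcp", 16113),
             ("udp", 161), ("udp", 2003), ("tcp", 22)]


def build_policy():
    """Return the allow-list of session-opening flows for the connector."""
    rules = []
    for proto, port in WLC_PORTS:
        # The thread says connector <-> WLC must be bidirectional, so both
        # sides are allowed to open sessions on these ports.
        rules.append(Rule(CONNECTOR, WLC, proto, port, "connector -> WLC"))
        rules.append(Rule(WLC, CONNECTOR, proto, port, "WLC -> connector"))
    rules.append(Rule(CONNECTOR, ANY, "tcp", 443, "connector -> Cisco cloud"))
    rules.append(Rule(CONNECTOR, DNS, "udp", 53, "connector -> DNS"))
    # 123/UDP is the standard NTP port; the thread only says "NTP".
    rules.append(Rule(CONNECTOR, NTP, "udp", 123, "connector -> NTP"))
    return rules


def permits(rules, src_ip, dst_ip, proto, dport):
    """Return the rule that allows a NEW session from src_ip to dst_ip, or None.

    Reply packets of an existing session are not evaluated here; a stateful
    firewall matches them on ESTABLISHED state, so no reverse rule is needed.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (proto == r.proto and dport == r.dport
                and src in ip_network(r.src) and dst in ip_network(r.dst)):
            return r
    return None


def to_iptables(rules):
    """Render the policy as iptables FORWARD rules with a default drop."""
    lines = [
        "iptables -P FORWARD DROP",
        # Return traffic of sessions allowed below comes back through this line.
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        lines.append(
            f"iptables -A FORWARD -s {r.src} -d {r.dst} -p {r.proto} "
            f"--dport {r.dport} -m conntrack --ctstate NEW -j ACCEPT  # {r.comment}"
        )
    return lines


if __name__ == "__main__":
    policy = build_policy()
    print("\n".join(to_iptables(policy)))
    # The DNS server initiating a session towards the connector is NOT allowed;
    # only its replies to the connector's queries pass, via conntrack.
    print(permits(policy, "10.0.1.53", "10.0.10.5", "udp", 53))
```

Running the block prints the rule set and then `None` for the DNS-server-to-connector check, which is the practical answer to the "is DNS unidirectional" question: the rule is one-way, the traffic is two-way, and the firewall's state table bridges the two. On a stateless ACL (a plain switch access list) the reverse direction would have to be written explicitly, which is where the guide's arrows are easy to misread.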
