Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
The default deny UDP 68 rule blocks DHCP replies sent by wireless users, which prevents a wireless user from acting as a DHCP server on the wireless network.
If we deny UDP port 68, why does the policy permit DHCP in the rule right after the deny UDP 68?
ip access-list session control
  user any udp 68 deny
  any any svc-dhcp permit
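The 'any any svc-dhcp permit' rule allows UDP 68 traffic from a DHCP server to reach the client because the first field of that rule is 'any' instead of 'user'. The deny rule only matches traffic whose source is a user, so replies from the DHCP server fall through to the permit.
If you had an 'any any udp 68 deny' rule instead, the client would never get an IP address, because the traffic would be blocked in both directions.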
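The rule ordering described above can be checked with a small first-match model. This is an added example, not ArubaOS code: the matching logic, the treatment of svc-dhcp as UDP 67-68, the implicit deny at the end, and the sample packets are all simplifying assumptions made for illustration.

```python
# Simplified first-match model of the session ACL (an assumption, not ArubaOS code).
# "udp 68" is treated as destination UDP port 68.
SVC_DHCP = {67, 68}  # assumed definition of svc-dhcp: UDP 67-68

def parse_rule(line):
    """Split '<source> <destination> <service> <action>' into its fields."""
    src, dst, *svc, action = line.split()
    if svc == ["svc-dhcp"]:
        ports = SVC_DHCP
    elif len(svc) == 2 and svc[0] == "udp":
        ports = {int(svc[1])}
    else:
        raise ValueError(f"unsupported service in rule: {line!r}")
    return src, dst, ports, action

def alias_matches(alias, is_user):
    """'any' matches every host; 'user' matches only the wireless user."""
    return alias == "any" or (alias == "user" and is_user)

def evaluate(policy, src_is_user, dst_is_user, dst_port):
    """Return the action of the first rule that matches the packet."""
    for line in policy:
        src, dst, ports, action = parse_rule(line)
        if (alias_matches(src, src_is_user)
                and alias_matches(dst, dst_is_user)
                and dst_port in ports):
            return action
    return "deny"  # assumed implicit deny when no rule matches

DEFAULT_POLICY = ["user any udp 68 deny", "any any svc-dhcp permit"]
BLOCK_ALL_68 = ["any any udp 68 deny", "any any svc-dhcp permit"]

# Constructed packets: name -> (src_is_user, dst_is_user, dst_port)
PACKETS = {
    "client_request": (True, False, 67),   # user -> DHCP server
    "server_reply": (False, True, 68),     # DHCP server -> user
    "user_as_server": (True, True, 68),    # wireless user answering as a DHCP server
}

def verdicts(policy):
    """Evaluate every constructed packet against the policy."""
    return {name: evaluate(policy, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, policy in (("default", DEFAULT_POLICY), ("any any udp 68 deny", BLOCK_ALL_68)):
        print(label, verdicts(policy))
```

With the default policy only the reply sourced from a user is denied; with 'any any udp 68 deny' the legitimate server reply is denied as well, so the client never completes DHCP.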