Controller Based WLANs

What is the purpose of denying UDP 68 traffic?

by on ‎07-01-2014 01:58 PM

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.


The deny UDP 68 ACL (the default) prevents DHCP replies on a wireless network from wireless users from acting as a DHCP server.


If we deny UDP port 68, then what are we doing when we permit DHCP in the policy right after the deny UDP 68?



ip access-list session control
user any udp 68 deny
any any svc-dhcp permit


The 'any any svc-dhcp permit' allows the udp 68 from a DHCP server to be sent to the client because the first statement is an 'any' instead of a 'user'.


If you had an 'any any udp 68' deny, then the client would never get an IP address because the traffic is blocked bidirectional.

Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.