What is the purpose of denying UDP 68 traffic?

Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.


The default 'user any udp 68 deny' rule blocks DHCP replies sent by wireless users, which prevents a wireless user from acting as a DHCP server on the wireless network.


If we deny UDP port 68, then what are we doing when we permit DHCP in the policy right after the deny UDP 68?



ip access-list session control
user any udp 68 deny
any any svc-dhcp permit


The 'any any svc-dhcp permit' rule allows UDP 68 traffic from a DHCP server to reach the client because its first field (the source) is 'any' instead of 'user'. The deny rule above it only matches traffic whose source is a 'user'.


If you had an 'any any udp 68 deny' rule instead, the client would never get an IP address because the traffic would be blocked in both directions.
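
The rule ordering described above can be checked with a small first-match model. This is an added example, not Aruba code: it assumes rules match on destination port, that 'user' means the sender is a wireless user, that svc-dhcp covers UDP 67-68, and that unmatched traffic is denied, and it ignores stateful session handling.

```python
# Added illustration: first-match evaluation of the session ACL from the article.
# Assumed model: match on destination port, "user" = source is a wireless user,
# svc-dhcp = UDP 67-68, implicit deny at the end of the list.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_is_user: bool   # True when the sender is a wireless user
    proto: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    source: str         # "user" or "any"
    proto: str
    ports: range        # destination ports covered by the rule
    action: str         # "permit" or "deny"

    def matches(self, pkt):
        src_ok = self.source == "any" or pkt.src_is_user
        return src_ok and pkt.proto == self.proto and pkt.dst_port in self.ports

SVC_DHCP = range(67, 69)  # assumed definition of svc-dhcp: udp 67-68
CONTROL = [                                       # the policy from the article
    Rule("user", "udp", range(68, 69), "deny"),   # user any udp 68 deny
    Rule("any", "udp", SVC_DHCP, "permit"),       # any any svc-dhcp permit
]
TOO_BROAD = [                                     # the 'any any udp 68 deny' variant
    Rule("any", "udp", range(68, 69), "deny"),
    Rule("any", "udp", SVC_DHCP, "permit"),
]

def evaluate(acl, pkt):
    """Return the action of the first matching rule (implicit deny otherwise)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Constructed sample packets (not captured traffic).
CLIENT_REQUEST = Packet(src_is_user=True, proto="udp", dst_port=67)   # client -> server
SERVER_REPLY = Packet(src_is_user=False, proto="udp", dst_port=68)    # server -> client
ROGUE_REPLY = Packet(src_is_user=True, proto="udp", dst_port=68)      # user acting as server

if __name__ == "__main__":
    samples = {"client request": CLIENT_REQUEST, "server reply": SERVER_REPLY,
               "rogue reply": ROGUE_REPLY}
    for name, acl in (("control", CONTROL), ("too broad", TOO_BROAD)):
        for label, pkt in samples.items():
            print(f"{name:10} {label:15} {evaluate(acl, pkt)}")
```

With the article's policy only the reply sent by a wireless user is denied; with the broader deny, the legitimate server reply is denied as well.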

Last update: 07-01-2014 01:58 PM