Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
The validuser access control list is applied to all frames before the source IP is added to the user table. All traffic from users with an IP address from a prohibited address range is dropped. It does not have any impact on 802.11 associations.
By default, all IP addresses are permitted, but this ACL (like any other session ACL) can be modified from the CLI or the WebUI:
(Aruba5000) #show ip access-list validuser
ip access-list session validuser
validuser
Priority  Source                   Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------                   -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         any                      any          any      permit                                  Low
One common use of validuser is to keep hosts with self-assigned 169.254.0.0/16 link-local addresses from filling up the user table:
(Aruba5000) (config) #ip access-list session validuser
(Aruba5000) (config-sess-validuser)#network 169.254.0.0 255.255.0.0 any any deny position 1
(Aruba5000) (config-sess-validuser)#show ip access-list validuser
ip access-list session validuser
validuser
---------
Priority  Source                   Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------                   -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         169.254.0.0 255.255.0.0  any          any      deny                                    Low
2         any                      any          any      permit                                  Low
The validuser ACL can also be used to prevent malicious users from impersonating critical IP addresses on the network.
For example, a user can statically assign itself the IP address of the default gateway, effectively bringing down the whole network. With this access list, users can be prevented from sourcing traffic from such addresses, for example the default gateway, switch IP addresses, and server IP addresses.
If 10.1.1.1 is the default gateway, the validuser access list can be changed to prevent users from using this address:
(Aruba5000) (config-sess-validuser)#host 10.1.1.1 any any deny position 2
(Aruba5000) (config-sess-validuser)#show ip access-list validuser
ip access-list session validuser
validuser
Priority  Source                   Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan
--------  ------                   -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------
1         169.254.0.0 255.255.0.0  any          any      deny                                    Low
2         10.1.1.1                 any          any      deny                                    Low
3         any                      any          any      permit                                  Low
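To make the first-match ordering of the rules above concrete, here is an added Python model. It is not ArubaOS code and not from Aruba: it parses the config-sess-validuser commands shown on this page, applies the position keyword the way the outputs above show (the rule is inserted at that 1-based slot and later rules shift down), and evaluates sample source addresses against the resulting list. The Rule class, the evaluate function, the constructed sample addresses, and the assumption that a source matched by no rule is dropped are all the example's own. It also goes one step beyond the page by showing what happens when a deny is appended without position, so that it lands after the permit-any rule and is never reached.

```python
"""First-match model of the ArubaOS validuser session ACL (added example, not Aruba code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")  # models the "any" source keyword


@dataclass(frozen=True)
class Rule:
    source: ipaddress.IPv4Network
    action: str  # "permit" or "deny"


def parse_rule(command: str) -> Tuple[Rule, Optional[int]]:
    """Parse one config-sess-validuser command into a Rule plus an optional
    'position N'. Only the source field is modelled; destination and service
    are accepted but ignored, since validuser is a source-IP check."""
    tokens = command.split()
    if tokens[0] == "network":          # network <addr> <mask> ...
        source = ipaddress.IPv4Network(f"{tokens[1]}/{tokens[2]}")
        rest = tokens[3:]
    elif tokens[0] == "host":           # host <addr> ...
        source = ipaddress.IPv4Network(f"{tokens[1]}/32")
        rest = tokens[2:]
    elif tokens[0] == "any":            # any ...
        source = ANY
        rest = tokens[1:]
    else:
        raise ValueError(f"unsupported source specifier: {tokens[0]!r}")
    # rest is now [destination, service, action, ("position", N)?]
    action = rest[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported action: {action!r}")
    position = None
    if len(rest) > 3:
        if rest[3] != "position":
            raise ValueError(f"unexpected trailing tokens: {rest[3:]}")
        position = int(rest[4])
    return Rule(source, action), position


def build_acl(commands: List[str]) -> List[Rule]:
    """Apply commands in order. 'position N' inserts at 1-based slot N and
    pushes the existing rules down; a command without it appends."""
    rules: List[Rule] = []
    for command in commands:
        rule, position = parse_rule(command)
        if position is None:
            rules.append(rule)
        else:
            rules.insert(position - 1, rule)
    return rules


def evaluate(rules: List[Rule], source_ip: str) -> Tuple[Optional[int], str]:
    """Return (priority, action) of the first rule whose source matches.
    Assumption for this model: a source matched by no rule is dropped."""
    ip = ipaddress.IPv4Address(source_ip)
    for priority, rule in enumerate(rules, start=1):
        if ip in rule.source:
            return priority, rule.action
    return None, "deny"


# Constructed sequence reproducing the page: factory permit-any, then the two
# deny rules added with explicit positions.
VALIDUSER_CONFIG = [
    "any any any permit",
    "network 169.254.0.0 255.255.0.0 any any deny position 1",
    "host 10.1.1.1 any any deny position 2",
]

# Constructed misconfiguration: the deny is appended after permit-any, so the
# gateway address is permitted at priority 1 and the deny is never reached.
MISORDERED_CONFIG = [
    "any any any permit",
    "host 10.1.1.1 any any deny",
]


def main() -> None:
    acl = build_acl(VALIDUSER_CONFIG)
    for ip in ("169.254.10.5", "10.1.1.1", "10.1.1.50"):  # constructed sample sources
        print(ip, "->", evaluate(acl, ip))
    print("misordered 10.1.1.1 ->", evaluate(build_acl(MISORDERED_CONFIG), "10.1.1.1"))


if __name__ == "__main__":
    main()
```

The takeaway matches the show output above: with the two deny rules placed ahead of the permit-any rule, a link-local host hits priority 1 and the gateway impersonator hits priority 2, while ordinary clients fall through to the permit at priority 3. Omitting position when adding a deny makes it ineffective, which is why verifying the priority column after each change matters.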