Security, WIDS/WIPS and Aruba ECS

Frequent Contributor I
Posts: 63
Registered: ‎11-10-2009

PEFNG and blocking rogue DHCP servers

Hello,

We're setting up a new version of our wireless network which moves to ArubaOS 6.x (testing 6.1.2.3) with PEFNG; we're currently running version 5 without PEFNG, so are relatively new to the PEFNG.

What I'm trying to do is block DHCP requests (DISCOVER/REQUEST; UDP 68 to 67) packets going from one client to another and/or the replies (OFFER/ACK; UDP 67 to 68). This is to protect against rogue DHCP servers, as part of a general clampdown on DoS (intentional or otherwise) between clients.

However, I don't seem to be able to do this, using the PEFNG rules...

The standard DHCP policy is 'any any svc-dhcp permit', allowing any DHCP traffic between client and server, where the server could be another host connected to the wireless network.

I can't change this to 'user user udp 67 deny' as only one of the source and destination can be 'user'.

If I try doing something like 'user any udp 67 deny', this is valid, but doesn't work - I assume because the packet is matching an entry in the session table created by the reverse entry 'any any svc-dhcp permit' rule.

I could solve things with an extended ACL, I suspect (although not brilliantly), but you can't use those in the list of ACLs for a role.

The 'aaa profile ... / enforce-dhcp' does do anything useful here. All other clients are still seeing the DHCP conversation and I assume can reply - would that be the case? It's also not clear what exactly this does -- does it still allow broadcast/0.0.0.0 traffic to be sent/received by other clients?

I've tried 'firewall deny-inter-user-bridging' and 'firewall deny-inter-user-traffic' but these don't seem to actually work and, even if they did, it would block this across the entire system, I assume, and I'd ideally like to control this on a per-VAP/role/whatever basis.

Am I missing something basic? This seems something you'd obviously want to do.

Thanks in advance,

- Bob
Guru Elite
Posts: 20,553
Registered: ‎03-29-2007

Re: PEFNG and blocking rogue DHCP servers


Hello,

We're setting up a new version of our wireless network which moves to ArubaOS 6.x (testing 6.1.2.3) with PEFNG; we're currently running version 5 without PEFNG, so are relatively new to the PEFNG.

What I'm trying to do is block DHCP requests (DISCOVER/REQUEST; UDP 68 to 67) packets going from one client to another and/or the replies (OFFER/ACK; UDP 67 to 68). This is to protect against rogue DHCP servers, as part of a general clampdown on DoS (intentional or otherwise) between clients.

However, I don't seem to be able to do this, using the PEFNG rules...

The standard DHCP policy is 'any any svc-dhcp permit', allowing any DHCP traffic between client and server, where the server could be another host connected to the wireless network.

I can't change this to 'user user udp 67 deny' as only one of the source and destination can be 'user'.

If I try doing something like 'user any udp 67 deny', this is valid, but doesn't work - I assume because the packet is matching an entry in the session table created by the reverse entry 'any any svc-dhcp permit' rule.

I could solve things with an extended ACL, I suspect (although not brilliantly), but you can't use those in the list of ACLs for a role.

The 'aaa profile ... / enforce-dhcp' does do anything useful here. All other clients are still seeing the DHCP conversation) and I assume can reply - would that be the case? It's also not clear what exactly this does -- does it still allow broadcast/0.0.0.0 traffic to be sent/received by other clients?

I've tried 'firewall deny-inter-user-bridging' and 'firewall deny-inter-user-traffic' but these don't seem to actually work and, even if they did, it would block this across the entire system, I assume, and I'd ideally like to control this on a per-VAP/role/whatever basis.

Am I missing something basic? This seems something you'd obviously want to do.

Thanks in advance,

- Bob




"user any udp 68 deny" should do it.

That will stop a client from responding with an "Offer" http://www.linklogger.com/UDP67_68.htm


Colin Joseph
Aruba Customer Engineering
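As an added illustration (not part of the thread and not ArubaOS code), the following Python model evaluates the three rule sets discussed above against a few constructed DHCP packets using plain first-match semantics. It assumes that 'user' matches any wireless client address (including 0.0.0.0, which a client uses before it holds a lease), that `svc-dhcp` stands for UDP 67/68, and that the policy ends in an implicit deny; it models rule order only, not the controller's session table, so it shows why the deny has to target port 68 (the port that OFFER/ACK replies are sent to) rather than port 67 (the port every client's DISCOVER/REQUEST is sent to).

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed addresses for the model (not from the thread): wireless
# clients form the 'user' population; the legitimate DHCP server is wired.
USER_ADDRS = {"10.0.0.20", "10.0.0.30", "0.0.0.0"}
SERVER_ADDR = "10.0.0.1"


@dataclass(frozen=True)
class Packet:
    name: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str            # 'any', 'user' or a literal address
    dst: str
    proto: str          # 'udp', 'tcp' or 'any'
    dports: frozenset   # empty set means any destination port
    action: str         # 'permit' or 'deny'


def parse_rule(text: str) -> Rule:
    """Parse the '<src> <dst> <service> <action>' form quoted in the thread."""
    tokens = text.split()
    src, dst, action = tokens[0], tokens[1], tokens[-1]
    service = tokens[2:-1]
    if service == ["svc-dhcp"]:          # assumed alias for UDP 67 and 68
        proto, dports = "udp", frozenset({67, 68})
    elif len(service) == 2:              # e.g. 'udp 68'
        proto, dports = service[0], frozenset({int(service[1])})
    elif service == ["any"]:
        proto, dports = "any", frozenset()
    else:
        raise ValueError(f"unsupported service spec: {service}")
    return Rule(src, dst, proto, dports, action)


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "user":
        return addr in USER_ADDRS
    return spec == addr


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and (not rule.dports or pkt.dport in rule.dports))


def evaluate(policy: list[str], pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for text in policy:
        rule = parse_rule(text)
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed sample DHCP traffic on the wireless segment.
PACKETS = [
    Packet("client DISCOVER", "0.0.0.0", "255.255.255.255", "udp", 67),
    Packet("client REQUEST (renew)", "10.0.0.20", SERVER_ADDR, "udp", 67),
    Packet("real server OFFER", SERVER_ADDR, "10.0.0.20", "udp", 68),
    Packet("rogue client OFFER", "10.0.0.30", "255.255.255.255", "udp", 68),
]

BASELINE = ["any any svc-dhcp permit"]
PORT67_ATTEMPT = ["user any udp 67 deny", "any any svc-dhcp permit"]
PORT68_FIX = ["user any udp 68 deny", "any any svc-dhcp permit"]


def verdicts(policy: list[str]) -> dict[str, str]:
    """Map each sample packet name to the action the policy gives it."""
    return {pkt.name: evaluate(policy, pkt) for pkt in PACKETS}


if __name__ == "__main__":
    for label, policy in [("baseline", BASELINE),
                          ("user any udp 67 deny first", PORT67_ATTEMPT),
                          ("user any udp 68 deny first", PORT68_FIX)]:
        print(f"--- {label} ---")
        for name, verdict in verdicts(policy).items():
            print(f"{name:26s} {verdict}")
```

In this model the port-67 deny catches every client's own DISCOVER and REQUEST (source is a user, destination port 67) while letting a client-sourced OFFER through, whereas the port-68 deny only catches packets that a wireless client sends toward a DHCP client port, which is exactly what a rogue server on the WLAN emits; requests from clients and replies from the non-user upstream server still fall through to the permit. When applying the rule on a real controller, confirm the outcome with a packet capture on a second client rather than relying on the model.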
