Wireless Access

Frequent Contributor I
Posts: 64
Registered: ‎07-16-2014

Client source IP addressing filtering vs enforce-dhcp

Lately, our infosec crew have noticed a lot of wireless clients sending traffic out with the wrong source IP address.  A lot of them are using T-Mobile and Sprint owned blocks, so our best guess is that it's smart phones sending traffic sourced from their 4G IP address, but using the wifi interface (this is a problem we've run into on the Linux IP stack many times over the years...)


My question, then, is how are people handling this kind of traffic?  On the wired side, we handle it with DHCP snooping and dynamic ARP inspection.  The Aruba controllers have the enforce-dhcp option, but it's not clear to me from what I've read that it'll actually restrict the client to only using the DHCP assigned IP address.  If not, I'm assuming I'll have to fall back to setting inbound clients based on the client subnets.


thanks!

Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: Client source IP addressing filtering vs enforce-dhcp

Utilizing the validuser ACL is an Aruba best practice.


https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-validuser-ACL-and-its-uses/ta-p/178584


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 21,029
Registered: ‎03-29-2007

Re: Client source IP addressing filtering vs enforce-dhcp

Enforce DHCP in the AAA profile will only allow clients in the user table for which it has witnessed a DHCP transaction. The WAN IP address source address traffic would not be allowed.


Colin Joseph
Aruba Customer Engineering

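As an added illustration (not from this thread and not Aruba code), here is a small Python model of the difference being discussed: a subnet-based inbound ACL, which passes anything sourced from the client subnet, versus an enforce-dhcp style check, which only permits a client whose source IP matches the DHCP lease the controller witnessed for that MAC. All MACs and addresses are constructed, and 203.0.113.7 stands in for a carrier-assigned cellular address.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: DHCP acks the controller "witnessed" (MAC -> leased IP)
# and a few client frames seen afterwards, each as (MAC, source IP).
DHCP_ACKS = [
    ("aa:bb:cc:00:00:01", "10.20.30.101"),
    ("aa:bb:cc:00:00:02", "10.20.30.102"),
]
FRAMES = [
    ("aa:bb:cc:00:00:01", "10.20.30.101"),  # normal: matches its lease
    ("aa:bb:cc:00:00:01", "203.0.113.7"),   # phone sourcing from its cellular address over wifi
    ("aa:bb:cc:00:00:03", "10.20.30.150"),  # self-assigned IP inside the WLAN subnet, no DHCP seen
    ("aa:bb:cc:00:00:02", "10.20.30.101"),  # using another client's leased address
]
WLAN_SUBNET = ip_network("10.20.30.0/24")


def build_user_table(dhcp_acks):
    """Model of enforce-dhcp: only (MAC, IP) pairs seen in a DHCP ack are trusted."""
    return {mac: ip_address(ip) for mac, ip in dhcp_acks}


def subnet_acl_verdict(src_ip, subnet):
    """Subnet-based inbound ACL: permit anything sourced from the client subnet."""
    return "permit" if ip_address(src_ip) in subnet else "deny"


def enforce_dhcp_verdict(mac, src_ip, user_table):
    """enforce-dhcp model: permit only if the source IP equals the lease seen for this MAC."""
    leased = user_table.get(mac)
    if leased is None:
        return "deny: no DHCP transaction seen for client"
    if ip_address(src_ip) != leased:
        return "deny: source IP does not match DHCP lease"
    return "permit"


def audit(frames, dhcp_acks, subnet):
    """Return (mac, src_ip, subnet ACL verdict, enforce-dhcp verdict) for every frame."""
    table = build_user_table(dhcp_acks)
    return [
        (mac, ip, subnet_acl_verdict(ip, subnet), enforce_dhcp_verdict(mac, ip, table))
        for mac, ip in frames
    ]


if __name__ == "__main__":
    for row in audit(FRAMES, DHCP_ACKS, WLAN_SUBNET):
        print(row)
```

The two middle frames show the gap: the subnet ACL stops the cellular-sourced packet but passes a self-assigned or borrowed address inside the WLAN range, which only the lease-bound check catches.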

Frequent Contributor I
Posts: 64
Registered: ‎07-16-2014

Re: Client source IP addressing filtering vs enforce-dhcp

Thanks, guys!  enforce-dhcp won't be an option for us until this summer, as we're running two sets of controllers on the same SSID to play around with the 8.0 code.  In the meantime, it sounds like the valid-user ACL is the way to go.
