Occasional Contributor I

IP Spoofing and found Duplicate IP address

Scenario

-----------

 

There is VLAN 5, which is 172.16.0.0/24, and a guest SSID on VLAN 192.168.5.0/24. When a guest connects to this guest VLAN, it uses the iPhone tethering service and adds it as a hotspot. Inside VLAN 5 there is one server with a static IP assigned, 172.16.0.3. When this iPhone enables tethering, the connected device gets the 172.16.0.3 IP, which causes IP spoofing and makes the static IP stop working because of the duplicate IP address.

 

The wireless LAN controller is a 4302.

 

How can this problem be solved, to prevent those who need to bring in their own device from tethering to share it?

 

Or is it a bug, as the firewall has the IP spoofing check enabled?

 

Thanks all

Re: IP Spoofing and found Duplicate IP address

You can use the validuser ACL to control which IPs are added to the user table for your guest network. For instance, you would only allow network 192.168.5.0/24. Any other IPs that show up on the guest network would not be entered into the user table, and thus would not have any connectivity.

 

Go here and use your browser's search function (Ctrl+F) to find "validuser". You'll see an explanation of the ACL and how to configure it.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Occasional Contributor I

Re: IP Spoofing and found Duplicate IP address

Hi thecompnerd, I read the validuser topic. So can I say that the wireless clients can be prevented from getting the wired subnets, as all the different SSIDs fall under 172.16.0.0 and wired falls under 192.168.0.0? By doing this ACL, will the illegal IP no longer be injected on the wireless clients that got the wired subnet address that is causing the IP spoofing?

Re: IP Spoofing and found Duplicate IP address

Utilizing the validuser ACL will prevent your wireless guests from being able to use any IP other than 192.168.5.X. If any other subnet IP is in use, the client will not be placed in the user table and will be unable to pass traffic. So set up your validuser ACL so that 192.168.5.0/24 is permitted. Don't allow anything else.

Occasional Contributor I

Re: IP Spoofing and found Duplicate IP address

So if I have several SSIDs that have different subnets, for example in this case:

172.16.1.0 for the guest SSID
172.16.2.0 for the employee SSID
192.168.5.5 for the wired network

In this case, how do I apply the ACL that prevents the guests from getting the wired network?
Any example? I am not very sure, as I have multiple SSIDs under 172.16.0.0, but only this guest SSID 172.16.1.0 gets an IP of the wired network, which causes the IP spoofing.

Once again, thanks compnerd

Re: IP Spoofing and found Duplicate IP address

I am confused. I thought 192.168.5.0/24 was the guest network? If your guest and employee SSIDs are 172.16.1.0/24 and 172.16.2.0/24, but not 192.168.5.0/24, then do the following:

 

ip access-list session validuser
  network 172.16.1.0 255.255.255.0 any any permit
  network 172.16.2.0 255.255.255.0 any any permit

 

That will only allow those IP ranges on your Wi-Fi. If a client connects with anything other than a 172.16.1.X or 172.16.2.X address, the client will not be able to pass traffic.

 

Alternatively, you can block your wired range instead:

 

ip access-list session validuser
  network 192.168.5.0 255.255.255.0 any any deny

 

Either way is fine.

Occasional Contributor I

Re: IP Spoofing and found Duplicate IP address

Hi thecompnerd,

 

I have already applied this on the ACL tied to the guest SSID, but it is still snatching IPs and generating duplicate IPs, making the server not able to.

 

Any other remedy?

Guru Elite

Re: IP Spoofing and found Duplicate IP address

jmart537,

 

In the AAA profile, try enabling "Enforce-DHCP": http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/aaa_profile.htm

 

Devices that the controller cannot "see" DHCP traffic for will not be able to enter the user table after enabling this on the AAA profile for that Virtual AP.



Colin Joseph
Aruba Customer Engineering

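The two controls suggested in this thread (the validuser ACL from thecompnerd's replies and Enforce-DHCP from Colin's reply) gate the same thing: whether a wireless client's IP is ever entered into the controller's user table. The simulation below is an added example, not code from the original posts or from Aruba; it models a first-match session ACL with an implicit deny at the end (an assumption, so the deny-list variant carries an explicit trailing `any any any permit`), and it models Enforce-DHCP as "no observed DHCP exchange, no user-table entry". The client list, MAC addresses and subnet plan (172.16.1.0/24 guest, 172.16.2.0/24 employee, 192.168.5.0/24 wired) are constructed from the numbers in the thread, and the third client shows the case the OP hit after applying the ACL: a tethered device that picks an address inside the permitted guest range without DHCP, which the ACL alone cannot catch but Enforce-DHCP does.

```python
"""Simulate user-table admission on a WLAN controller under two controls:
a validuser session ACL and Enforce-DHCP.  Added example with constructed
data; not ArubaOS code and not a captured user table."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    network: ipaddress.IPv4Network
    action: str            # "permit" or "deny"


def parse_validuser_acl(config: str) -> list[AclRule]:
    """Parse the two rule shapes used in the thread:
         network A.B.C.D M.M.M.M any any permit|deny
         any any any permit|deny
    Other rule forms (host, ipv6, ...) are out of scope for this example."""
    rules = []
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "ip":          # blank line or the access-list header
            continue
        if parts[0] == "network" and len(parts) == 6:
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
            rules.append(AclRule(net, parts[5]))
        elif parts[0] == "any" and len(parts) == 4:
            rules.append(AclRule(ipaddress.IPv4Network("0.0.0.0/0"), parts[3]))
        else:
            raise ValueError(f"unsupported rule: {raw!r}")
    return rules


def acl_decision(rules: list[AclRule], ip: str) -> str:
    """First matching rule wins; assumption: an implicit deny closes the list."""
    addr = ipaddress.IPv4Address(ip)
    for rule in rules:
        if addr in rule.network:
            return rule.action
    return "deny"


@dataclass(frozen=True)
class Client:
    mac: str
    ip: str
    dhcp_seen: bool        # did the controller observe this client's DHCP exchange?


def admit(client: Client, rules: list[AclRule], enforce_dhcp: bool) -> tuple[bool, str]:
    """Return (admitted, reason) for one client association."""
    if enforce_dhcp and not client.dhcp_seen:
        return False, f"enforce-dhcp: no DHCP exchange observed for {client.mac}"
    if acl_decision(rules, client.ip) != "permit":
        return False, f"validuser: {client.ip} denied by ACL"
    return True, f"{client.ip} admitted to user table"


# Constructed configs mirroring the two variants posted in the thread.
PERMIT_LIST = """\
ip access-list session validuser
  network 172.16.1.0 255.255.255.0 any any permit
  network 172.16.2.0 255.255.255.0 any any permit
"""
DENY_LIST = """\
ip access-list session validuser
  network 192.168.5.0 255.255.255.0 any any deny
  any any any permit
"""

# Constructed clients (hypothetical MACs).
CLIENTS = [
    Client("aa:bb:cc:00:00:01", "172.16.1.20", dhcp_seen=True),   # normal guest
    Client("aa:bb:cc:00:00:02", "192.168.5.5", dhcp_seen=False),  # tethered device holding the wired server's IP
    Client("aa:bb:cc:00:00:03", "172.16.1.77", dhcp_seen=False),  # static IP inside the permitted guest range
]


def run_scenario() -> dict[tuple[str, bool, str], bool]:
    """Admission result keyed by (acl variant, enforce_dhcp, client ip)."""
    results = {}
    for name, cfg in (("permit_list", PERMIT_LIST), ("deny_list", DENY_LIST)):
        rules = parse_validuser_acl(cfg)
        for enforce in (False, True):
            for c in CLIENTS:
                results[(name, enforce, c.ip)] = admit(c, rules, enforce)[0]
    return results


if __name__ == "__main__":
    for key, admitted in run_scenario().items():
        print(key, "ADMIT" if admitted else "DROP")
```

Reading the output: both ACL variants keep the 192.168.5.5 client off the user table, but neither stops a client that statically configures an address inside the permitted guest range, which is why Enforce-DHCP is the complementary control; with it on, only clients whose DHCP exchange the controller actually saw (relayed via IP helper or not) get an entry.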

Occasional Contributor I

Re: IP Spoofing and found Duplicate IP address

Hi thecompnerd, those SSID VLANs get their IPs via IP helper, so will this be valid or will it likely cause problems? They are getting IPs from an external DHCP server.
Occasional Contributor I

Re: IP Spoofing and found Duplicate IP address

Hi cioseoh, I am using an external DHCP server. Will using Enforce-DHCP cause problems?