"So are you saying you want to block users that choose static ip addresses in a range that you do not want to give out in DHCP?"
Yes. I am trying to block users (or malware/viruses) using IPs (such as the first few or last few). So, I am excluding these IPs from the DHCP pool; however, I wanted to ensure that if one was statically configured, the network connection would still be unavailable.
"In that case, you can use reservations, or whatever you use to block off addresses in DHCP, but also enable "Enforce DHCP" in the AAA profile so that users cannot get on, unless they received their ip addresses using DHCP. Would that work?"
That would have been great to use but it seems that "Enforce DHCP" is only available from Aruba OS 6.0.x and up and currently the controllers (that my client is using) are all on 5.0.x and lower.
I have decided to go with a policy-based restriction. This is what I have done.
I have created the following firewall policies under Security > User Roles > Restriction (where Restriction is the user role):
- allow DHCP so that the clients can get an IP from the DHCP
- deny all traffic for clients using the specific IPs (i.e., x.x.x.1-5 and x.x.x.252-255)
- allow all other traffic as required.
Well, this seems to have worked for me, and I hope this helps others if they are faced with similar issues in the future (although I would imagine most would just upgrade the OS).
Thanks cjoseph for your help.
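The three-rule policy described in the post, modelled as an added example (not part of the original post and not Aruba configuration) to show how the rule order decides each packet. It assumes first-match evaluation, uses the constructed subnet 192.0.2.0/24 in place of x.x.x, and all function and rule names are hypothetical.

```python
from ipaddress import ip_address

# Constructed stand-ins for the post's x.x.x.1-5 and x.x.x.252-255 ranges.
BLOCKED_RANGES = [
    (ip_address("192.0.2.1"), ip_address("192.0.2.5")),
    (ip_address("192.0.2.252"), ip_address("192.0.2.255")),
]

def is_dhcp(pkt):
    # DHCP client traffic is UDP from port 68 to port 67; a client without a
    # lease sends it from 0.0.0.0, so this rule cannot depend on the source IP.
    return pkt["proto"] == "udp" and pkt["sport"] == 68 and pkt["dport"] == 67

def in_blocked_range(pkt):
    src = ip_address(pkt["src"])
    return any(lo <= src <= hi for lo, hi in BLOCKED_RANGES)

# Rules in the order listed in the post; the first matching rule wins (assumption).
POLICY = [
    ("allow-dhcp", is_dhcp, "permit"),
    ("deny-reserved-src", in_blocked_range, "deny"),
    ("allow-rest", lambda pkt: True, "permit"),
]

def evaluate(pkt, policy=POLICY):
    """Return (action, rule_name) for the first rule that matches pkt."""
    for name, match, action in policy:
        if match(pkt):
            return action, name
    return "deny", "implicit-deny"

def packet(src, proto, sport, dport):
    return {"src": src, "proto": proto, "sport": sport, "dport": dport}

# Constructed sample traffic.
SAMPLES = [
    packet("0.0.0.0", "udp", 68, 67),         # DHCP discover, no address yet
    packet("192.0.2.100", "tcp", 50000, 443),  # leased address from the pool
    packet("192.0.2.3", "tcp", 50001, 443),    # static address in low range
    packet("192.0.2.254", "udp", 50002, 53),   # static address in high range
    packet("192.0.2.254", "udp", 68, 67),      # same host asking for a lease
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p["src"], p["proto"], p["dport"], "->", *evaluate(p))
```

Because the DHCP rule comes first, a host that squatted on an excluded address can still request a lease and recover; every other packet it sends is dropped.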