Occasional Contributor I

Secure DHCP communication

Hi Airheads,

 

I would like to ask for some help with the following. We have several VLANs for the wifi clients, and there is a gateway in the background network in each VLAN (so the controller is not the dgw in the VLANs). There are DHCP helpers defined on the default gateway of the VLAN.

 

We tried to make the communication secure by enabling DHCP traffic only for the dedicated DHCP helpers instead of this: any any svc-dhcp permit.

The situation is that as soon as we changed the default DHCP ACL (any any svc-dhcp permit) to anything else (any network 10.0.0.0 255.0.0.0 svc-dhcp permit), DHCP stopped working.

 

What could be the issue here? Is it possible to filter DHCP traffic with an ACL on the controller side at all?

 

Many thanks for the answers.

 

BR,

Gaben

Guru Elite

Re: Secure DHCP communication

On the face of it, you cannot, because the client request to the DHCP server is a broadcast, not a unicast.  The client is unaware of the DHCP server that would be servicing its request.

 

What are you trying to prevent?  There is an ACL that prevents clients from being dhcp servers:

 

user any  udp 68  deny 


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: Secure DHCP communication

Dear cjoseph,

 

Thanks for the answer, this was my thought too.

 

I know the DHCP permit and deny ACLs. What we tried to do is to enable DHCP only from some dedicated DHCP servers, not any. So something like this:

any host 10.1.0.254 svc-dhcp permit

any any svc-dhcp deny

So the client can communicate with 10.1.0.254 for DHCP but nothing else.

Thanks a lot!

Best Regards,

Gabor
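
The broadcast-versus-unicast point from the reply above, as an added example that is not part of the original thread: a simplified first-match model (not ArubaOS itself) of the three rule sets quoted here, evaluated against two constructed packets. It assumes svc-dhcp means UDP 67-68 and that an ACL ends in an implicit deny.

```python
import ipaddress

SVC_DHCP_PORTS = {67, 68}  # assumption: svc-dhcp covers UDP 67-68


def acl(*rules):
    """Build an ACL from (destination, action) pairs. Every rule in the
    thread has source 'any' and service svc-dhcp, so only those vary."""
    return [(ipaddress.ip_network(dst), action) for dst, action in rules]


# Rule sets quoted in the thread ('any' is modelled as 0.0.0.0/0).
ACLS = {
    "default": acl(("0.0.0.0/0", "permit")),            # any any svc-dhcp permit
    "network": acl(("10.0.0.0/255.0.0.0", "permit")),   # any network 10.0.0.0 255.0.0.0 svc-dhcp permit
    "host": acl(("10.1.0.254/32", "permit"),            # any host 10.1.0.254 svc-dhcp permit
                ("0.0.0.0/0", "deny")),                 # any any svc-dhcp deny
}

# Constructed packets: (destination IP, UDP destination port).
PACKETS = {
    "discover": ("255.255.255.255", 67),  # initial request is a broadcast
    "renew": ("10.1.0.254", 67),          # renewal is unicast to the known server
}


def evaluate(rules, dst_ip, dport):
    """Return the action of the first matching rule, else the implicit deny."""
    addr = ipaddress.ip_address(dst_ip)
    for net, action in rules:
        if dport in SVC_DHCP_PORTS and addr in net:
            return action
    return "deny"  # assumption: implicit deny at the end of the ACL


def verdicts():
    """Map each ACL name to the verdict for each constructed packet."""
    return {name: {pkt: evaluate(rules, *fields) for pkt, fields in PACKETS.items()}
            for name, rules in ACLS.items()}


if __name__ == "__main__":
    for name, result in verdicts().items():
        print(f"{name:8} {result}")
```

In this model only the default rule passes the broadcast request; both destination-restricted rule sets drop it even though they would permit a later unicast renewal.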
