10-27-2016 10:21 AM
We're recently updated our "validuser" acl to prevent invalid/unauthorized IP Addresses from entering the user-table - which appears to be working now thanks to TAC. I've modifed the "any any any permit" to "any any any deny" with Logging enabled which is now logging the source IP Address of the packet that would have previously entered the user-table. Most of them were mobile addresses that leaked over to our network, but some of them appear to be 10.X.X.X addresses, web site addresses, etc.
1. Is there a way to log/correlate the originating MAC Address for future cases?
2. I attempted to use the "mirror" option on the "any any any deny" ACL, "session-mirror-destination" command appears to have been deprecated - https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-capture-unencrypted-client-data-at-the-controller-with/ta-p/179062