"user" would correspond to any device that is in the user table. If the device was connected to a wired port and that port was untrusted so that wired devices are classified as users, in general the answer is yes.
In the wired switch scenario, if you have that incoming connection classified as "untrusted" so that wired devices appear in the user table, the answer in general is yes. You could add that ACL to the incoming user role to accomplish that. There could be some circumstances where that is not the case, so I would work closely with a reseller to plan and design your network so it functions as expected.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
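The rule discussed in this thread, "user any udp 68 deny", only does its job if you understand which packets it catches. The model below is an added example, not code from the thread, from Aruba, or from the linked article: it builds real RFC 2131 DHCP payloads, parses option 53 to name the message type, and runs a simplified first-match ACL (source alias "user" = a MAC in a constructed user table, implicit deny at the end) over three constructed packets. The MACs, the user table and the `Packet`/`Rule` classes are assumptions for illustration, and the evaluator is a stateless approximation of the controller's role ACL, not its datapath. What it shows is that a client DHCPDISCOVER (to port 67) passes, a rogue DHCPOFFER sent by a device in the user table (to port 68) is dropped, and the real DHCP server, which is not in the user table, is never subject to the user-role rule at all.

```python
"""Model of the Aruba user-role ACL 'user any udp 68 deny' (added example).

The DHCP layout follows RFC 2131; everything else (user table, MACs,
packets, ACL evaluator) is constructed here to illustrate the thread.
"""
import struct
from dataclasses import dataclass
from typing import Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(op: int, msg_type: int, xid: int = 0x1234, yiaddr: str = "0.0.0.0") -> bytes:
    """Minimal DHCP payload: 236-byte fixed header, magic cookie, option 53, end."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)  # op htype hlen hops xid secs flags
    fixed += bytes(4)                                          # ciaddr
    fixed += bytes(int(o) for o in yiaddr.split("."))          # yiaddr (offered address)
    fixed += bytes(8)                                          # siaddr, giaddr
    fixed += bytes(16) + bytes(64) + bytes(128)                # chaddr, sname, file
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def dhcp_message_type(payload: bytes) -> Optional[str]:
    """Return the name of the DHCP message type (option 53), or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i < len(payload):
        tag = payload[i]
        if tag == 255:                      # end option
            break
        if tag == 0:                        # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if tag == 53 and length == 1:
            return MSG_TYPES.get(payload[i + 2], "UNKNOWN")
        i += 2 + length
    return None


@dataclass
class Packet:
    src_mac: str      # constructed identifier; the controller keys the user table by MAC/IP
    proto: str        # "udp" or "tcp"
    dst_port: int
    payload: bytes = b""


@dataclass
class Rule:
    src: str          # "user" (device in the user table) or "any"
    proto: str        # "udp", "tcp" or "any"
    port: Optional[int]   # destination port, None = any
    action: str       # "permit" or "deny"


# Constructed user-role ACL: the rule from the thread, then a catch-all permit.
USER_ROLE_ACL = [
    Rule("user", "udp", 68, "deny"),     # user may not send server->client DHCP
    Rule("user", "any", None, "permit"),
]


def evaluate(pkt: Packet, user_table: set, acl=USER_ROLE_ACL):
    """First-match lookup. Returns (action, rule). Packets whose source is not
    in the user table are not subject to the user role at all ("not-user")."""
    if pkt.src_mac not in user_table:
        return "not-user", None
    for rule in acl:
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if rule.port is not None and rule.port != pkt.dst_port:
            continue
        return rule.action, rule
    return "deny", None  # implicit deny at the end of the role's ACL


def rogue_dhcp_scenario() -> dict:
    """Run three constructed packets through the ACL; returns {name: (type, action)}."""
    user_table = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}  # constructed wireless clients
    packets = {
        "client_discover": Packet("aa:bb:cc:00:00:01", "udp", 67, build_dhcp(1, 1)),
        "rogue_offer": Packet("aa:bb:cc:00:00:02", "udp", 68,
                              build_dhcp(2, 2, yiaddr="192.168.1.50")),
        "server_offer": Packet("00:11:22:dd:ee:ff", "udp", 68,
                               build_dhcp(2, 2, yiaddr="10.0.0.50")),
    }
    results = {}
    for name, pkt in packets.items():
        action, _ = evaluate(pkt, user_table)
        results[name] = (dhcp_message_type(pkt.payload), action)
    return results


if __name__ == "__main__":
    for name, (msg, action) in rogue_dhcp_scenario().items():
        print(f"{name:16s} {msg:9s} -> {action}")
```

The rule keys on the destination port, not on the DHCP message type, so it also drops any other UDP/68 traffic a client might send; that is the intended effect, since nothing in a user role has a legitimate reason to talk to port 68. The wired side of the problem raised later in the thread (a home router plugged in LAN-port first) is the case where the source is only "user" if the port is untrusted, which is the caveat in the reply above.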
Original Message:
Sent: Feb 04, 2021 02:55 PM
From: Adam Forsyth
Subject: dhcp snooping
OK, that makes sense, one clarification. The statement "user any udp 68 deny": what makes traffic get classified to match that statement "user"? That's a wireless user that the controller sees connected to any access point that it's controlling? I assume if the access point in question were a hospitality access point and the user was connected to a wire, it would identify that traffic in the same way?
We haven't done it yet, but I hope sometime to do the tunneled node and dynamic segmentation configuration where the wired switches are connected to the controllers, and the user's traffic is tunneled back to the network through the controller. In that scenario would user also mean any traffic that comes from one of those tunneled node ports on a wired switch?
--
Adam Forsyth, Director of Network and Systems, Information Technology Services
Original Message:
Sent: 2/4/2021 2:46:00 PM
From: cjoseph
Subject: RE: dhcp snooping
You would block that possibility on the wireless network by doing this: https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=38cc82b6-68e4-4613-bb60-563002303533
------------------------------
Original Message:
Sent: Feb 04, 2021 02:41 PM
From: Adam Forsyth
Subject: dhcp snooping
That's what we do.
To expand, though, the thinking that led to this question was that I was thinking about a problem that used to happen on our wired network before we had implemented our wireless network so that it has good coverage pretty much everywhere a user might want to use it. In those days what would happen is someone would find a hole in wireless coverage and decide they wanted coverage there, and that they could fix it themselves rather than ask us. So, they'd get a home wifi router and figure they could plug it into a wired port and make their own network. There were scenarios where our NAC wouldn't be fooled by this and wouldn't allow it to connect in a way that would work, and there were scenarios where it wasn't able to tell, and the configuration could be pulled off. If a user trying to do this inadvertently plugged the home router in backwards (connecting their LAN port to our network), then they'd be trying to serve DHCP to our network, and some users would talk to the proper DHCP server and work and others would talk to the rogue and get addresses that didn't work. It was just a matter of which DHCP packet their computer saw first.
I can't think of a scenario where this would be something that someone would do accidentally on the wireless network, it would seem like it would have to be of malicious intent, so it seems unlikely but if there's a way to mitigate the possibility, it seems worth considering.
--
Adam Forsyth, Director of Network and Systems, Information Technology Services
Original Message:
Sent: 2/4/2021 2:23:00 PM
From: cjoseph
Subject: RE: dhcp snooping
If your clients are not in the same VLAN as the dhcp server, you can solve that by only pointing the ip helper-address to an authorized dhcp server.
------------------------------
Original Message:
Sent: Feb 04, 2021 12:26 PM
From: Adam Forsyth
Subject: dhcp snooping
In wired switches, DHCP snooping can be set up with the purpose of allowing only the DHCP packets from authorized DHCP servers to serve clients, so that anyone else who tried to serve DHCP would not succeed in issuing addresses or serving DHCP config options to clients making DHCP requests.
Is there a similar option that could be configured in the Aruba Mobility Controller to ensure that wireless clients can only get DHCP from our authorized DHCP servers? We're currently running 8.5.0.11 firmware.
------------------------------
Adam Forsyth
------------------------------