Why should we enable "enforce-DHCP" in the aaa profile? What are the potential issues we can run into when enabling "enforce-DHCP"?

Aruba Employee

Environment: This article applies to all Aruba controllers running Aruba OS 3.0 and above.


1. We can enable enforce-dhcp under aaa-profile:




2. After we configure this, the Aruba controller will start snooping DHCP transactions. We see the following:

a. User enters user table.
b. User enters user table.
c. In the datapath route-cache table, we see the user with flag "H".




3. Let's give the client a static IP address( and connect again. We see that the user is present in the station-table but not in the user-table:




4. We no longer see the user in the datapath route-cache. There is no entry for




5. Also, we see the following counter increase every 10 seconds (if there is continuous traffic from the user):




6. Issues with enforce-DHCP:

a. We shouldn't use enforce-dhcp when we have IP mobility enabled. With IP mobility, the client roams to another controller but keeps its IP address and never sends a DHCP discover. Thus the new controller, which has enforce-DHCP enabled, will not allow it into the user table, and the client will not be able to access network resources.

b. We shouldn't enable enforce-DHCP when the client can roam to an AP that terminates on a different controller in the same master-local controller. If, for some reason, the client decides to keep the old IP address, the new controller will not put this user in the user table, as there was no DHCP discover.
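
The admission behaviour described in steps 2 to 4 and the roaming problem in step 6 can be reproduced with a small model. This is an added example, not ArubaOS code and not part of the original article; the class, method and field names are hypothetical, the MAC and IP addresses are constructed, and the assumption that a controller without enforce-DHCP admits the roamed client is the model's own.

```python
# Simplified model of the behaviour this article describes; not ArubaOS code.
# Class, method and field names are hypothetical; MACs and IPs are constructed.

class Controller:
    def __init__(self, enforce_dhcp):
        self.enforce_dhcp = enforce_dhcp
        self.station_table = set()  # MACs that have associated
        self.snooped = {}           # MAC -> IP learned from DHCP seen on THIS controller
        self.user_table = {}        # MAC -> IP admitted to pass traffic

    def associate(self, mac):
        self.station_table.add(mac)

    def snoop_dhcp(self, mac, ip):
        # A DHCP transaction was observed for an associated station.
        if mac in self.station_table:
            self.snooped[mac] = ip

    def first_packet(self, mac, src_ip):
        """Return True if the client is admitted to the user table."""
        if mac not in self.station_table:
            return False
        if self.enforce_dhcp and self.snooped.get(mac) != src_ip:
            return False            # client stays in the station table only
        self.user_table[mac] = src_ip
        return True


def run_scenarios():
    a, b = Controller(enforce_dhcp=True), Controller(enforce_dhcp=True)
    dhcp_mac, static_mac = "00:11:22:33:44:55", "00:11:22:33:44:66"
    out = {}
    # Step 2: client obtains its address through DHCP on controller A.
    a.associate(dhcp_mac)
    a.snoop_dhcp(dhcp_mac, "10.1.1.20")
    out["dhcp_client_on_A"] = a.first_packet(dhcp_mac, "10.1.1.20")
    # Step 3: client with a static IP; no DHCP transaction is ever seen.
    a.associate(static_mac)
    out["static_client_on_A"] = a.first_packet(static_mac, "10.1.1.99")
    # Step 6: client roams to controller B, keeps its IP, sends no DHCP discover.
    b.associate(dhcp_mac)
    out["roamed_client_on_B"] = b.first_packet(dhcp_mac, "10.1.1.20")
    out["roamed_in_B_station_table"] = dhcp_mac in b.station_table
    # Same roam onto a controller without enforce-DHCP (model assumption).
    c = Controller(enforce_dhcp=False)
    c.associate(dhcp_mac)
    out["roamed_client_no_enforce"] = c.first_packet(dhcp_mac, "10.1.1.20")
    return out


if __name__ == "__main__":
    for scenario, admitted in run_scenarios().items():
        print(f"{scenario}: {admitted}")
```

The roamed client ends up exactly like the static-IP client in step 3: present in the station table of the new controller but absent from its user table.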

Version history
Revision #: 1 of 1
Last update: 04-09-2015 04:57 AM