Security, WIDS/WIPS and Aruba ECS

Frequent Contributor I

PEFNG and blocking rogue DHCP servers

Hello,

We're setting up a new version of our wireless network which moves to ArubaOS 6.x (testing 6.1.2.3) with PEFNG; we're currently running version 5 without PEFNG, so are relatively new to the PEFNG.

What I'm trying to do is block DHCP requests (DISCOVER/REQUEST; UDP 68 to 67) packets going from one client to another and/or the replies (OFFER/ACK; UDP 67 to 68). This is to protect against rogue DHCP servers, as part of a general clampdown on DoS (intentional or otherwise) between clients.

However, I don't seem to be able to do this, using the PEFNG rules...

The standard DHCP policy is 'any any svc-dhcp permit', allowing any DHCP traffic between client and server, where the server could be another host connected to the wireless network.

I can't change this to 'user user udp 67 deny' as only one of the source and destination can be 'user'.

If I try doing something like 'user any udp 67 deny', this is valid, but doesn't work - I assume because the packet is matching an entry in the session table created by the reverse entry 'any any svc-dhcp permit' rule.

I could solve things with an extended ACL, I suspect (although not brilliantly), but you can't use those in the list of ACLs for a role.

The 'aaa profile ... / enforce-dhcp' doesn't do anything useful here. All other clients are still seeing the DHCP conversation and I assume can reply - would that be the case? It's also not clear what exactly this does -- does it still allow broadcast/0.0.0.0 traffic to be sent/received by other clients?

I've tried 'firewall deny-inter-user-bridging' and 'firewall deny-inter-user-traffic' but these don't seem to actually work and, even if they did, it would block this across the entire system, I assume, and I'd ideally like to control this on a per-VAP/role/whatever basis.

Am I missing something basic? This seems something you'd obviously want to do.

Thanks in advance,

- Bob
Guru Elite

Re: PEFNG and blocking rogue DHCP servers

"user any udp 68 deny" should do it.

That will stop a client from responding with an "Offer" http://www.linklogger.com/UDP67_68.htm

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
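To make the port logic in the reply concrete, here is an added Python model of first-match role-ACL evaluation for the two rule orderings discussed in the thread; it is not ArubaOS code and not from either poster, and the client set, server address and 'user' semantics are constructed simplifications.

```python
"""Constructed, simplified model of first-match role-ACL evaluation.

Not ArubaOS code: 'user' is modelled as 'the address belongs to an
authenticated wireless client' and rules are evaluated top-down with
an implicit deny, which is enough to show which direction each rule hits.
"""
from dataclasses import dataclass

USERS = {"10.0.0.11", "10.0.0.12"}   # constructed: two wireless clients
DHCP_SERVER = "10.0.0.1"            # constructed: legitimate wired server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


def _addr_ok(alias, addr):
    return alias == "any" or (alias == "user" and addr in USERS) or alias == addr


def _svc_ok(svc, pkt):
    if svc == "svc-dhcp":            # built-in alias covering both DHCP ports
        return pkt.proto == "udp" and pkt.dport in (67, 68)
    proto, port = svc.split()        # e.g. "udp 68"
    return pkt.proto == proto and pkt.dport == int(port)


def evaluate(policy, pkt):
    """Return the action of the first matching rule, or 'deny' if none."""
    for src, dst, svc, action in policy:
        if _addr_ok(src, pkt.src) and _addr_ok(dst, pkt.dst) and _svc_ok(svc, pkt):
            return action
    return "deny"


# The OP's attempt (dst port 67) and the reply's suggestion (dst port 68),
# each placed ahead of the standard 'any any svc-dhcp permit'.
OP_POLICY = [("user", "any", "udp 67", "deny"), ("any", "any", "svc-dhcp", "permit")]
REPLY_POLICY = [("user", "any", "udp 68", "deny"), ("any", "any", "svc-dhcp", "permit")]

SCENARIOS = {
    "client_discover": Packet("10.0.0.11", "255.255.255.255", 67),  # client -> servers
    "server_offer": Packet(DHCP_SERVER, "10.0.0.11", 68),           # real server -> client
    "rogue_offer": Packet("10.0.0.12", "10.0.0.11", 68),            # client posing as server
}


def compare():
    """Map scenario -> (action under OP_POLICY, action under REPLY_POLICY)."""
    return {name: (evaluate(OP_POLICY, p), evaluate(REPLY_POLICY, p))
            for name, p in SCENARIOS.items()}
```

In this model the port-67 rule hits the client's own DISCOVER and never matches the rogue OFFER, while the port-68 rule catches only packets a client sends towards port 68, which is what a DHCP server does, so the legitimate server's replies are untouched.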