
How does Tarpit Shielding work? How is this parameter configured on the controller?

Aruba Employee

Introduction :

The Tarpit Shielding feature is a type of wireless containment. Detected devices that are classified as rogues are contained by forcing client association to a fake channel or BSSID. This method of tarpitting is more efficient than rogue containment via repeated de-authorization requests. 

The tarpitting process:

1. The AM (air monitor) detects that the client has connected to a rogue device.

2. The AM sends de-authenticate (de-auth) messages to the client and the rogue, in each case impersonating the other device.

3. The client attempts to reconnect to the rogue device.

4. The AM answers the client request and completes the association handshake.

5. The client attempts to send data, and the AM ignores the client.





Feature Notes:


Understanding Tarpit Shielding Licensing

In the ids general-profile default wireless-containment command, the ‘tarpit-non-valid-sta’ and ‘tarpit-all-sta’ options are available only with an RFprotect license. The ‘deauth-only’ and ‘none’ options are available with the Base OS license.



Environment : This article applies to Aruba Mobility Controllers running ArubaOS version


Configuration Steps :

Configuring Tarpit Shielding


Tarpit shielding is configured on an AP using one of two methods:


Disable all clients: In this method, any client that attempts to associate with an AP marked for containment is sent spoofed frames.


Disable non-valid clients: In this method, only non-authorized clients that attempt to associate with an AP are sent to the tarpit.

The choices for disabling Tarpit Shielding on an AP are:



Deauth-wireless-containment with tarpit-shielding (excluding-valid-clients)

Deauth-wireless-containment with tarpit-shielding


Enabling Tarpit Shielding


Use the ids general-profile command to configure Tarpit Shielding (for detailed information on commands, refer to the Command Line Reference Guide).


ids general-profile default


wireless-containment [deauth-only | none | tarpit-all-sta | tarpit-non-valid-sta]



Verification :


Use the following show commands to view updated Tarpit Shielding status and the spoofed frames generated for an AP:

show ap monitor stats …
show ap monitor containment-info


Troubleshooting :


A station is determined to be in the tarpit when it is seen sending data frames on the fake channel. With some clients, the station remains in the tarpit state until the user manually disables and re-enables the wireless interface.
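The following Python model is an added example, not Aruba code: it walks the five tarpitting steps for each of the four wireless-containment options and counts the de-auth rounds each client needs, which shows why tarpitting is cheaper than repeated de-auth. The station names, the "base"/"rfprotect" license labels, the `simulate` and `tarpit_applies` helpers, and the treatment of valid clients under tarpit-non-valid-sta (de-authenticated but not tarpitted) are assumptions made for illustration.

```python
"""Toy model of the containment modes described above (constructed, not ArubaOS code)."""

# Options of `wireless-containment` and the license the article ties each one to.
LICENSE = {
    "none": "base",
    "deauth-only": "base",
    "tarpit-all-sta": "rfprotect",
    "tarpit-non-valid-sta": "rfprotect",
}


def tarpit_applies(mode, sta, valid_stas):
    """True if a station reconnecting to the contained AP is sent to the tarpit."""
    if mode == "tarpit-all-sta":
        return True
    # Assumption: valid (authorized) clients are still de-authenticated,
    # but only non-valid clients are tarpitted.
    return mode == "tarpit-non-valid-sta" and sta not in valid_stas


def simulate(mode, stations, valid_stas=(), licenses=("base",), rounds=5):
    """Return {station: (final_state, deauth_rounds)} after `rounds` AM scan cycles."""
    if mode not in LICENSE:
        raise ValueError(f"unknown wireless-containment option: {mode}")
    if LICENSE[mode] not in licenses:
        raise PermissionError(f"{mode} requires the {LICENSE[mode]} license")
    result = {}
    for sta in stations:
        state, deauths = "on-rogue", 0
        for _ in range(rounds):
            if mode == "none" or state == "tarpitted":
                break  # nothing to do: no containment, or client already held
            # Steps 1-2: AM sees the client on the rogue and de-authenticates it.
            deauths += 1
            # Step 3: the client tries to reconnect.
            if tarpit_applies(mode, sta, valid_stas):
                # Steps 4-5: AM completes the handshake on the fake channel,
                # then ignores the client's data frames.
                state = "tarpitted"
            else:
                state = "on-rogue"  # client rejoined the rogue; next cycle repeats
        result[sta] = (state, deauths)
    return result


if __name__ == "__main__":
    stas = ["sta-guest", "sta-corp"]  # constructed station names
    for mode in LICENSE:
        print(mode, simulate(mode, stas, valid_stas={"sta-corp"},
                             licenses=("base", "rfprotect")))
```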


Version history: revision 1 of 1, last update 07-18-2014 05:45 AM

Thank you, keep up with this. It was good information that I needed to know now.



