Wireless Access

Frequent Contributor I

Client source IP addressing filtering vs enforce-dhcp

Lately, our infosec crew have noticed a lot of wireless clients sending traffic out with the wrong source IP address. A lot of them are using T-Mobile and Sprint owned blocks, so our best guess is that it's smart phones sending traffic sourced from their 4G IP address, but using the wifi interface (this is a problem we've run into on the Linux IP stack many times over the years...)

My question, then, is how are people handling this kind of traffic? On the wired side, we handle it with DHCP snooping and dynamic ARP inspection. The Aruba controllers have the enforce-dhcp option, but it's not clear to me from what I've read that it'll actually restrict the client to only using the DHCP assigned IP address. If not, I'm assuming I'll have to fall back to setting inbound clients based on the client subnets.

thanks!

Guru Elite

Re: Client source IP addressing filtering vs enforce-dhcp

Utilizing the validuser ACL is an Aruba best practice.

https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-validuser-ACL-and-its-uses/ta-p/178584


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Guru Elite

Re: Client source IP addressing filtering vs enforce-dhcp

Enforce DHCP in the AAA profile will only allow clients in the user table for which it has witnessed a DHCP transaction. The WAN IP address source address traffic would not be allowed.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Frequent Contributor I

Re: Client source IP addressing filtering vs enforce-dhcp

Thanks, guys!  enforce-dhcp won't be an option for us until this summer, as we're running two sets of controllers on the same SSID to play around with the 8.0 code.  In the meantime, it sounds like the valid-user ACL is the way to go.
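An added example, not part of any post in this thread and not Aruba's implementation: a Python model of the two filtering approaches compared above, a source filter keyed on the client subnets versus a per-client binding learned from DHCP (as DHCP snooping does on the wired side). The MACs, addresses and the 10.20.0.0/16 client range are constructed; 198.51.100.7 stands in for a carrier-assigned address.

```python
import ipaddress

# Constructed sample data (not from the thread): DHCP ACKs seen by the
# controller, and per-client source addresses observed on the WLAN.
DHCP_ACKS = """\
aa:bb:cc:00:00:01 10.20.1.15
aa:bb:cc:00:00:02 10.20.1.16
"""
FLOWS = """\
aa:bb:cc:00:00:01 10.20.1.15
aa:bb:cc:00:00:01 198.51.100.7
aa:bb:cc:00:00:02 10.20.1.99
aa:bb:cc:00:00:03 10.20.1.50
"""
CLIENT_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed WLAN client range


def parse_pairs(text):
    """Parse 'mac ip' lines into (mac, IPv4Address) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            mac, ip = line.split()
            rows.append((mac.lower(), ipaddress.ip_address(ip)))
    return rows


def classify(flows, leases, subnets):
    """Return (mac, src, reason, subnet_filter_drops, binding_drops) per flow."""
    bound = dict(leases)  # MAC -> address learned from the DHCP ACK
    results = []
    for mac, src in flows:
        in_subnet = any(src in net for net in subnets)
        if not in_subnet:
            reason = "outside-client-subnet"
        elif mac not in bound:
            reason = "no-dhcp-seen"
        elif bound[mac] != src:
            reason = "lease-mismatch"
        else:
            reason = "ok"
        # A subnet filter catches only the first case; a binding check catches all three.
        results.append((mac, str(src), reason, not in_subnet, reason != "ok"))
    return results


if __name__ == "__main__":
    for row in classify(parse_pairs(FLOWS), parse_pairs(DHCP_ACKS), CLIENT_SUBNETS):
        print(row)
```

The carrier-sourced packet is dropped by both policies, while the statically addressed and lease-mismatched clients inside the client range pass a subnet-only filter.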
