Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

enforce-dhcp and inter-controller roaming

  • 1.  enforce-dhcp and inter-controller roaming

    Posted Sep 25, 2017 07:51 PM

    How does enforce-dhcp know that you roamed in from another controller? Users on campus roam across controller boundaries all the time. It's unavoidable.

    In other words, if the controllers don't maintain state how does controller-B know the incoming device has an active session on controller-A? How does it know not to invoke enforce-dhcp? Surely the device won't know to request a lease simply because it roamed to an AP on another controller (device won't even know that happened).


    Thanks,

    Mike



  • 2.  RE: enforce-dhcp and inter-controller roaming

    EMPLOYEE
    Posted Sep 25, 2017 10:10 PM

    The short answer is, it does not, and it doesn't work between controllers.



  • 3.  RE: enforce-dhcp and inter-controller roaming

    Posted Sep 26, 2017 04:27 AM

    Thanks Colin, but could you please clarify? Are you saying that the enforce-dhcp feature on controller-B will, or will not, check for DORA when a device with an active session (and DHCP lease) on controller-A roams to controller-B? Is the device subject to enforce-dhcp rules every time it roams across a controller, or does controller-B somehow know to not check for DORA packets?


    We have enforce-dhcp enabled and use external DHCP servers. We do L2 mobility. We have several controllers and a large, ever-mobile campus. I'm seeing a fair amount of "drop pkt as ip not assigned through dhcp" in our logs. I believe this is due to idle timeout and DHCP lease values being out of sync, but it occurred to me that this could also be due to devices with active sessions/leases roaming across controllers. I don't see any mechanism that would inform controller-B that a device roaming onto it was already subject to enforce-dhcp on controller-A. And devices surely wouldn't know to ask for a lease every time they cross a controller boundary.


    I'm wondering if, after I adjust idle timeout and lease times, I'll still see devices being denied entry into the user table simply because they roamed to another controller.


    (running 6.4.4.15 on multiple 7220s)


    Mike




  • 4.  RE: enforce-dhcp and inter-controller roaming

    EMPLOYEE
    Posted Sep 26, 2017 04:38 AM

    A limitation of Enforce-DHCP is that if the controller the user roams to does not observe the DHCP exchange, it will not let it into the user table.

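The limitation Colin states above, and the log message Mike is chasing, as an added illustration that is not from the thread or from ArubaOS: a small Python triage script that classifies constructed "drop pkt as ip not assigned through dhcp" lines by whether the MAC last completed DHCP on a different controller, which separates the inter-controller roaming case from the idle-timeout/lease mismatch case. The "<controller> <HH:MM:SS> <msg> <mac> <ip>" line layout, the "dhcp ack" wording and all sample addresses are assumptions made for the example.

```python
import re

LEASE_SECONDS = 30 * 60  # the 30-minute lease time quoted in the thread

# Constructed sample lines, not real captures. The drop text is the message
# quoted in the thread; the "<controller> <HH:MM:SS> <msg> <mac> <ip>" layout
# and the "dhcp ack" wording are assumed for the sake of the example.
SAMPLE_LOGS = [
    "ctrl-A 10:00:00 dhcp ack 00:11:22:33:44:55 10.1.5.20",
    "ctrl-A 10:01:00 drop pkt as ip not assigned through dhcp 00:aa:bb:cc:dd:ee 10.1.5.99",
    "ctrl-B 10:05:00 drop pkt as ip not assigned through dhcp 00:11:22:33:44:55 10.1.5.20",
    "ctrl-A 11:00:00 drop pkt as ip not assigned through dhcp 00:11:22:33:44:55 10.1.5.20",
]

LINE_RE = re.compile(
    r"^(?P<ctrl>\S+) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) "
    r"(?P<msg>dhcp ack|drop pkt as ip not assigned through dhcp) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<ip>\S+)$"
)

def classify_drops(lines, lease_seconds=LEASE_SECONDS):
    """Return [(mac, controller, reason)] for each enforce-dhcp drop.
    roamed_without_dora:   DORA last seen on a *different* controller within
                           the lease window (the inter-controller roaming case)
    lease_or_idle_expired: DORA seen on this same controller, or older than the
                           lease (the idle-timeout / lease mismatch case)
    no_dora_observed:      no DHCP exchange seen for this MAC at all
    """
    last_ack = {}  # mac -> (controller that saw the ACK, seconds since midnight)
    results = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        if m["msg"] == "dhcp ack":
            last_ack[m["mac"]] = (m["ctrl"], t)  # remember who observed DORA
            continue
        ack = last_ack.get(m["mac"])
        if ack is None:
            reason = "no_dora_observed"
        elif ack[0] != m["ctrl"] and t - ack[1] <= lease_seconds:
            reason = "roamed_without_dora"
        else:
            reason = "lease_or_idle_expired"
        results.append((m["mac"], m["ctrl"], reason))
    return results
```

A high share of roamed_without_dora results points at the inter-controller limitation rather than at timer tuning, since the client held a valid lease when it was dropped.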


  • 5.  RE: enforce-dhcp and inter-controller roaming

    Posted Sep 26, 2017 12:20 PM

    Ok thanks. With respect to disabling enforce-dhcp, does anyone know the recommended best-practice settings for the following parameters:


    1. idle timeout relative to DHCP lease time

    Should they match exactly? Be very close? Which one should be lower?

    (Current: idle timeout = 14 minutes and lease time = 30 minutes)


    2. IP Spoofing and ARP Spoofing

    Should both be enabled in the firewall?

    (Current: both are enabled)


    Thanks,

    Mike



  • 6.  RE: enforce-dhcp and inter-controller roaming

    Posted Sep 27, 2017 08:44 AM

    Mike,

    This doesn't answer your best-practices question - but are you using the default "validuser" ACL, or have you made modifications to restrict it to your wireless client IP ranges (or exclude servers/default gateways)? If you haven't, that will be one thing you'll want to manually update to prevent the following from happening if you're disabling enforce-dhcp - https://www.youtube.com/watch?v=HMIQwok5r1o


    What is validuser ACL and its uses? - http://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-validuser-ACL-and-its-uses/ta-p/178584

    This also isn't restricted to clients manually setting their device to a static IP - it could also be caused by IP address leaking - http://community.arubanetworks.com/t5/ArubaOS-and-Mobility-Controllers/Weirdness-with-mobile-handsets/td-p/14463


    How user gets into the user-table of the controller - http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-the-user-gets-into-the-user-table-of-the-controller/ta-p/278519



  • 7.  RE: enforce-dhcp and inter-controller roaming

    Posted Oct 02, 2017 10:03 AM

    Thanks. I believe I have the validuser ACL configured to not let undesirable networks - as well as specific hosts (gateways, special servers, etc.) - into the user table. However, it bears taking a closer look before we disable enforce-dhcp.


    That doesn't stop users from configuring their devices for static addresses within the permitted subnets, but it sure reduces mischievous activity.




  • 8.  RE: enforce-dhcp and inter-controller roaming

    Posted Sep 26, 2017 05:37 AM
    Hi Colin, does ArubaOS 8 have any mechanism for sharing the status of a DHCP exchange for a client between controllers? That was a question we inquired about at Atmosphere this year during the AOS 8 session, and it was believed it "may".

