Wireless Access

Occasional Contributor II

enforce dhcp


We are going to use the enforce DHCP option on the controller to avoid clients with static IP addresses.

Can we use the enforce DHCP option if we use an external DHCP server, or can it be used only if we have an internal DHCP server?

If it can be used along with an external DHCP server, then how will the controller keep track of DHCP exchanges?

Thanks in advance.
Guru Elite

Re: enforce dhcp

Yes, most use it with an external server. Since the controller is "in-line", it sees the whole DORA.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor I

Re: enforce dhcp


We are doing this in production with two peered external DHCP servers and it works fine for us.


Note there are other related flags in the global firewall you may want to investigate -- we run with "Prevent DHCP exhaustion", "Prohibit IP spoofing" and "Prohibit ARP spoofing" turned on.

Those are all essential ingredients to good first-hop security.


With the latter option enabled, you may also want to consider local-proxy-arp on your client VLAN interfaces, but take care that you understand it if your controller has an IP applied to those VLAN interfaces.  This prevents occasional blacklisting events if there is a device that accidentally sends corrupt ARP replies (iPhone) and also reduces the ARP traffic over the air in general, which is a good thing.
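A simplified model of what the replies above describe, added here as an illustration and not taken from the thread or from ArubaOS: an in-line device follows each DORA exchange, records the leased address per client MAC, and permits traffic only from that address. The class name, event tuples, MAC addresses and IP addresses are constructed for the example, and the logic is an assumption about how such enforcement can work, not the controller's actual implementation.

```python
class DhcpEnforcer:
    """Toy in-line DHCP enforcement (assumed logic, not the controller's code)."""
    def __init__(self):
        self.pending = set()    # (mac, xid) pairs that have sent DHCPREQUEST
        self.bindings = {}      # mac -> (leased_ip, expiry_time)

    def observe_dhcp(self, now, msg_type, mac, xid, yiaddr=None, lease=0):
        """Update state from one DHCP message seen on the wire."""
        key = (mac, xid)
        if msg_type == "REQUEST":
            self.pending.add(key)
        elif msg_type == "ACK" and key in self.pending:
            # Only an ACK answering a REQUEST we saw creates a binding.
            self.pending.discard(key)
            self.bindings[mac] = (yiaddr, now + lease)
        elif msg_type == "NAK":
            self.pending.discard(key)
        elif msg_type == "RELEASE":
            self.bindings.pop(mac, None)
        # DISCOVER and OFFER carry no commitment, so they change nothing.

    def permit(self, now, mac, src_ip):
        """Allow client traffic only from the address its live lease names."""
        ip, expiry = self.bindings.get(mac, (None, None))
        if ip is None or now >= expiry:
            self.bindings.pop(mac, None)   # no lease, or lease ran out
            return False
        return ip == src_ip

def run_demo():
    # Constructed sample events: (time, type, mac, xid, yiaddr, lease seconds).
    dora = [
        (0, "DISCOVER", "aa:aa:aa:00:00:01", 0x1111, None, 0),
        (1, "OFFER",    "aa:aa:aa:00:00:01", 0x1111, "10.0.0.50", 0),
        (2, "REQUEST",  "aa:aa:aa:00:00:01", 0x1111, None, 0),
        (3, "ACK",      "aa:aa:aa:00:00:01", 0x1111, "10.0.0.50", 3600),
    ]
    enf = DhcpEnforcer()
    for event in dora:
        enf.observe_dhcp(*event)
    return {
        "leased": enf.permit(10, "aa:aa:aa:00:00:01", "10.0.0.50"),
        "spoofed": enf.permit(10, "aa:aa:aa:00:00:01", "10.0.0.99"),
        "static": enf.permit(10, "bb:bb:bb:00:00:02", "10.0.0.60"),
        "expired": enf.permit(3700, "aa:aa:aa:00:00:01", "10.0.0.50"),
    }

if __name__ == "__main__":
    print(run_demo())
```

The DHCP server never appears in the model: the binding is built purely from messages observed in transit, which is why the server can be external.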

