Wireless and RF


Article discussion: Using Policy to Control Performance

This is the discussion thread for the article "Using Policy to Control Performance" at https://edge.arubanetworks.com/article/using-policy-control-performance
Jon Green, ACMX, CISSP
Security Guy
Aruba Employee

Re: Article discussion: Using Policy to Control Performance

In addition, how many times have we had to troubleshoot an issue where a rogue DHCP server has caused many hours of tracking and troubleshooting.

The policy below will prevent DHCP server response coming from the wireless side. It will allow DHCP server response to come from the wired side. Certainly, one can tighten this down by identifying the DHCP server instance.

ip access-list session
user any udp 68 deny
any any svc-dhcp permit

Re: Article discussion: Using Policy to Control Performance

Great point....using PEF to stop things that would otherwise harm the reliability of your network. Here's another example....if a wired user bridges his/her interface to the wireless NIC, what ramification could there be? Well, spanning-tree convergence, HSRP/VRRP conflicts, routing issues, a whole host of things.....using PEF, you could essentially disconnect a client's wireless NIC if you see these types of frames coming from them....you know they're wired, so why not get them off of the wireless. To do this, using PEF, create a policy that gets applied in the user role that looks for these common "router-based" protocols coming from wireless clients. Things in this list should include OSPF, EIGRP, RIP, HSRP, VRRP, PIM, etc.....if any hits against this, use the blacklist tag to knock them off the wlan for 60 seconds or so.....once they disconnect from wired, they'll be able to connect once that timer expires. Here is an example policy:

netdestination HSRP

netdestination VRRP

netdestination RIP

netdestination OSPF

netdestination PIM

netdestination EIGRP

ip access-list session Detect_Bridge
any alias HSRP any deny log blacklist
any alias VRRP any deny log blacklist
any alias RIP any deny log blacklist
any alias OSPF any deny log blacklist
any alias PIM any deny log blacklist
any alias EIGRP any deny log blacklist
Guru Elite

Article discussion: Using Policy to Control Performance

How would you drop IPV6 traffic?

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Re: Article discussion: Using Policy to Control Performance

Two ways to accomplish this. Since 3.0, you are able to use ethertype ACLs in user roles.....use this to permit IPv4 and ARP, and deny anything else. Put this at the top of the list before your IPv4 policies. An example policy would look like this:

ip access-list eth ipv4-only
permit 0x800
permit 0x806
deny any

The other way would be to use IPv6 session policies in the user role. Create one that denies all, and add that to your user role.
Aruba Employee

Re: Article discussion: Using Policy to Control Performance

or ..

ip access-list eth no-ipv6-acl
deny 0x86dd
permit any
Super Contributor I
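The following is an added illustration, not code from any poster in this thread or from ArubaOS itself. It models how the policies quoted above (the DHCP guard from the second post, the Detect_Bridge session ACL, and the Ethertype ACLs from the two posts just above) are evaluated inside a user role: the Ethertype ACL is checked first, then the session ACLs run top-down with first-match semantics and an implicit deny at the end. The multicast group addresses behind the netdestination aliases are the standard ones for each protocol (the post names the aliases without listing their hosts), the "user"/"any" source matching and the svc-dhcp meaning of UDP 67/68 follow ArubaOS conventions, and every frame is constructed inline.

```python
"""Model of ArubaOS user-role policy evaluation for the policies posted
in this thread (illustration only, not controller code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Standard multicast groups behind the thread's netdestination aliases.
# The post shows the alias names but not their host entries.
NETDEST = {
    "HSRP": ["224.0.0.2/32"],
    "VRRP": ["224.0.0.18/32"],
    "RIP": ["224.0.0.9/32"],
    "OSPF": ["224.0.0.5/32", "224.0.0.6/32"],
    "PIM": ["224.0.0.13/32"],
    "EIGRP": ["224.0.0.10/32"],
}

@dataclass
class Frame:
    ethertype: int
    from_user: bool            # True when the wireless client itself sent it
    proto: str = "udp"         # constructed labels: "udp", "tcp", "ospf", ...
    dst_ip: str = "0.0.0.0"
    dst_port: Optional[int] = None

# Ethertype ACLs from the thread: (action, ethertype); None means "any".
ETH_IPV4_ONLY = [("permit", 0x0800), ("permit", 0x0806), ("deny", None)]
ETH_NO_IPV6 = [("deny", 0x86DD), ("permit", None)]

# Session ACL rules: (source, destination, service, action, flags).
# "user" = the authenticated client; ("alias", X) = a netdestination;
# ("udp", 68) = UDP to port 68; "svc-dhcp" = UDP 67/68 (ArubaOS netservice).
DHCP_GUARD = [
    ("user", "any", ("udp", 68), "deny", ()),      # user any udp 68 deny
    ("any", "any", "svc-dhcp", "permit", ()),      # any any svc-dhcp permit
]
DETECT_BRIDGE = [("any", ("alias", n), "any", "deny", ("log", "blacklist"))
                 for n in NETDEST]
ALLOW_ALL = [("any", "any", "any", "permit", ())]

def _dst_matches(dst, frame):
    if dst == "any":
        return True
    _, alias = dst
    addr = ip_address(frame.dst_ip)
    return any(addr in ip_network(n) for n in NETDEST[alias])

def _service_matches(svc, frame):
    if svc == "any":
        return True
    if svc == "svc-dhcp":
        return frame.proto == "udp" and frame.dst_port in (67, 68)
    proto, port = svc
    return frame.proto == proto and frame.dst_port == port

def evaluate(frame, eth_acl, session_acls):
    """Return (action, flags, matched_by) for one frame under one role."""
    for action, etype in eth_acl:               # Ethertype ACL runs first
        if etype is None or etype == frame.ethertype:
            if action == "deny":
                return ("deny", frozenset(), "ethertype-acl")
            break                               # permitted: continue to L3/L4
    else:
        return ("deny", frozenset(), "ethertype-acl implicit deny")
    for name, acl in session_acls:              # first match wins
        for src, dst, svc, action, flags in acl:
            if src == "user" and not frame.from_user:
                continue
            if _dst_matches(dst, frame) and _service_matches(svc, frame):
                return (action, frozenset(flags), name)
    return ("deny", frozenset(), "implicit deny")

# Role ordered the way the thread suggests: DHCP guard, bridge detector,
# then a catch-all permit.
ROLE = [("dhcp-guard", DHCP_GUARD), ("Detect_Bridge", DETECT_BRIDGE),
        ("allowall", ALLOW_ALL)]

def run_samples():
    """Constructed frames exercising each policy; returns name -> decision."""
    samples = {
        "dhcp_offer_from_wireless_client": Frame(0x0800, True, "udp", "10.1.1.50", 68),
        "dhcp_offer_from_wired_server": Frame(0x0800, False, "udp", "10.1.1.50", 68),
        "dhcp_discover_from_wireless": Frame(0x0800, True, "udp", "255.255.255.255", 67),
        "ospf_hello_from_wireless": Frame(0x0800, True, "ospf", "224.0.0.5"),
        "hsrp_hello_from_wireless": Frame(0x0800, True, "udp", "224.0.0.2", 1985),
        "ipv6_router_solicit": Frame(0x86DD, True, "icmpv6", "fe80::1"),
        "https_from_wireless": Frame(0x0800, True, "tcp", "203.0.113.10", 443),
    }
    return {k: evaluate(f, ETH_IPV4_ONLY, ROLE) for k, f in samples.items()}

if __name__ == "__main__":
    for name, (action, flags, by) in run_samples().items():
        print(f"{name:34} {action:6} {' '.join(sorted(flags)):14} via {by}")
```

Running it shows why the DHCP guard only needs one deny line: a wireless client's DHCP Discover (UDP 67) still passes through svc-dhcp, while an Offer (UDP 68) sourced by that client is dropped before the permit is reached. It also shows that rule order matters for the bridge detector: a frame to an HSRP or OSPF group is matched by Detect_Bridge only because nothing earlier in the role permitted it, so placing an allow-all above it would silently disable the blacklist.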

Take caution blocking ipv6 via eth ACL

Take caution and care when applying a no-ipv6 Ethernet acl to the controller's port. If you have a lot of APs with multiple SSIDs (i.e., numerous BSSIDs), you run the risk that performing configuration saves (write mem) will cause APs to bootstrap. Configuring the Ethernet ACL will cause every frame to go through firewall processing.

The better course of action is to use the new knob added in

conf t
no ipv6 enable
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
New Contributor

Using PEF to re TOS traffic


Although this thread is aging, I had to chime in. PEF's potential is well beyond a firewall, I totally agree. Just for 1 example, we re-classify / re-tag multicast video traffic inbound to our controllers from our Corporate Webcast Servers. We key off of multicast traffic bound to a specific multicast address range, and then we set the TOS value to a higher priority than regular video. Since these are All Hands Meetings and QEM meetings they have more of a precedence than regular video, which of course is using our standard WMM AC mappings for video. Works like a champ!!!
Occasional Contributor II

Re: Article discussion: Using Policy to Control Performance

How can you accomplish this? Is WIP currently available?

Contributor I

dropping IPv6 traffic

Does Ryan's suggestion below of "no ipv6 enable" drop all ipv6 traffic in/out of the controller?