Ruckus Guest Access
How come, when connecting to the wireless guest SSID, clients are getting a DHCP response when the following rules are set?
Order  Description  Type  Destination Address  Application  Protocol  Destination Port
1                   Deny  192.168.0.1/19       Any          Any       Any
2                   Deny  10.0.0.0/8           Any          Any       Any
3                   Deny  172.16.0.0/12        Any          Any       Any
4                   Deny  192.168.0.0/16       Any          Any       Any
My DHCP server has an address of 192.168.2.1, so how come it's being allowed to communicate with it when everything is set to Deny?
Your subnetting is wrong?
DHCP requests are not sent via IP, so rules preventing communication by IP can't be followed.
Basically, DHCP commands are sent in a different network layer - layer 2, and those rules are layer 3 rules.
That'd be my theory anyway!
DHCP is application layer, above IP. It uses 255.255.255.255 as a broadcast packet and as the client doesn't yet have an IP it cannot be blocked by a rule. Why would you want to stop people from getting IPs? It would be a lonely guest network!!
Well, I was just confused as DHCP is an option to Allow, so since all was set to block I was just wondering why it allows it through if there is an option for it.
Is this on a CISCO device? I haven't done much in the way of ACLs for HP ones. On a CISCO device the DHCP, DNS etc. options are there for ease of reading of port numbers. If you wanted to disable DHCP completely on a subnet you would have to use the 0.0.0.0/0 DHCP option, but it would be pretty useless for the most part.
What I would expect from your rule there is that once your clients have IP addresses that they would no longer be able to contact the DHCP server. Try this by pinging once the clients are up and running. That would prove that your rule is working as such.
It's an odd setup though; normally you would want to allow only access to your DHCP servers from a guest network and none of the others (if it was a super secure environment :) ). This would be so that when clients renegotiate their lease (half way through their lease time) they can do so. Otherwise, when the lease time is up you will get clients being disconnected for a short period while they renegotiate a lease from scratch from your server.
Hope that makes some sense!!
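To make the two points in the replies above concrete (the initial DHCP DISCOVER is sent to the limited-broadcast address, which sits in none of the deny prefixes, while the later unicast renewal to 192.168.2.1 does match), here is an added Python example; it is not from the thread or from Ruckus. It assumes first-match rule evaluation with an implicit allow when nothing matches, which is an assumption about the controller, not documented behaviour.

```python
# Added example (not from the thread): evaluate the poster's four deny rules
# against constructed sample packets to show which ones they actually match.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    order: int
    action: str
    destination: ipaddress.IPv4Network
    protocol: str            # "any", "udp", "tcp" or "icmp"
    port: Optional[int]      # None means any destination port


# The four rules from the post. strict=False is needed because "192.168.0.1/19"
# has host bits set; it is normalised to 192.168.0.0/19 (192.168.0.0-192.168.31.255).
RULES = [
    Rule(1, "deny", ipaddress.ip_network("192.168.0.1/19", strict=False), "any", None),
    Rule(2, "deny", ipaddress.ip_network("10.0.0.0/8"), "any", None),
    Rule(3, "deny", ipaddress.ip_network("172.16.0.0/12"), "any", None),
    Rule(4, "deny", ipaddress.ip_network("192.168.0.0/16"), "any", None),
]


def evaluate(rules, dst_ip, protocol, dst_port, default="allow"):
    """First-match evaluation (assumed semantics). Returns (action, rule order or None)."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if dst not in r.destination:
            continue
        if r.protocol != "any" and r.protocol != protocol:
            continue
        if r.port is not None and r.port != dst_port:
            continue
        return r.action, r.order
    return default, None


# Constructed packets for the three moments discussed in the thread.
SAMPLE_PACKETS = {
    # Initial DISCOVER: no address yet, so the client broadcasts to 255.255.255.255.
    "dhcp_discover": ("255.255.255.255", "udp", 67),
    # Renewal at T1 is unicast straight to the lease's server (192.168.2.1 in the post).
    "dhcp_renew": ("192.168.2.1", "udp", 67),
    # The ping test suggested in the last reply.
    "ping_server": ("192.168.2.1", "icmp", None),
}


def classify_samples(rules=RULES):
    """Map each sample packet name to the (action, matching rule) it receives."""
    return {name: evaluate(rules, *pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, order) in classify_samples().items():
        print(f"{name:14s} -> {action} (rule {order})")
```

The DISCOVER comes back as allowed with no matching rule, while the renewal and the ping are both denied by rule 1, which is exactly the behaviour the last reply predicts.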