IP Theft

The IP Theft feature is a wireless controller security mechanism that

  • detects duplicate IP address usage among connected clients

  • assigns precedence to clients based on a defined preference order, and

  • blocks or excludes clients attempting to use IP addresses already assigned to others.

The IP Theft feature is enabled by default on the controller. The controller also uses the preference level of clients, including new and existing ones in the database, to report IP theft. The preference level refers to the source of learning, such as Dynamic Host Configuration Protocol (DHCP), Address Resolution Protocol (ARP), or analysis of the IP data packet to determine the client’s IP address. Wired clients always receive a higher preference level. If a wireless client tries to use an IP address assigned to a wired client, the controller marks it as a theft attempt.


Note


Some devices might use distinct MAC addresses but share the same IPv6 link-local address on different WLANs. If devices switch WLANs when they are not in range of the APs, an IP theft event is triggered. Lower the idle timeout for devices to prevent this situation. When devices are out of range of the APs, the idle timeout takes effect. The controller removes outdated entries in the initial WLAN.


The order of preference for IPv4 clients is:

  1. DHCPv4

  2. ARP

  3. Data packets

The order of preference for IPv6 clients is:

  1. DHCPv6

  2. NDP

  3. Data packets


Note


Static wired clients receive a higher preference level than DHCP-assigned clients.


Configure IP theft (GUI)

Prevent unauthorized use or reuse of IP addresses by configuring IP theft protections.

Procedure


Step 1

Choose Configuration > Security > Wireless Protection Policies > Client Exclusion Policies.

Step 2

Check the IP Theft or IP Reuse check box.

Step 3

Click Apply.


Configure IP theft (CLI)

Enable IP theft detection and configure client exclusion policies using CLI.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the client exclusion policy.

Example:

Device(config)# wireless wps client-exclusion ip-theft

Configure the IP theft exclusion timer (CLI)

Set the exclusion timer to temporarily block IP addresses suspected of theft on a WLAN.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a WLAN policy profile and enter the wireless policy configuration mode.

Example:

Device(config)# wireless profile policy profile-policy default-policy-profile

Step 3

Specify the timeout, in seconds.

Example:

Device(config-wireless-policy)# exclusionlist timeout 5

The valid range is 0 to 2147483647 seconds. Enter 0 for no timeout.


Add static entries for wired hosts (CLI)

Configure static wired bindings for devices on a VLAN to control IP address and interface assignment.


Note


If you configure wired bindings and SVI IP addresses on the device, the device uses those instead of DHCP.


Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the IPv4 or IPv6 static entry.

Example:

Device(config)# device-tracking binding vlan 20 20.20.20.5 interface gigabitEthernet 1 0000.1111.2222

Example:

Device(config)# device-tracking binding vlan 20 2200:20:20::6 interface gigabitEthernet 1 0000.4444.3333

Use the first form to configure an IPv4 static entry and the second form to configure an IPv6 static entry. The syntax is device-tracking binding vlan vlan-id {ipv4-address | ipv6-address} interface gigabitEthernet ge-intf-num hardware-or-mac-address.


Verify IP theft configuration

Use the following command to check whether the IP theft feature is enabled:

Device# show wireless wps summary

Client Exclusion Policy
  Excessive 802.11-association failures   : Enabled
  Excessive 802.11-authentication failures: Enabled
  Excessive 802.1x-authentication         : Enabled
  IP-theft                                : Enabled
  Excessive Web authentication failure    : Enabled
  Cids Shun failure                       : Enabled
  Misconfiguration failure                : Enabled
  Failed Qos Policy                       : Enabled
  Failed Epm                              : Enabled

Use the following commands to view additional details about the IP theft feature:

Device# show wireless client summary 

Number of Local Clients: 1

MAC Address    AP Name                WLAN State              Protocol Method     Role
-------------------------------------------------------------------------------------------
000b.bbb1.0001 SimAP-1                2    Run                11a      None       Local             

Number of Excluded Clients: 1

MAC Address    AP Name                WLAN State              Protocol Method     
-------------------------------------------------------------------------------------------
10da.4320.cce9 charlie2               2    Excluded           11ac     None       


Device# show wireless device-tracking database ip 

IP                              VLAN  STATE       DISCOVERY   MAC
  -------------------------------------------------------------------------
  20.20.20.2                     20    Reachable   Local      001e.14cc.cbff 
  20.20.20.6                     20    Reachable   IPv4 DHCP  000b.bbb1.0001 


Device# show wireless exclusionlist 

Excluded Clients

MAC Address       Description          Exclusion Reason               Time Remaining  
-----------------------------------------------------------------------------------------
10da.4320.cce9                         IP address theft                    59  



Note


The client exclusion timer removes entries from the exclusion list with a granularity of 10 seconds: every 10 seconds, each entry is checked and either retained or deleted. As a result, the Time Remaining value displayed for an excluded client can be negative by up to 10 seconds.
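An added Python example (not Cisco's code) that parses show wireless exclusionlist output by the header's column offsets and lists the clients excluded for IP address theft; the sample output is constructed here, including one entry whose Time Remaining has gone negative as the note describes.

```python
"""Parse `show wireless exclusionlist` output by header column offsets."""
import re


def _row(mac, desc, reason, remaining):
    # Lay out a row with fixed column offsets (18, 39, 70) like the command output.
    return f"{mac:<18}{desc:<21}{reason:<31}{remaining:>6}"


# Constructed sample output (not a real capture); the second entry shows a
# timer that has gone negative, which can happen for up to 10 seconds.
SAMPLE = "\n".join([
    "Excluded Clients",
    "",
    f"{'MAC Address':<18}{'Description':<21}{'Exclusion Reason':<31}Time Remaining",
    "-" * 89,
    _row("10da.4320.cce9", "", "IP address theft", 59),
    _row("000b.bbb1.0001", "lab-client", "IP address theft", -7),
    _row("aaaa.bbbb.cccc", "", "Misconfiguration failure", 120),
])

HEADER_LABEL = re.compile(r"\S+(?: \S+)*")  # labels are separated by 2+ spaces


def parse_exclusionlist(text):
    """Return one dict per excluded client, keyed by the header labels."""
    lines = text.splitlines()
    hdr = next(i for i, line in enumerate(lines) if line.startswith("MAC Address"))
    starts = [m.start() for m in HEADER_LABEL.finditer(lines[hdr])]
    spans = list(zip(starts, starts[1:] + [None]))
    names = [lines[hdr][s:e].strip() for s, e in spans]
    rows = []
    for line in lines[hdr + 1:]:
        if not line.strip() or set(line.strip()) == {"-"}:
            continue  # blank line or the dashed separator
        cells = [line[s:e].strip() for s, e in spans]
        row = dict(zip(names, cells))
        # Negative values are kept: the entry still exists until the next
        # 10-second check removes it.
        row["Time Remaining"] = int(row["Time Remaining"])
        rows.append(row)
    return rows


def theft_exclusions(text):
    """MAC addresses currently excluded for IP address theft."""
    return [r["MAC Address"] for r in parse_exclusionlist(text)
            if r["Exclusion Reason"] == "IP address theft"]
```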



Note


When you enable client exclusion, the system adds the client to the exclusion list. This feature does not prevent the client from being deleted.


Device# show wireless exclusionlist client mac 12da.4820.cce9 detail 

Client State : Excluded
Client MAC Address : 12da.4820.cce9
Client IPv4 Address: 20.20.20.6
Client IPv6 Address: N/A
Client Username: N/A
Exclusion Reason : IP address theft
Authentication Method : None
Protocol: 802.11ac
AP MAC Address : 58ac.780e.08f0
AP Name: charlie2
AP slot : 1
Wireless LAN Id : 2
Wireless LAN Name: mhe-ewlc
VLAN Id : 20