IP Theft

The IP Theft feature is a wireless controller security mechanism that

  • detects duplicate IP address usage among connected clients

  • assigns precedence to clients based on a defined preference order, and

  • blocks or excludes clients attempting to use IP addresses already assigned to others.

The IP Theft feature is enabled by default on the controller. If a wireless client tries to use an IP address that is already assigned to a wired client, the controller treats it as a theft attempt, because wired clients take precedence over wireless clients.

Lower the idle timeout to prevent false IP theft

Lower the idle timeout for devices that may switch WLANs while out of range of the APs, so that their return is not reported as an IP theft event.

When a device moves between WLANs while out of range, it may keep the same IPv6 link-local address but present a different MAC address (for example, a client that uses a different randomized MAC address on each WLAN). Because the controller cannot immediately detect the move, the stale entry for the old MAC address is still in its database, and the reuse of the same IP address by the new MAC address looks like an IP theft.

To avoid this, lower the idle timeout so that the controller promptly removes the stale client entry from the original WLAN. Address reuse by a legitimately roaming device is then no longer treated as a theft attempt.

IP preference levels for IP theft detection

The controller uses IP preference levels to resolve conflicts when multiple clients claim the same IP address. These levels determine which client has priority based on the method by which the controller learned the IP address. Preference order for IPv4 clients, from highest to lowest:

  • DHCPv4

  • ARP

  • Data packets

Preference order for IPv6 clients, from highest to lowest:

  • DHCPv6

  • NDP (Neighbor Discovery Protocol)

  • Data packets

Additional rules:

  • Static wired clients (entries added with the device-tracking binding command) always receive higher preference than dynamically learned clients, whatever the learning method.

  • Wired clients are prioritized over wireless clients when IP conflicts occur.
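The precedence rules above, carried through as a runnable model. This is an added example, not Cisco code: the ranking of learning methods and the wired/static rules are taken from this page, while the tie-break (ties favour the existing holder), the last-seen timestamps, the idle-timeout sweep and the "displaced" outcome for a lower-ranked holder are assumptions made so the model can be executed. The roaming_false_positive function replays the idle-timeout scenario from the previous section.

```python
"""Model of the controller's IP-theft precedence rules (added example, not
Cisco code). The ranking of learning methods and the wired/static rules come
from this page; the tie-break, the timestamps and the idle-timeout sweep are
assumptions added so the model can be run."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Tuple


class Method(IntEnum):
    """How the controller learned the address; a higher value wins."""
    DATA = 1      # inferred from data packets
    ARP_NDP = 2   # ARP (IPv4) or NDP (IPv6)
    DHCP = 3      # DHCPv4 or DHCPv6
    STATIC = 4    # static wired entry (device-tracking binding)


@dataclass
class Binding:
    mac: str
    ip: str
    method: Method
    wired: bool
    last_seen: float   # seconds; assumed field used by the idle sweep


def precedence(b: Binding) -> Tuple[int, int]:
    """Wired outranks wireless; within a class the learning method decides."""
    return (int(b.wired), int(b.method))


@dataclass
class TheftDetector:
    idle_timeout: float   # seconds of silence before an entry is aged out (assumed)
    table: Dict[str, Binding] = field(default_factory=dict)   # ip -> current holder
    excluded: Dict[str, str] = field(default_factory=dict)    # mac -> exclusion reason

    def sweep(self, now: float) -> None:
        """Drop entries idle longer than idle_timeout (models the idle timer)."""
        for ip in [ip for ip, b in self.table.items() if now - b.last_seen > self.idle_timeout]:
            del self.table[ip]

    def claim(self, mac: str, ip: str, method: Method, wired: bool, now: float) -> str:
        """Process one address claim. Returns 'accepted', 'refreshed',
        'excluded' (claimant loses) or 'displaced' (current holder loses)."""
        self.sweep(now)
        new = Binding(mac, ip, method, wired, now)
        cur = self.table.get(ip)
        if cur is None:
            self.table[ip] = new
            return "accepted"
        if cur.mac == mac:
            cur.method = max(cur.method, method)   # keep the strongest method seen
            cur.last_seen = now
            return "refreshed"
        if precedence(new) > precedence(cur):
            # A higher-ranked claimant (e.g. wired vs. wireless) keeps the address;
            # the lower-ranked holder is the thief (assumed, consistent with the page).
            self.excluded[cur.mac] = "IP address theft"
            self.table[ip] = new
            return "displaced"
        # Equal or lower rank: the claimant is the thief; ties favour the holder.
        self.excluded[mac] = "IP address theft"
        return "excluded"


def roaming_false_positive(idle_timeout: float) -> str:
    """A client keeps its IPv6 link-local address but changes MAC between WLANs
    and is seen again 40 s later. With a long idle timeout the stale entry is
    still present and the reuse looks like theft; with a short one the entry
    has been aged out and the client is accepted. Addresses are constructed."""
    d = TheftDetector(idle_timeout)
    d.claim("aaaa.1111.0001", "fe80::1", Method.ARP_NDP, wired=False, now=0)
    return d.claim("aaaa.1111.0002", "fe80::1", Method.ARP_NDP, wired=False, now=40)


if __name__ == "__main__":
    d = TheftDetector(idle_timeout=300)
    d.claim("0000.1111.2222", "20.20.20.5", Method.STATIC, wired=True, now=0)
    print(d.claim("10da.4320.cce9", "20.20.20.5", Method.DHCP, wired=False, now=1))  # excluded
    print(roaming_false_positive(300), roaming_false_positive(30))  # excluded accepted
```

Run it as a script to see the wired-vs-wireless case and the two idle-timeout outcomes side by side; the interesting part is that the same pair of claims yields "excluded" with a 300-second idle timeout and "accepted" with a 30-second one.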

Configure IP theft (GUI)

Prevent unauthorized use or reuse of IP addresses by configuring IP theft protections.

Procedure


Step 1

Choose Configuration > Security > Wireless Protection Policies > Client Exclusion Policies.

Step 2

Check the IP Theft or IP Reuse check box.

Step 3

Click Apply.


Configure IP theft (CLI)

Enable IP theft detection and configure client exclusion policies using CLI.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the client exclusion policy.

Example:

Device(config)# wireless wps client-exclusion ip-theft

Configure the IP theft exclusion timer (CLI)

Set the exclusion timer to temporarily block IP addresses suspected of theft on a WLAN.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure a WLAN policy profile and enter the wireless policy configuration mode. The argument is the name of the policy profile.

Example:

Device(config)# wireless profile policy default-policy-profile

Step 3

Specify the exclusion timeout, in seconds.

Example:

Device(config-wireless-policy)# exclusionlist timeout 5

The valid range is 0 to 2147483647 seconds. Enter 0 for no timeout (the exclusion does not expire).


Add static entries for wired hosts (CLI)

Configure static wired bindings for devices on a VLAN to control IP address and interface assignment.


Note


If you configure static wired bindings and SVI IP addresses on the device, the device uses those bindings instead of addresses learned through DHCP.


Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the IPv4 or IPv6 static entry. The syntax is device-tracking binding vlan vlan-id {ipv4-address | ipv6-address} interface interface-type interface-number mac-address.

Example:

Device(config)# device-tracking binding vlan 20 20.20.20.5 interface GigabitEthernet 1 0000.1111.2222

Example:

Device(config)# device-tracking binding vlan 20 2200:20:20::6 interface GigabitEthernet 1 0000.4444.3333

Use the first example to configure an IPv4 static entry or the second to create an IPv6 static entry. Entries added this way are learned as static and rank above any dynamically learned (DHCP, ARP/NDP or data-packet) binding for the same address.


Verify IP theft configuration

Use the following command to check whether the IP theft feature is enabled:

Device# show wireless wps summary

Client Exclusion Policy
  Excessive 802.11-association failures   : Enabled
  Excessive 802.11-authentication failures: Enabled
  Excessive 802.1x-authentication         : Enabled
  IP-theft                                : Enabled
  Excessive Web authentication failure    : Enabled
  Cids Shun failure                       : Enabled
  Misconfiguration failure                : Enabled
  Failed Qos Policy                       : Enabled
  Failed Epm                              : Enabled

Use the following commands to view additional details about the IP theft feature, including the excluded client, the address it contested and the time remaining on its exclusion:

Device# show wireless client summary 

Number of Local Clients: 1

MAC Address    AP Name                WLAN State              Protocol Method     Role
-------------------------------------------------------------------------------------------
000b.bbb1.0001 SimAP-1                2    Run                11a      None       Local             

Number of Excluded Clients: 1

MAC Address    AP Name                WLAN State              Protocol Method     
-------------------------------------------------------------------------------------------
10da.4320.cce9 charlie2               2    Excluded           11ac     None       


Device# show wireless device-tracking database ip 

IP                              VLAN  STATE       DISCOVERY   MAC
  -------------------------------------------------------------------------
  20.20.20.2                     20    Reachable   Local      001e.14cc.cbff 
  20.20.20.6                     20    Reachable   IPv4 DHCP  000b.bbb1.0001 


Device# show wireless exclusionlist 

Excluded Clients

MAC Address       Description          Exclusion Reason               Time Remaining  
-----------------------------------------------------------------------------------------
10da.4320.cce9                         IP address theft                    59  



Note


The client exclusion timer removes entries from the exclusion list with a granularity of 10 seconds: every 10 seconds each entry is checked and either retained or deleted. As a result, the Time Remaining shown for an excluded client may briefly display a negative value of up to 10 seconds.



Note


When client exclusion is triggered, the controller adds the client to the exclusion list. This feature does not prevent the client entry itself from being deleted.


Device# show wireless exclusionlist client mac 12da.4820.cce9 detail 

Client State : Excluded
Client MAC Address : 12da.4820.cce9
Client IPv4 Address: 20.20.20.6
Client IPv6 Address: N/A
Client Username: N/A
Exclusion Reason : IP address theft
Authentication Method : None
Protocol: 802.11ac
AP MAC Address : 58ac.780e.08f0
AP Name: charlie2
AP slot : 1
Wireless LAN Id : 2
Wireless LAN Name: mhe-ewlc
VLAN Id : 20
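A practitioner who pulls these show commands from many controllers will want to parse them rather than read them. The parser below is an added example, not Cisco code: it checks the IP-theft line of show wireless wps summary, turns the show wireless exclusionlist table into records, and reads the "Key : Value" detail output. The sample outputs embedded in it are constructed in the formats shown on this page; the second exclusion-list row (aabb.ccdd.eeff, lab-printer, a negative timer) is made up to exercise the 10-second timer-granularity caveat from the Note above.

```python
"""Parse the controller's IP-theft verification output (added example, not
Cisco code). Sample outputs are constructed in the format shown on this page;
the second exclusion-list row and its negative timer are made up to exercise
the 10-second timer-granularity caveat."""
import re
from typing import Dict, List, NamedTuple

WPS_SUMMARY = """\
Client Exclusion Policy
  Excessive 802.11-association failures   : Enabled
  Excessive 802.11-authentication failures: Enabled
  Excessive 802.1x-authentication         : Enabled
  IP-theft                                : Enabled
  Excessive Web authentication failure    : Enabled
"""

EXCLUSION_LIST = """\
Excluded Clients

MAC Address       Description          Exclusion Reason               Time Remaining
-----------------------------------------------------------------------------------------
10da.4320.cce9                         IP address theft                    59
aabb.ccdd.eeff    lab-printer          Excessive 802.1x-authentication     -7
"""

CLIENT_DETAIL = """\
Client State : Excluded
Client MAC Address : 12da.4820.cce9
Client IPv4 Address: 20.20.20.6
Client IPv6 Address: N/A
Exclusion Reason : IP address theft
AP Name: charlie2
Wireless LAN Id : 2
VLAN Id : 20
"""

# Key/value line: the colon must be followed by whitespace, so an IPv6 value
# such as 2200:20:20::6 is not split on its own colons.
KV_RE = re.compile(r"^\s*(?P<key>.+?)\s*:\s+(?P<val>.*?)\s*$")
# Exclusion-list row: MAC, then description (optional) and reason, then the timer.
ROW_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<mid>.*?)\s+(?P<t>-?\d+)\s*$",
    re.IGNORECASE,
)


def parse_kv(text: str) -> Dict[str, str]:
    """'Key : Value' lines -> dict; works for the wps summary and client detail."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            out[m.group("key")] = m.group("val")
    return out


def ip_theft_enabled(summary: str) -> bool:
    """True when the 'IP-theft' policy line of show wireless wps summary says Enabled."""
    return parse_kv(summary).get("IP-theft", "").lower() == "enabled"


class Excluded(NamedTuple):
    mac: str
    description: str
    reason: str
    time_remaining: int
    pending_removal: bool   # timer at or below zero: entry drops on the next 10 s check


def parse_exclusion_list(text: str) -> List[Excluded]:
    """Rows of show wireless exclusionlist. Description and reason are separated
    by two or more spaces, so column alignment does not have to be exact."""
    rows: List[Excluded] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True          # data rows follow the dashed separator
            continue
        if not in_table or not line.strip():
            continue
        m = ROW_RE.match(line)
        if not m:
            continue                 # unexpected or wrapped line: skip it
        cols = re.split(r"\s{2,}", m.group("mid").strip())
        desc, reason = ("", cols[0]) if len(cols) == 1 else (cols[0], cols[-1])
        t = int(m.group("t"))
        rows.append(Excluded(m.group("mac").lower(), desc, reason, t, t <= 0))
    return rows


def ip_theft_exclusions(text: str) -> List[Excluded]:
    """Only the entries excluded for IP address theft, the rows worth alerting on."""
    return [e for e in parse_exclusion_list(text) if e.reason == "IP address theft"]


if __name__ == "__main__":
    print("IP-theft enabled:", ip_theft_enabled(WPS_SUMMARY))
    for e in parse_exclusion_list(EXCLUSION_LIST):
        print(e)
    print(parse_kv(CLIENT_DETAIL)["Client IPv4 Address"])
```

The negative timer case matters for automation: an entry that shows a Time Remaining of, say, -7 is not an error, it is simply waiting for the next 10-second check, so the parser flags it as pending_removal rather than treating the value as malformed.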