client ip-snooping http-learning enable
client ip-snooping ip-recover enable
client ipv4-snooping arp-learning enable
client ipv4-snooping dhcp-learning enable
client ipv4-snooping dhcp-learning timeout
client ipv6-snooping dhcpv6-learning enable
client ipv6-snooping nd-learning enable
client ipv6-snooping { dhcpv6-learning | nd-learning }
client ipv6-snooping snmp-nd-report enable
display wlan statistics client-ip-conflict
wlan client ip-conflict-detection enable
WLAN IP snooping commands
client ip-snooping http-learning enable
Use client ip-snooping http-learning enable to enable snooping HTTP and HTTPS requests redirected to the portal server.
Use undo client ip-snooping http-learning enable to disable snooping HTTP and HTTPS requests redirected to the portal server.
Syntax
client ip-snooping http-learning enable
undo client ip-snooping http-learning enable
Default
Snooping HTTP and HTTPS requests is disabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
An AC can use this method to learn IP addresses of clients performing portal authentication. For more information about portal authentication, see Security Configuration Guide for the switch.
IP addresses learned by snooping DHCP packets, ARP or ND packets, and HTTP/HTTPS requests take priority in that order, from highest to lowest.
Make sure the service template is disabled when you execute this command.
Examples
# Enable snooping HTTP and HTTPS requests.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client ip-snooping http-learning enable
client ip-snooping ip-recover enable
Use client ip-snooping ip-recover enable to enable IP address recovery for reassociated clients.
Use undo client ip-snooping ip-recover enable to disable IP address recovery for reassociated clients.
Syntax
client ip-snooping ip-recover enable [ delay time ]
undo client ip-snooping ip-recover enable
Default
IP address recovery is disabled for reassociated clients.
Views
Service template view
Predefined user roles
network-admin
Parameters
delay time: Specifies the IP address recovery period, in the range of 5 to 300 seconds. The default value is 10.
Usage guidelines
This feature takes effect only on clients whose association is performed at the AC.
After roaming, clients might fail to obtain new IP addresses through DHCP, DHCPv6, or ND for a long time, because the previously obtained addresses have not expired. If IP source guard is enabled, data packets from such clients will be discarded. To resolve the issue, you can enable IP address recovery for reassociated clients.
With this feature enabled, the AC reports the IP and MAC addresses of a client to the WLAN roaming center when the client leaves an AP. If the client fails to obtain a new address within the address recovery period after the roaming, it retrieves the old address from the WLAN roaming center for temporary network access.
After obtaining a new address, the client will update its address and use the new address to access the network.
Examples
# Enable IP address recovery for reassociated clients.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client ip-snooping ip-recover enable delay 5
Related commands
client ip-cache aging-time (WLAN Roaming Command Reference)
client ipv4-snooping arp-learning enable
Use client ipv4-snooping arp-learning enable to enable snooping ARP packets.
Use undo client ipv4-snooping arp-learning enable to disable snooping ARP packets.
Syntax
client ipv4-snooping arp-learning enable
undo client ipv4-snooping arp-learning enable
Default
Snooping ARP packets is enabled.
Views
Service template view
Predefined user roles
network-admin
Examples
# Disable snooping ARP packets.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] undo client ipv4-snooping arp-learning enable
client ipv4-snooping dhcp-learning enable
Use client ipv4-snooping dhcp-learning enable to enable snooping DHCPv4 packets.
Use undo client ipv4-snooping dhcp-learning enable to disable snooping DHCPv4 packets.
Syntax
client ipv4-snooping dhcp-learning enable
undo client ipv4-snooping dhcp-learning enable
Default
Snooping DHCPv4 packets is enabled.
Views
Service template view
Predefined user roles
network-admin
Examples
# Disable snooping DHCPv4 packets.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] undo client ipv4-snooping dhcp-learning enable
client ipv4-snooping dhcp-learning timeout
Use client ipv4-snooping dhcp-learning timeout to enable forced logoff of clients that fail to obtain an IPv4 address through DHCP within the specified timeout.
Use undo client ipv4-snooping dhcp-learning timeout to disable forced logoff of clients that fail to obtain an IPv4 address through DHCP.
Syntax
client ipv4-snooping dhcp-learning timeout value
undo client ipv4-snooping dhcp-learning timeout
Default
Forced logoff of clients that fail to obtain an IPv4 address through DHCP is disabled.
Views
Service template view
Predefined user roles
network-admin
Parameters
value: Specifies the timeout in the range of 1 to 600 seconds.
Usage guidelines
This command takes effect only on clients that come online from the AC after the command is executed.
Examples
# Enable forced logoff of clients that fail to obtain an IPv4 address through DHCP and set the timeout to 180 seconds.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] client ipv4-snooping dhcp-learning timeout 180
client ipv6-snooping dhcpv6-learning enable
Use client ipv6-snooping dhcpv6-learning enable to enable snooping DHCPv6 packets.
Use undo client ipv6-snooping dhcpv6-learning enable to disable snooping DHCPv6 packets.
Syntax
client ipv6-snooping dhcpv6-learning enable
undo client ipv6-snooping dhcpv6-learning enable
Default
Snooping DHCPv6 packets is disabled.
Views
Service template view
Predefined user roles
network-admin
Examples
# Enable snooping DHCPv6 packets.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] client ipv6-snooping dhcpv6-learning enable
client ipv6-snooping nd-learning enable
Use client ipv6-snooping nd-learning enable to enable snooping ND packets.
Use undo client ipv6-snooping nd-learning enable to disable snooping ND packets.
Syntax
client ipv6-snooping nd-learning enable
undo client ipv6-snooping nd-learning enable
Default
Snooping ND packets is disabled.
Views
Service template view
Predefined user roles
network-admin
Examples
# Disable snooping ND packets.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] undo client ipv6-snooping nd-learning enable
client ipv6-snooping { dhcpv6-learning | nd-learning }
Use client ipv6-snooping { dhcpv6-learning | nd-learning } to configure VLAN-based DHCPv6 or ND packet snooping.
Use undo client ipv6-snooping { dhcpv6-learning | nd-learning } to disable DHCPv6 or ND packet snooping for the specified VLANs.
Syntax
client ipv6-snooping { dhcpv6-learning | nd-learning } vlan vlan-id-list
undo client ipv6-snooping { dhcpv6-learning | nd-learning } [ vlan vlan-id-list ]
Default
VLAN-based DHCPv6 or ND packet snooping is not configured. DHCPv6 or ND packet snooping allows a radio to snoop DHCPv6 or ND packets in all VLANs.
Views
Service template view
Predefined user roles
network-admin
Parameters
dhcpv6-learning: Specifies DHCPv6 packet snooping.
nd-learning: Specifies ND packet snooping.
vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each item specifies a VLAN ID or a range of VLAN IDs in the form of vlan-id1 to vlan-id2. The value range for VLAN IDs is 1 to 4094. The value for the vlan-id2 argument cannot be lower than the value for the vlan-id1 argument. If you do not specify this argument in the undo client ipv6-snooping { dhcpv6-learning | nd-learning } command, the command allows IPv6 address learning by using the specified method in all VLANs.
Usage guidelines
This feature takes effect only when DHCPv6 or ND packet snooping is enabled.
You can perform this task multiple times to specify an IPv6 address learning method for different VLANs.
You can specify a maximum of 50 VLANs for an IPv6 address learning method.
If you change the address learning method for a VLAN, the device can learn the IP address of a client by using the new method when either of the following conditions is met:
· The previously learned IP address of the client ages out.
· The client comes online from another radio.
Examples
# Configure DHCPv6 packet snooping to take effect in VLANs 30 through 60.
<Sysname> system-view
[Sysname] wlan service-template 1
[Sysname-wlan-st-1] client ipv6-snooping dhcpv6-learning vlan 30 to 60
Related commands
client ipv6-snooping dhcpv6-learning enable
client ipv6-snooping nd-learning enable
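The vlan-id-list constraints for client ipv6-snooping { dhcpv6-learning | nd-learning } can be checked before a command is pushed to the AC. The following Python sketch is an added example, not H3C code; the function names are hypothetical, and it assumes the 50-VLAN limit is counted cumulatively across repeated commands for one learning method.

```python
MAX_ITEMS = 10   # page: up to 10 VLAN items per vlan-id-list
MAX_VLANS = 50   # page: at most 50 VLANs per IPv6 address learning method
VLAN_MIN, VLAN_MAX = 1, 4094

def _vlan_id(tok):
    """Convert one token to a VLAN ID in 1..4094 or raise ValueError."""
    if not (tok.isascii() and tok.isdigit()):
        raise ValueError(f"expected a VLAN ID, got {tok!r}")
    vid = int(tok)
    if not VLAN_MIN <= vid <= VLAN_MAX:
        raise ValueError(f"VLAN ID {vid} is outside {VLAN_MIN}-{VLAN_MAX}")
    return vid

def parse_vlan_id_list(text):
    """Return the set of VLAN IDs named by a vlan-id-list string."""
    tokens, items, i = text.split(), [], 0
    while i < len(tokens):
        lo = hi = _vlan_id(tokens[i])
        i += 1
        if i < len(tokens) and tokens[i] == "to":      # range item
            if i + 1 >= len(tokens):
                raise ValueError("'to' must be followed by vlan-id2")
            hi = _vlan_id(tokens[i + 1])
            i += 2
            if hi < lo:
                raise ValueError(f"vlan-id2 {hi} is lower than vlan-id1 {lo}")
        items.append((lo, hi))
    if not 1 <= len(items) <= MAX_ITEMS:
        raise ValueError(f"{len(items)} items; expected 1 to {MAX_ITEMS}")
    return {v for lo, hi in items for v in range(lo, hi + 1)}

def vlans_after_command(configured, vlan_id_list):
    """VLAN set for one learning method after applying another command.

    Assumption: the 50-VLAN limit is cumulative across repeated commands.
    """
    total = set(configured) | parse_vlan_id_list(vlan_id_list)
    if len(total) > MAX_VLANS:
        raise ValueError(f"{len(total)} VLANs for one method; limit {MAX_VLANS}")
    return total

if __name__ == "__main__":
    # The page's own example: "vlan 30 to 60" covers 31 VLANs.
    print(len(vlans_after_command(set(), "30 to 60")))
```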
client ipv6-snooping snmp-nd-report enable
Use client ipv6-snooping snmp-nd-report enable to enable SNMP to obtain client IPv6 addresses learned from ND packets.
Use undo client ipv6-snooping snmp-nd-report enable to disable SNMP from obtaining client IPv6 addresses learned from ND packets.
Syntax
client ipv6-snooping snmp-nd-report enable
undo client ipv6-snooping snmp-nd-report enable
Default
SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets.
Views
Service template view
Predefined user roles
Usage guidelines
Make sure the service template is disabled when you execute this command.
Examples
# Disable SNMP from obtaining client IPv6 addresses learned from ND packets.
<Sysname> system-view
[Sysname] wlan service-template service1
[Sysname-wlan-st-service1] undo client ipv6-snooping snmp-nd-report enable
display wlan statistics client-ip-conflict
Use display wlan statistics client-ip-conflict to display statistics about clients with conflicting IP addresses.
Syntax
display wlan statistics client-ip-conflict
Views
Any view
Predefined user roles
network-admin
network-operator
Examples
# Display statistics about clients with conflicting IP addresses.
<Sysname> display wlan statistics client-ip-conflict
IP            New-MAC/APID       Old-MAC/APID       Time
192.168.1.1   a4c1-5b79-fa5b/1   1111-e121-ff00/2   03-22 10:00:00
ff03::101     22d3-c5b7-a4b5/2   000d-88f8-0577/1   03-22 10:01:00
Table 1 Command output
Field | Description |
---|---|
IP | Conflict IP obtained by the client. |
New-MAC/APID | MAC address of the new client and the ID of the AP from which that client comes online. |
Old-MAC/APID | MAC address of the old client and the ID of the AP to which the client is associated. |
Time | Time when the client requested to add the IPCIM after it obtained a conflict IP address. |
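Because each conflict entry records a new client that caused an online client to be logged off, the output of display wlan statistics client-ip-conflict is worth summarizing per MAC address and per IP address. The following Python sketch is an added example, not H3C code; the function names and the threshold are assumptions, and the third and fourth sample rows are constructed.

```python
import re
from collections import defaultdict

# Rows 1-2 are the page's sample output; rows 3-4 are constructed for the demo.
SAMPLE = """\
<Sysname> display wlan statistics client-ip-conflict
IP New-MAC/APID Old-MAC/APID Time
192.168.1.1 a4c1-5b79-fa5b/1 1111-e121-ff00/2 03-22 10:00:00
ff03::101 22d3-c5b7-a4b5/2 000d-88f8-0577/1 03-22 10:01:00
192.168.1.7 a4c1-5b79-fa5b/1 0c2d-aa10-93e4/3 03-22 10:02:10
192.168.1.1 1111-e121-ff00/2 a4c1-5b79-fa5b/1 03-22 10:03:30
"""

MAC_AP = re.compile(r"([0-9a-f]{4}(?:-[0-9a-f]{4}){2})/(\d+)", re.I)

def parse_conflicts(output):
    """Return one dict per conflict row; prompt, header and junk are skipped."""
    rows = []
    for line in output.splitlines():
        f = line.split()
        if len(f) != 5:
            continue
        new, old = MAC_AP.fullmatch(f[1]), MAC_AP.fullmatch(f[2])
        if new and old:
            rows.append({"ip": f[0], "time": f"{f[3]} {f[4]}",
                         "new_mac": new[1].lower(), "new_ap": int(new[2]),
                         "old_mac": old[1].lower(), "old_ap": int(old[2])})
    return rows

def triage(rows, min_displaced=2):
    """Return (repeaters, contested).

    repeaters: new-client MACs that displaced >= min_displaced distinct clients.
    contested: IPs taken back and forth by the same pair of MACs.
    """
    displaced, pairs = defaultdict(set), defaultdict(set)
    for r in rows:
        displaced[r["new_mac"]].add(r["old_mac"])
        pairs[r["ip"]].add((r["new_mac"], r["old_mac"]))
    repeaters = {m: sorted(v) for m, v in displaced.items()
                 if len(v) >= min_displaced}
    contested = sorted(ip for ip, p in pairs.items()
                       if any((b, a) in p for a, b in p))
    return repeaters, contested

if __name__ == "__main__":
    print(triage(parse_conflicts(SAMPLE)))
```

A MAC address that appears under repeaters, or an IP address under contested, points at a duplicate static address, overlapping DHCP pools, or a client claiming addresses it was not assigned.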
wlan client ip-conflict-detection enable
Use wlan client ip-conflict-detection enable to enable IP address conflict detection.
Use undo wlan client ip-conflict-detection enable to disable IP address conflict detection.
Syntax
wlan client ip-conflict-detection enable
undo wlan client ip-conflict-detection enable
Default
IP address conflict detection is enabled.
Views
Service template view
Predefined user roles
network-admin
Usage guidelines
This feature enables the system to detect IP address conflicts between a client attempting to come online and online clients. The system logs off the online clients that use the same IP address as the new client and creates IP address conflict entries for the clients. The system deletes the IP address conflict entry for a client when the client cache expires or the client's IP address changes.
In an AC hierarchy network, you can disable IP address conflict detection on the central AC if portal authentication has been disabled or accounting has been disabled for 802.1X or MAC authentication clients. This allows clients from different local ACs to come online with the same IP address, simplifying DHCP configuration.
Examples
# Disable IP address conflict detection.
<Sysname> system-view
[Sysname] undo wlan client ip-conflict-detection enable
Related commands
client cache aging-time (WLAN Access Command Reference)