15-WLAN Configuration Guide (AC)

HomeSupportConfigure & DeployConfiguration GuidesH3C MSR810[2600][3600] Routers Configuration Guides(V7)-R0809-6W40015-WLAN Configuration Guide (AC)
16-WLAN IP snooping configuration
Title Size Download
16-WLAN IP snooping configuration 82.04 KB

Configuring WLAN IP snooping

About WLAN IP snooping

WLAN IP snooping enables an AP to learn clients' IP addresses through snooping ARP, DHCP, ND, and HTTP/HTTPS packets and generate snooping entries that record client IP address, MAC address, and learning method. The entries will be used by AAA for 802.1X and MAC authentication client accounting or by IP Source Guard to determine whether to forward client packets. For more information about IP Source Guard, see Security Configuration Guide.

 

 

NOTE:

·     The term "AC" in this document refers to MSR routers that can function as ACs. For information about routers that can function as ACs, see "Compatibility of MSR routers and AC functionality."

·     In an AP+AC network, APs report snooping entries to the AC.

Client IPv4 address learning

An AP learns client IPv4 addresses by using the following methods:

·     Snooping ARP packets sent by clients.

For more information about ARP, see Layer 3IP Services Configuration Guide.

·     Snooping DHCPv4 packets exchanged between client and server.

For more information about DHCP, see Layer 3IP Services Configuration Guide.

·     Snooping HTTP/HTTPS requests redirected to the portal server.

For more information about portal authentication, see Security Configuration Guide.

The priorities for learning IP addresses through snooping DHCPv4 packets, ARP packets, and HTTP/HTTPS requests are in descending order.

Client IPv6 address learning

An AP learns client IPv6 addresses by using the following methods:

·     Snooping DHCPv6 packets exchanged between client and server.

For more information about DHCPv6, see Layer 3IP Services Configuration Guide.

·     Snooping ND packets, including Router Advertisement (RA) packets, Neighbor Solicitation (NS) packets, and Neighbor Advertisement (NA) packets sent by clients.

For more information about ND, see Layer 3—IP Services Configuration Guide.

·     Snooping HTTP/HTTPS requests redirected to the portal server.

The priorities for learning IPv6 addresses through snooping DHCPv6 packets, ND packets, and HTTP/HTTPS requests are in descending order.

Restrictions: Hardware compatibility with WLAN IP snooping

For information about MSR routers that can function as ACs, see "Compatibility of hardware and AC functionality."

Disabling snooping ARP packets

About this task

By default, an AP learns client IPv4 addresses by snooping ARP and DHCPv4 packets. Perform this task to disable client IPv4 address learning from ARP packets.

Procedure

1.     Enter system view.

system-view

2.     Create a service template and enter its view.

wlan service-template service-template-name

3.     Disable snooping ARP packets.

undo client ipv4-snooping arp-learning enable

By default, snooping ARP packets is enabled.

Disabling snooping DHCPv4 packets

About this task

By default, an AP learns client IPv4 addresses by snooping ARP and DHCPv4 packets. Perform this task to disable client IPv4 address learning from DHCPv4 packets.

Procedure

1.     Enter system view.

system-view

2.     Create a service template and enter its view.

wlan service-template service-template-name

3.     Disable snooping DHCPv4 packets.

undo client ipv4-snooping dhcp-learning enable

By default, snooping DHCPv4 packets is enabled.

Enabling snooping DHCPv6 packets

About this task

By default, an AP does not learn client IPv6 addresses. Perform this task to enable client IPv6 address learning from DHCPv6 packets.

Procedure

1.     Enter system view.

system-view

2.     Create a service template and enter its view.

wlan service-template service-template-name

3.     Enable snooping DHCPv6 packets.

client ipv6-snooping dhcpv6-learning enable

By default, snooping DHCPv6 packets is disabled.

Enabling snooping ND packets

About this task

By default, an AP does not learn client IPv6 addresses. Perform this task to enable client IPv6 address learning from ND packets.

Procedure

1.     Enter system view.

system-view

2.     Create a service template and enter its view.

wlan service-template service-template-name

3.     Enable snooping ND packets.

client ipv6-snooping nd-learning enable

By default, snooping ND packets is disabled.

Disabling SNMP from getting client IPv6 addresses learned from ND packets

About this task

By default, SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets. Perform this task to enable SNMP to obtain only client IPv6 addresses learned from DHCPv6 packets.

Procedure

1.     Enter system view.

system-view

2.     Create a service template and enter its view.

wlan service-template service-template-name

3.     Disable SNMP from getting client IPv6 addresses learned from ND packets.

undo client ipv6-snooping snmp-nd-report enable

By default, SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets.

Enabling snooping HTTP and HTTPS requests redirected to the portal server

About this task

Before a client passes portal authentication, all of its HTTP and HTTPS requests are redirected to the portal server. Perform this task to enable snooping of redirected HTTP and HTTPS requests for the AC to learn client IPv4 addresses.

For more information about portal authentication, see Security Configuration Guide.

Restrictions and guidelines

This feature can only be used to learn IP addresses of portal-authenticated clients.

Procedure

1.     Enter system view.

system-view

2.     Create a service template and enter its view.

wlan service-template service-template-name

3.     Enable snooping HTTP and HTTPS requests redirected to the portal server.

client ip-snooping http-learning enable

By default, snooping HTTP and HTTPS requests is disabled.

WLAN IP snooping configuration examples

Example: Configuring WLAN IP snooping

Network configuration

As shown in Figure 1, configure the AP to learn the client's IPv6 address from DHCPv6 packets.

Figure 1 Network diagram

Procedure

# Configure wireless services. (Details not shown.)

For more information, see "Managing APs" and "Configuring WLAN access."

# Enable snooping DHCPv6 packets.

<AC> system-view

[AC] wlan service-template service

[AC-wlan-st-service] client ipv6-snooping dhcpv6-learning enable

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become a Partner
  • Partner Resources
  • Partner Business Management
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网