- Table of Contents
-
- 11-User Access and Authentication Configuration Guide
- 00-Preface
- 01-WLAN authentication configuration
- 02-WLAN IP snooping configuration
- 03-AAA configuration
- 04-802.1X configuration
- 05-802.1X client configuration
- 06-MAC authentication configuration
- 07-Port security configuration
- 08-Portal configuration
- Related Documents
-
Title | Size | Download |
---|---|---|
02-WLAN IP snooping configuration | 77.00 KB |
Contents
Disabling snooping ARP packets
Enabling snooping DHCPv4 packets
Enabling snooping DHCPv6 packets
Disabling SNMP from getting client IPv6 addresses learned from ND packets
WLAN IP snooping configuration examples
Example: Configuring WLAN IP snooping
Configuring WLAN IP snooping
About WLAN IP snooping
WLAN IP snooping enables an AP to learn clients' IP addresses through snooping ARP, DHCP, and ND packets and generate snooping entries that record client IP address, MAC address, and learning method. The entries will be used by AAA for 802.1X and MAC authentication client accounting.
Client IPv4 address learning
An AP learns client IPv4 addresses by using the following methods:
· Snooping ARP packets sent by clients.
For more information about ARP, see Network Connectivity Configuration Guide.
· Snooping DHCPv4 packets exchanged between client and server.
For more information about DHCP, see Network Connectivity Configuration Guide.
IP addresses learnt through snooping DHCPv4 packets have a higher priority than IP addresses learnt through snooping ARP packets.
Client IPv6 address learning
An AP learns client IPv6 addresses by using the following methods:
· Snooping DHCPv6 packets exchanged between client and server.
For more information about DHCPv6, see Network Connectivity Configuration Guide.
· Snooping ND packets, including Router Advertisement (RA) packets, Neighbor Solicitation (NS) packets, and Neighbor Advertisement (NA) packets sent by clients.
For more information about ND, see Network Connectivity Configuration Guide.
IP addresses learnt through snooping DHCPv6 packets have a higher priority than IP addresses learnt through ND packets.
Disabling snooping ARP packets
About this task
By default, an AP learns client IPv4 addresses by snooping ARP and DHCPv4 packets. Perform this task to disable client IPv4 address learning from ARP packets.
Procedure
1. Enter system view.
system-view
2. Create a service template and enter its view.
wlan service-template service-template-name
3. Disable snooping ARP packets.
undo client ipv4-snooping arp-learning enable
By default, snooping ARP packets is enabled.
Enabling snooping DHCPv4 packets
About this task
By default, an AP learns client IPv4 addresses by snooping ARP and DHCPv4 packets. Perform this task to enable snooping DHCPv4 packets and enable forced logoff of clients that fail to obtain an IPv4 address through DHCP within the specified timeout.
Procedure
1. Enter system view.
system-view
2. Create a service template and enter its view.
wlan service-template service-template-name
3. Enable snooping DHCPv4 packets.
undo client ipv4-snooping dhcp-learning enable
By default, snooping DHCPv4 packets is enabled.
4. (Optional.) Enable forced logoff of clients that fail to obtain an IPv4 address through DHCP.
client ipv4-snooping dhcp-learning timeout value
By default, forced logoff of clients that fail to obtain an IPv4 address through DHCP is disabled.
Enabling snooping DHCPv6 packets
About this task
By default, an AP does not learn client IPv6 addresses. Perform this task to enable client IPv6 address learning from DHCPv6 packets.
Procedure
1. Enter system view.
system-view
2. Create a service template and enter its view.
wlan service-template service-template-name
3. Enable snooping DHCPv6 packets.
client ipv6-snooping dhcpv6-learning enable
By default, snooping DHCPv6 packets is disabled.
Enabling snooping ND packets
About this task
By default, an AP does not learn client IPv6 addresses. Perform this task to enable client IPv6 address learning from ND packets.
Procedure
1. Enter system view.
system-view
2. Create a service template and enter its view.
wlan service-template service-template-name
3. Enable snooping ND packets.
client ipv6-snooping nd-learning enable
By default, snooping ND packets is disabled.
Disabling SNMP from getting client IPv6 addresses learned from ND packets
About this task
By default, SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets. Perform this task to enable SNMP to obtain only client IPv6 addresses learned from DHCPv6 packets.
Procedure
1. Enter system view.
system-view
2. Create a service template and enter its view.
wlan service-template service-template-name
3. Disable SNMP from getting client IPv6 addresses learned from ND packets.
undo client ipv6-snooping snmp-nd-report enable
By default, SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets.
WLAN IP snooping configuration examples
Example: Configuring WLAN IP snooping
Network configuration
As shown in Figure 1, configure the AP to learn the client's IP address only from DHCPv6 packets.
Procedure
# Configure wireless services. (Details not shown.)
For more information, see WLAN Access Configuration Guide.
# Disable snooping ND packets.
<AP> system-view
[AP] wlan service-template service
[AP-wlan-st-service] undo client ipv6-snooping nd-learning enable
# Enable snooping DHCPv6 packets.
[AP-wlan-st-service] client ipv6-snooping dhcpv6-learning enable
[AP-wlan-st-service] quit
Verifying the configuration
# Verify that the AP has learned the IPv6 address of the client.
[AP] display wlan client ipv6
MAC address AP name IPv6 address VLAN
84db-ac14-dd08 fatap 1::2:0:0:3 1