11-User Access and Authentication Configuration Guide

HomeSupportResource CenterH3C Access Points Cloud Mode Configuration Guides(E2442 R2442)-6W10011-User Access and Authentication Configuration Guide
02-WLAN IP snooping configuration
Title Size Download
02-WLAN IP snooping configuration 77.00 KB

Configuring WLAN IP snooping

About WLAN IP snooping

WLAN IP snooping enables an AP to learn clients' IP addresses through snooping ARP, DHCP, and ND packets and generate snooping entries that record client IP address, MAC address, and learning method. The entries will be used by AAA for 802.1X and MAC authentication client accounting.

Client IPv4 address learning

An AP learns client IPv4 addresses by using the following methods:

·     Snooping ARP packets sent by clients.

For more information about ARP, see Network Connectivity Configuration Guide.

·     Snooping DHCPv4 packets exchanged between client and server.

For more information about DHCP, see Network Connectivity Configuration Guide.

IP addresses learnt through snooping DHCPv4 packets have a higher priority than IP addresses learnt through snooping ARP packets.

Client IPv6 address learning

An AP learns client IPv6 addresses by using the following methods:

·     Snooping DHCPv6 packets exchanged between client and server.

For more information about DHCPv6, see Network Connectivity Configuration Guide.

·     Snooping ND packets, including Router Advertisement (RA) packets, Neighbor Solicitation (NS) packets, and Neighbor Advertisement (NA) packets sent by clients.

For more information about ND, see Network Connectivity Configuration Guide.

IP addresses learnt through snooping DHCPv6 packets have a higher priority than IP addresses learnt through ND packets.

Disabling snooping ARP packets

About this task

By default, an AP learns client IPv4 addresses by snooping ARP and DHCPv4 packets. Perform this task to disable client IPv4 address learning from ARP packets.

Procedure

1.     Enter system view.

system-view

2.     Create a service template and enter its view.

wlan service-template service-template-name

3.     Disable snooping ARP packets.

undo client ipv4-snooping arp-learning enable

By default, snooping ARP packets is enabled.

Enabling snooping DHCPv4 packets

About this task

By default, an AP learns client IPv4 addresses by snooping ARP and DHCPv4 packets. Perform this task to enable snooping DHCPv4 packets and enable forced logoff of clients that fail to obtain an IPv4 address through DHCP within the specified timeout.

Procedure

1.     Enter system view.

system-view

2.     Create a service template and enter its view.

wlan service-template service-template-name

3.     Enable snooping DHCPv4 packets.

undo client ipv4-snooping dhcp-learning enable

By default, snooping DHCPv4 packets is enabled.

4.     (Optional.) Enable forced logoff of clients that fail to obtain an IPv4 address through DHCP.

client ipv4-snooping dhcp-learning timeout value

By default, forced logoff of clients that fail to obtain an IPv4 address through DHCP is disabled.

Enabling snooping DHCPv6 packets

About this task

By default, an AP does not learn client IPv6 addresses. Perform this task to enable client IPv6 address learning from DHCPv6 packets.

Procedure

1.     Enter system view.

system-view

2.     Create a service template and enter its view.

wlan service-template service-template-name

3.     Enable snooping DHCPv6 packets.

client ipv6-snooping dhcpv6-learning enable

By default, snooping DHCPv6 packets is disabled.

Enabling snooping ND packets

About this task

By default, an AP does not learn client IPv6 addresses. Perform this task to enable client IPv6 address learning from ND packets.

Procedure

1.     Enter system view.

system-view

2.     Create a service template and enter its view.

wlan service-template service-template-name

3.     Enable snooping ND packets.

client ipv6-snooping nd-learning enable

By default, snooping ND packets is disabled.

Disabling SNMP from getting client IPv6 addresses learned from ND packets

About this task

By default, SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets. Perform this task to enable SNMP to obtain only client IPv6 addresses learned from DHCPv6 packets.

Procedure

1.     Enter system view.

system-view

2.     Create a service template and enter its view.

wlan service-template service-template-name

3.     Disable SNMP from getting client IPv6 addresses learned from ND packets.

undo client ipv6-snooping snmp-nd-report enable

By default, SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets.

WLAN IP snooping configuration examples

Example: Configuring WLAN IP snooping

Network configuration

As shown in Figure 1, configure the AP to learn the client's IP address only from DHCPv6 packets.

Figure 1 Network diagram

Procedure

# Configure wireless services. (Details not shown.)

For more information, see WLAN Access Configuration Guide.

# Disable snooping ND packets.

<AP> system-view

[AP] wlan service-template service

[AP-wlan-st-service] undo client ipv6-snooping nd-learning enable

# Enable snooping DHCPv6 packets.

[AP-wlan-st-service] client ipv6-snooping dhcpv6-learning enable

[AP-wlan-st-service] quit

Verifying the configuration

# Verify that the AP has learned the IPv6 address of the client.

[AP] display wlan client ipv6

MAC address    AP name              IPv6 address                            VLAN

84db-ac14-dd08 fatap                1::2:0:0:3                              1