Login
- Table of Contents
-
- 03-WLAN Configuration Guides
- 00-Preface
- 01-AP management configuration
- 02-Radio management configuration
- 03-WLAN access configuration
- 04-WLAN security configuration
- 05-WLAN authentication configuration
- 06-WIPS configuration
- 07-WLAN QoS configuration
- 08-WLAN roaming configuration
- 09-WLAN load balancing configuration
- 10-WLAN radio resource measurement configuration
- 11-Channel scanning configuration
- 12-Band navigation configuration
- 13-WLAN high availability configuration
- 14-Wireless location configuration
- 15-AC hierarchy configuration
- 16-IoT AP configuration
- 17-WLAN probe configuration
- 18-Spectrum management configuration
- 19-WLAN optimization configuration
- 20-WLAN RRM configuration
- 21-WLAN IP snooping configuration
- 22-WLAN radio load balancing configuration
- 23-802.1X client configuration
- 24-IP source guard configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 21-WLAN IP snooping configuration | 113.52 KB |
Contents
Disabling snooping ARP packets
Enabling snooping DHCPv4 packets
Enabling snooping DHCPv6 packets
Configuring VLAN-based DHCPv6 or ND packet snooping
Disabling SNMP from getting client IPv6 addresses learned from ND packets
Enabling snooping HTTP and HTTPS requests redirected to the portal server
Enabling IP address conflict detection
Enabling IP address recovery for reassociated clients
Display and maintenance commands for WLAN IP snooping
WLAN IP snooping configuration examples
Example: Configuring WLAN IP snooping
Configuring WLAN IP snooping
About WLAN IP snooping
WLAN IP snooping enables an AP to learn clients' IP addresses through snooping ARP, DHCP, ND, and HTTP/HTTPS packets and generate snooping entries that record client IP address, MAC address, and learning method. The entries will be used by AAA for 802.1X and MAC authentication client accounting or by IP Source Guard to determine whether to forward client packets. For more information about IP Source Guard, see Security Configuration Guide.
In an AP+AC network, APs report snooping entries to the AC.
Client IPv4 address learning
An AP learns client IPv4 addresses by using the following methods:
· Snooping ARP packets sent by clients.
For more information about ARP, see Layer 3—IP Services Configuration Guide for the switch.
· Snooping DHCPv4 packets exchanged between client and server.
For more information about DHCP, see Layer 3—IP Services Configuration Guide for the switch.
· Snooping HTTP/HTTPS requests redirected to the portal server.
For more information about portal authentication, see Security Configuration Guide for the switch.
The priorities for learning IP addresses through snooping DHCPv4 packets, ARP packets, and HTTP/HTTPS requests are in descending order.
Client IPv6 address learning
An AP learns client IPv6 addresses by using the following methods:
· Snooping DHCPv6 packets exchanged between client and server.
For more information about DHCPv6, see Layer 3—IP Services Configuration Guide for the switch.
· Snooping ND packets, including Router Advertisement (RA) packets, Neighbor Solicitation (NS) packets, and Neighbor Advertisement (NA) packets sent by clients.
For more information about ND, see Layer 3—IP Services Configuration Guide for the switch.
· Snooping HTTP/HTTPS requests redirected to the portal server.
The priorities for learning IPv6 addresses through snooping DHCPv6 packets, ND packets, and HTTP/HTTPS requests are in descending order.
Disabling snooping ARP packets
About this task
By default, an AP learns client IPv4 addresses by snooping ARP and DHCPv4 packets. Perform this task to disable client IPv4 address learning from ARP packets.
Procedure
1. Enter system view.
system-view
2. Create a service template and enter its view.
wlan service-template service-template-name
3. Disable snooping ARP packets.
undo client ipv4-snooping arp-learning enable
By default, snooping ARP packets is enabled.
Enabling snooping DHCPv4 packets
About this task
By default, an AP learns client IPv4 addresses by snooping ARP and DHCPv4 packets. Perform this task to enable snooping DHCPv4 packets and enable forced logoff of clients that fail to obtain an IPv4 address through DHCP within the specified timeout.
Restrictions and guidelines
The forced client logoff configuration takes effect only on clients that come online from the AC afterwards.
Procedure
1. Enter system view.
system-view
2. Create a service template and enter its view.
wlan service-template service-template-name
3. Enable snooping DHCPv4 packets.
undo client ipv4-snooping dhcp-learning enable
By default, snooping DHCPv4 packets is enabled.
4. (Optional.) Enable forced logoff of clients that fail to obtain an IPv4 address through DHCP.
client ipv4-snooping dhcp-learning timeout value
By default, forced logoff of clients that fail to obtain an IPv4 address through DHCP is disabled.
Enabling snooping DHCPv6 packets
About this task
By default, an AP does not learn client IPv6 addresses. Perform this task to enable client IPv6 address learning from DHCPv6 packets.
Procedure
1. Enter system view.
system-view
2. Create a service template and enter its view.
wlan service-template service-template-name
3. Enable snooping DHCPv6 packets.
client ipv6-snooping dhcpv6-learning enable
By default, snooping DHCPv6 packets is disabled.
Configuring VLAN-based DHCPv6 or ND packet snooping
About this task
By default, DHCPv6 or ND packet snooping allows a radio to snoop DHCPv6 or ND packets in all VLANs. You can perform this task to specify the VLANs on which DHCPv6 or ND packet snooping takes effect.
Restrictions and guidelines
VLAN-based DHCPv6 or ND packet snooping takes effect only when DHCPv6 or ND packet snooping is enabled.
You can perform this task multiple times to specify an IPv6 address learning method for different VLANs.
You can specify a maximum of 50 VLANs for an IPv6 address learning method.
If you change the address learning method for a VLAN, the device can learn the IP address of a client by using the new method when either of the following conditions is met:
· The previously learned IP address of the client ages out.
· The client comes online from another radio.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Configure VLAN-based DHCPv6 or ND packet snooping.
client ipv6-snooping { dhcpv6-learning | nd-learning } vlan vlan-id-list
By default, VLAN-based DHCPv6 or ND packet snooping is not configured. DHCPv6 or ND packets snooping allows a radio to snoop DHCPv6 or ND packets in all VLANs.
Enabling snooping ND packets
About this task
By default, an AP does not learn client IPv6 addresses. Perform this task to enable client IPv6 address learning from ND packets.
Procedure
1. Enter system view.
system-view
2. Create a service template and enter its view.
wlan service-template service-template-name
3. Enable snooping ND packets.
client ipv6-snooping nd-learning enable
By default, snooping ND packets is disabled.
Disabling SNMP from getting client IPv6 addresses learned from ND packets
About this task
By default, SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets. Perform this task to enable SNMP to obtain only client IPv6 addresses learned from DHCPv6 packets.
Procedure
1. Enter system view.
system-view
2. Create a service template and enter its view.
wlan service-template service-template-name
3. Disable SNMP from getting client IPv6 addresses learned from ND packets.
undo client ipv6-snooping snmp-nd-report enable
By default, SNMP obtains client IPv6 addresses learned from both DHCPv6 and ND packets.
Enabling snooping HTTP and HTTPS requests redirected to the portal server
About this task
Before a client passes portal authentication, all of its HTTP and HTTPS requests are redirected to the portal server. Perform this task to enable snooping of redirected HTTP and HTTPS requests for the AC to learn client IPv4 addresses.
For more information about portal authentication, see Security Configuration Guide for the switch.
Restrictions and guidelines
This feature can only be used to learn IP addresses of portal-authenticated clients.
Procedure
1. Enter system view.
system-view
2. Create a service template and enter its view.
wlan service-template service-template-name
3. Enable snooping HTTP and HTTPS requests redirected to the portal server.
client ip-snooping http-learning enable
By default, snooping HTTP and HTTPS requests is disabled.
Enabling IP address conflict detection
About this task
This feature enables the system to detect IP address conflicts between a client attempting to come online and online clients. The system logs off the online clients that use the same IP address as the new client and creates IP address conflict entries for the clients. The system deletes the IP address conflict entry for a client when the client cache expires or the client's IP address changes.
In an AC hierarchy network, you can disable IP address conflict detection on the central AC if portal authentication has been disabled or accounting has been disabled for 802.1X or MAC authentication clients. This allows clients from different local ACs to come online with the same IP address, simplifying DHCP configuration.
Procedure
1. Enter system view.
system-view
2. Enable IP address conflict detection.
wlan client ip-conflict-detection enable
By default, IP address conflict detection is enabled.
Enabling IP address recovery for reassociated clients
About this task
After a roaming, clients might fail to obtain new IP addresses through DHCP, DHCPv6, or ND for a long time, because the previously obtained addresses have not expired. If IP source guard is enabled, data packets from such clients will be discarded. To resolve the issue, you can enable IP address recovery for reassociated clients.
With this feature enabled, the AC reports the IP and MAC addresses of a client to the WLAN roaming center when the client leaves an AP. If the client fails to obtain a new address within the address recovery period after the roaming, it retrieves the old address from the WLAN roaming center for temporary network access.
After obtaining a new address, the client will update its address and use the new address to access the network.
Restrictions and guidelines
This feature takes effect only on clients association of which is performed at the AC.
Procedure
1. Enter system view.
system-view
2. Enter service template view.
wlan service-template service-template-name
3. Enable IP address recovery for reassociated clients.
client ip-snooping ip-recover enable [ delay time ]
By default, IP address recovery is disabled for reassociated clients.
Display and maintenance commands for WLAN IP snooping
Execute the display command in any view.
|
Task |
Command |
|
Display statistics about clients with conflict IP addresses. |
display wlan statistics client-ip-conflict |
WLAN IP snooping configuration examples
Example: Configuring WLAN IP snooping
Network configuration
As shown in Figure 1, configure the AP to learn the client's IPv6 address from DHCPv6 packets.
Procedure
# Configure wireless services. (Details not shown.)
For more information, see AP management and WLAN access configuration in the configuration guide.
# Enable snooping DHCPv6 packets.
<AC> system-view
[AC] wlan service-template service
[AC-wlan-st-service] client ipv6-snooping dhcpv6-learning enable
[AC-wlan-st-service] quit
Verifying the configuration
# Verify that the AC has learned the IPv6 address of the client.
[AC] display wlan client ipv6
MAC address AP name IPv6 address VLAN
84db-ac14-dd08 ap1 1::2:0:0:3 1
