12-User Access and Authentication Command Reference


WLAN IP snooping commands

client ip-snooping acl

Use client ip-snooping acl to enable ACL-based learning of endpoint IP addresses.

Use undo client ip-snooping acl to restore the default.

Syntax

client ip-snooping acl acl-number

undo client ip-snooping acl

Default

ACL-based learning of endpoint IP addresses is disabled.

Views

Service template view

Predefined user roles

network-admin

Parameters

acl-number: Specifies a basic ACL by its number. The value range for this argument is 2000 to 2999.

Usage guidelines

CAUTION:

After you configure a deny rule in the ACL to reject learning specific endpoint IP addresses, you must configure a permit rule following the deny rule. The permit rule must allow learning all endpoint IP addresses. Otherwise, the device cannot learn any endpoint IP addresses.

After connecting to a wireless network, a wireless endpoint will carry vendor information and an IP address obtained from that wireless network. If the endpoint accesses another vendor's network or another network later, the device on the new network might learn an incorrect IP address from the endpoint. To resolve this issue, enable ACL-based learning of endpoint IP addresses. This feature enables the device to learn IP addresses of new endpoints based on rules of the specified ACL.

When a wireless endpoint connects to a wireless network, the device performs the following tasks:

1.     Matches the IP address of that wireless endpoint against the specified ACL.

2.     Determines whether to learn the endpoint IP address based on the match result as follows:

○     If the endpoint IP address matches a permit rule in the ACL, the device will learn the endpoint IP address.

○     If the endpoint IP address matches a deny rule or cannot match any rule in the ACL, the device will not learn the endpoint IP address.

This feature takes effect only if snooping ARP or ND packets is enabled.

If you execute this command multiple times, only the most recent configuration takes effect.
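
The learning decision and the CAUTION above can be checked offline before an ACL is bound to a service template. The following is an added example, not H3C code: the function names are hypothetical, the sample rules are constructed, and it assumes IPv4 basic-ACL rules written as `rule <id> {permit|deny} [source <address> <wildcard>]` with contiguous wildcards, evaluated in ascending rule-ID order with the first match deciding.

```python
import ipaddress
import re

# Constructed sample ACLs in Comware-style basic ACL syntax (not from the page).
ACL_DENY_ONLY = "rule 0 deny source 169.254.0.0 0.0.255.255\n"
ACL_FIXED = ACL_DENY_ONLY + "rule 5 permit\n"

RULE_RE = re.compile(
    r"^rule\s+(\d+)\s+(permit|deny)(?:\s+source\s+(\S+)\s+(\S+))?$")
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_acl(text):
    """Return [(rule_id, action, network)] in ascending rule-ID order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rule_id, action, addr, wildcard = m.groups()
        # ipaddress accepts a contiguous wildcard (host mask) after the slash;
        # a rule with no source clause matches every address.
        net = ipaddress.ip_network(f"{addr}/{wildcard}") if addr else ANY
        rules.append((int(rule_id), action, net))
    return sorted(rules, key=lambda r: r[0])


def learns(rules, ip):
    """Permit match: learn. Deny match or no match: do not learn."""
    addr = ipaddress.ip_address(ip)
    for _, action, net in rules:  # assumption: first matching rule decides
        if addr in net:
            return action == "permit"
    return False


def missing_permit_all(rules):
    """True if a deny rule exists with no permit-all rule after it."""
    deny_ids = [rid for rid, action, _ in rules if action == "deny"]
    if not deny_ids:
        return False
    return not any(action == "permit" and net == ANY and rid > max(deny_ids)
                   for rid, action, net in rules)


if __name__ == "__main__":
    for name, acl in (("deny only", ACL_DENY_ONLY), ("fixed", ACL_FIXED)):
        rules = parse_acl(acl)
        print(name, learns(rules, "192.168.1.10"), missing_permit_all(rules))
```

With the deny-only ACL no endpoint address is learned, which is the failure the CAUTION describes; adding the trailing permit rule restores learning for every address outside the denied range.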

Examples

# Enable ACL-based learning of endpoint IP addresses.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] client ip-snooping acl 2000

client ipv4-snooping arp-learning enable

Use client ipv4-snooping arp-learning enable to enable snooping ARP packets.

Use undo client ipv4-snooping arp-learning enable to disable snooping ARP packets.

Syntax

client ipv4-snooping arp-learning enable

undo client ipv4-snooping arp-learning enable

Default

Snooping ARP packets is enabled.

Views

Service template view

Predefined user roles

network-admin

Examples

# Disable snooping ARP packets.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] undo client ipv4-snooping arp-learning enable

client ipv4-snooping dhcp-learning enable

Use client ipv4-snooping dhcp-learning enable to enable snooping DHCPv4 packets.

Use undo client ipv4-snooping dhcp-learning enable to disable snooping DHCPv4 packets.

Syntax

client ipv4-snooping dhcp-learning enable

undo client ipv4-snooping dhcp-learning enable

Default

Snooping DHCPv4 packets is enabled.

Views

Service template view

Predefined user roles

network-admin

Examples

# Disable snooping DHCPv4 packets.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] undo client ipv4-snooping dhcp-learning enable

client ipv4-snooping dhcp-learning timeout

Use client ipv4-snooping dhcp-learning timeout to set the timeout for IPv4 address learning through DHCP.

Use undo client ipv4-snooping dhcp-learning timeout to restore the default.

Syntax

client ipv4-snooping dhcp-learning timeout time

undo client ipv4-snooping dhcp-learning timeout

Default

The timeout is 0 and the system does not log off clients that fail to obtain an IPv4 address through DHCP.

Views

Service template view

Predefined user roles

network-admin

Parameters

time: Specifies the timeout in the range of 1 to 600 seconds.

Usage guidelines

With the timeout set, the system logs off clients that fail to obtain an IPv4 address through DHCP within the specified period.

Make sure the service template is enabled before you execute this command.

This configuration takes effect only on clients coming online afterwards from the AC.

Examples

# Set the timeout to 180 seconds for IPv4 address learning through DHCP.

<Sysname> system-view

[Sysname] wlan service-template 1

[Sysname-wlan-st-1] client ipv4-snooping dhcp-learning timeout 180

client ipv6-snooping dhcpv6-learning enable

Use client ipv6-snooping dhcpv6-learning enable to enable snooping DHCPv6 packets.

Use undo client ipv6-snooping dhcpv6-learning enable to disable snooping DHCPv6 packets.

Syntax

client ipv6-snooping dhcpv6-learning enable

undo client ipv6-snooping dhcpv6-learning enable

Default

Snooping DHCPv6 packets is enabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

With this feature enabled, the device learns the client IPv6 addresses through DHCPv6 and records the learned client IPv6 addresses and the client MAC addresses as WLAN IP Snooping binding entries. These binding entries are primarily used for 802.1X authentication and MAC authentication accounting functions.

Examples

# Disable snooping DHCPv6 packets.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] undo client ipv6-snooping dhcpv6-learning enable

client ipv6-snooping nd-learning enable

Use client ipv6-snooping nd-learning enable to enable snooping ND packets.

Use undo client ipv6-snooping nd-learning enable to disable snooping ND packets.

Syntax

client ipv6-snooping nd-learning enable

undo client ipv6-snooping nd-learning enable

Default

Snooping ND packets is enabled.

Views

Service template view

Predefined user roles

network-admin

Usage guidelines

With this feature enabled, the device learns the client IPv6 addresses through ND and records the learned client IPv6 addresses and the client MAC addresses as WLAN IP Snooping binding entries. These binding entries are primarily used for 802.1X authentication and MAC authentication accounting functions.

Examples

# Disable snooping ND packets.

<Sysname> system-view

[Sysname] wlan service-template service1

[Sysname-wlan-st-service1] undo client ipv6-snooping nd-learning enable

display wlan statistics client-ip-conflict

Use display wlan statistics client-ip-conflict to display statistics about clients with conflicting IP addresses.

Syntax

display wlan statistics client-ip-conflict

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display statistics about clients with conflicting IP addresses.

<Sysname> display wlan statistics client-ip-conflict

IP             New-MAC/APID             Old-MAC/APID     Time

192.168.1.1    a4c1-5b79-fa5b/1     1111-e121-ff00/2     03-22 10:00:00

ff03::101      22d3-c5b7-a4b5/2     000d-88f8-0577/1     03-22 10:01:00

Table 1 Command output

Field           Description
IP              Conflicting IP address obtained by the client.
New-MAC/APID    MAC address of the new client and the ID of the AP from which that client comes online.
Old-MAC/APID    MAC address of the old client and the ID of the AP to which the client is associated.
Time            Time when the client requested to add the IPCIM after it obtained a conflicting IP address.
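
To review conflict entries outside the CLI, the output can be parsed into structured records. The following is an added example, not H3C code: the function names are hypothetical, the column layout is taken from the sample output above, and `repeat_claimants` is an assumed triage step that lists MAC addresses appearing as the new client in several conflicts.

```python
import ipaddress
import re
from collections import Counter

# Sample rows copied from the Examples section of this command.
SAMPLE = """\
IP             New-MAC/APID             Old-MAC/APID     Time
192.168.1.1    a4c1-5b79-fa5b/1     1111-e121-ff00/2     03-22 10:00:00
ff03::101      22d3-c5b7-a4b5/2     000d-88f8-0577/1     03-22 10:01:00
"""

MAC_AP = r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})/(\d+)"
ROW_RE = re.compile(
    rf"^(\S+)\s+{MAC_AP}\s+{MAC_AP}\s+(\d\d-\d\d \d\d:\d\d:\d\d)$", re.I)


def parse_conflicts(text):
    """Turn the display output into a list of dicts, one per conflict row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line, blank line, or unrelated output
        ip, new_mac, new_ap, old_mac, old_ap, when = m.groups()
        try:
            ip = str(ipaddress.ip_address(ip))  # accepts IPv4 and IPv6
        except ValueError:
            continue
        rows.append({
            "ip": ip,
            "new_mac": new_mac.lower(), "new_ap": int(new_ap),
            "old_mac": old_mac.lower(), "old_ap": int(old_ap),
            "time": when,
        })
    return rows


def repeat_claimants(rows, threshold=2):
    """MACs seen as the new client in at least `threshold` conflict rows."""
    counts = Counter(r["new_mac"] for r in rows)
    return sorted(mac for mac, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for row in parse_conflicts(SAMPLE):
        print(row)
```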

 
