< Home

Configuring Strict STA IP Address Learning Through DHCP

Prerequisites

Before configuring strict STA IP address learning through DHCPv6, enable the IPSG or ND snooping function.

Context

When a STA associates with an AP, the following situation occurs after strict STA IP address learning through DHCP is enabled:
  • If the STA obtains an IP address through DHCP, the AP will automatically report the IP address to the AC. The STA IP address can be used to maintain the mapping entries between STA IP addresses and MAC addresses.
  • If the STA uses a static IP address, configure related parameters to control the association of the STA with the AP.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run wlan

    The WLAN view is displayed.

  3. Run vap-profile name profile-name

    The VAP profile view is displayed.

  4. undo learn-client-address { ipv4 | ipv6 } disable

    STA address learning is enabled.

    By default, STA address learning is enabled.

  5. Strict STA IP address learning through DHCP is enabled.

    • If the STA obtains an IPv4 address, run the learn-client-address dhcp-strict [ blacklist enable ] command to enable strict STA IP address learning through DHCP.

      By default, strict STA IP address learning through DHCP is disabled.

    • If the STA obtains an IPv6 address, run the learn-client-address dhcpv6-strict [ blacklist enable ] command to enable strict STA IPv6 address learning through DHCPv6.

      By default, strict STA IPv6 address learning through DHCPv6 is disabled.

    Run the learn-client-address dhcp-strict [ blacklist enable ] command to enable strict STA IP address learning through DHCP.

    If the STA uses a static IP address:
    • If blacklist enable is specified, the STA will be added to the dynamic blacklist of the AP and cannot associate with the AP before the blacklist entry ages.
    • If blacklist enable is not specified, the STA can associate with the AP and the AP does not learn the STA IP address. In this case, enable IPSG to prevent communication through bogus IP addresses.

    • If strict STA IP address learning is disabled, you can manually configure static IP addresses. If a STA obtains an IP address dynamically using DHCP, goes online, and then statically modifies its IP address, the administrator cannot check the IP address change of this STA.

    • After strict STA IP address learning through DHCP is enabled, if the AC has learned the STA IP address through DHCP or statically, the STA using a bogus IP address will not be added to the blacklist. In this case, enable IPSG to prevent services from the bogus IP address from running.

    • After strict STA IP address learning is enabled, it is recommended that you run the ip source check user-bind enable and arp anti-attack check user-bind enable commands to enable IP source guard and dynamic ARP inspection so that STAs cannot communicate with the network before obtaining an IP address through DHCP.

    • A STA is added to the blacklist 2 minutes after going online.

Parent Topic: Configuring WLAN Security
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
Next topic >