sta arp-nd-proxy before-assoc

Function

The sta arp-nd-proxy before-assoc command enables an AP to send ARP/ND proxy packets for a STA before the STA is successfully associated.

The undo sta arp-nd-proxy before-assoc command disables an AP from sending ARP/ND proxy packets for a STA before the STA is successfully associated.

By default, an AP does not send ARP/ND proxy packets for a STA before the STA is successfully associated.

Format

sta arp-nd-proxy before-assoc

undo sta arp-nd-proxy before-assoc

Parameters

None

Views

AP system profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an AP is enabled to send ARP/ND proxy packets for a STA before the STA succeeds in authentication or key negotiation, the Layer 2 switch connected to the AP will learn the MAC address of the STA. If an attack floods thousands of STA MAC addresses, the MAC address table on the switch will be seriously corrupted, bringing security risks. To avoid this issue, you can run the undo sta arp-nd-proxy before-assoc command to configure the AP to send ARP/ND proxy packets for a STA after the STA succeeds in authentication or key negotiation.

In scenarios with low security requirements, you can run the sta arp-nd-proxy before-assoc command to configure the AP to send ARP/ND proxy packets for a STA before the STA is successfully associated to improve link update efficiency.

Precautions

After the undo sta arp-nd-proxy before-assoc command is run on an AP, the AP does not send ARP/ND proxy packets for a STA that goes online in open or WEP mode.

Example

# Configure an AP to send ARP/ND proxy packets for a STA before the STA is successfully associated.

<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ap-system-profile name ap-system1
[HUAWEI-wlan-ap-system-prof-ap-system1] sta arp-nd-proxy before-assoc