The dhcp session-mismatch action offline command triggers online users whose physical location information changes but whose MAC addresses stay unchanged to go offline when these users resend DHCP requests.
The undo dhcp session-mismatch command restores the default configuration.
The dhcp session-mismatch action roam command configures an interface to update VLAN and interface information based on the DHCPv4 Discover or Request messages or DHCPv6 Solicit messages or ND RS messages sent by online users when the users roam to another AP.
The undo dhcp session-mismatch action roam command restores the default configuration.
By default, online users whose physical location information changes but whose MAC addresses stay unchanged are not triggered to go offline when these users resend DHCP or ND requests. An interface does not update VLAN and interface information based on the DHCPv4 Discover or Request messages, DHCPv6 Solicit messages, or ND RS messages sent by online users when the users roam to another AP.
This command is supported only on the NetEngine 8000 F1A.
Parameter | Description | Value |
---|---|---|
action | The action to take when a session mismatch occurs. | - |
offline | Logs out online users so that they go offline. | - |
ipv4 | Allows an interface to update VLAN and interface information based on the DHCPv4 Discover or Request messages sent by online users when the users roam to another AP. | - |
ipv6 | Allows an interface to update VLAN and interface information based on the DHCPv6 Solicit messages sent by online users when the users roam to another AP. | - |
nd | Allows an interface to update VLAN and interface information based on the ND RS messages sent by online users when the users roam to another AP. | - |
Usage Scenario
In a WLAN scenario, when end users switch their SSIDs, their physical location information changes but their MAC addresses stay the same. In this situation, the end users resend DHCP or ND requests. Because the physical location information has changed while the MAC addresses are unchanged, the device concludes that the resent DHCP or ND requests are attack packets and discards them. The device considers that the end users are still online, even though they may actually have gone offline, and it cannot sense immediately that they are offline. As a result, the end users cannot go online again quickly. You can run the dhcp session-mismatch action offline command to log out the end users when they resend DHCP or ND requests. After that, when the end users continue to send DHCP or ND requests, they can go online again quickly.
When a WLAN user roams between different APs, the user resends DHCPv4 Discover or Request messages or DHCPv6 Solicit messages for login from the new AP. Because the user's VLAN and interface information has changed (MAC address unchanged), the device considers the messages newly received from the user as attacks and discards them. This prevents the device from immediately detecting that the WLAN user has logged off, so the user cannot rapidly log in from the new AP. To resolve this problem, run the dhcp session-mismatch action roam { ipv4 | ipv6 } * command.
Prerequisites
WLAN user roaming switchover has been enabled using the wlan-switch enable command.
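The following Python model is an added illustration; it is not part of this command reference or of the NetEngine software. It simulates a per-interface session table keyed by MAC address and shows what happens to a user's session when a DHCPv4 Discover/Request, DHCPv6 Solicit or ND RS arrives from a new VLAN with an unchanged MAC under each behaviour described above: the default (request treated as an attack and dropped), action offline, action roam, and the one-MAC-to-many-sessions variant mentioned under Precautions. The class and method names, the "drop" label for the default behaviour, the per-MAC mismatch counter and the sample MAC address and interface names are all constructed for the example.

```python
"""Simulation of DHCP session-mismatch handling on an access interface.

Constructed teaching model, not NetEngine 8000 code. It mirrors the
behaviours the command reference describes so the effect of each
setting on the session table can be compared side by side.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Location:
    """Physical access location learned for a user: interface plus VLAN."""
    interface: str
    vlan: int


@dataclass
class Session:
    mac: str
    location: Location


class AccessInterface:
    """Session table keyed by MAC address with a configurable mismatch policy.

    mismatch_action (names are this example's own):
      "drop"    - default: a request with a known MAC from a new location is
                  treated as a suspected attack and discarded
      "offline" - models 'dhcp session-mismatch action offline'
      "roam"    - models 'dhcp session-mismatch action roam { ipv4 | ipv6 | nd }'
    mac_multi_session models one-to-many MAC-to-session mapping: the user
    simply comes online as a new session from the new location.
    """

    def __init__(self, mismatch_action: str = "drop", mac_multi_session: bool = False):
        if mismatch_action not in ("drop", "offline", "roam"):
            raise ValueError("unknown mismatch action: " + mismatch_action)
        self.mismatch_action = mismatch_action
        self.mac_multi_session = mac_multi_session
        self.sessions: Dict[str, List[Session]] = {}
        # Per-MAC count of mismatch events: a MAC whose location keeps
        # changing is either a genuine roamer or an address reused elsewhere.
        self.mismatch_events: Counter = Counter()

    def handle_request(self, mac: str, location: Location) -> str:
        """Process a DHCPv4 Discover/Request, DHCPv6 Solicit or ND RS from mac."""
        sessions = self.sessions.get(mac, [])
        if not sessions:
            self.sessions[mac] = [Session(mac, location)]
            return "online"
        if any(s.location == location for s in sessions):
            return "already-online"  # same location: ordinary re-request
        # Same MAC, different physical location: session mismatch.
        self.mismatch_events[mac] += 1
        if self.mac_multi_session:
            sessions.append(Session(mac, location))
            return "online-new-session"
        if self.mismatch_action == "offline":
            del self.sessions[mac]  # logged out; the next request brings the user online again
            return "logged-out"
        if self.mismatch_action == "roam":
            sessions[0].location = location  # update VLAN/interface in place
            return "roamed"
        return "dropped"

    def locations_of(self, mac: str) -> List[Location]:
        return [s.location for s in self.sessions.get(mac, [])]

    def suspicious_macs(self, threshold: int) -> List[str]:
        """MACs whose mismatch count reached threshold: a cheap signal that an
        address is being reused, the risk noted under Configuration Impact."""
        return sorted(m for m, n in self.mismatch_events.items() if n >= threshold)


def walkthrough() -> Dict[str, List[str]]:
    """Run one constructed roaming sequence under each policy."""
    mac = "00e0-fc12-3456"  # constructed sample MAC
    old = Location("GigabitEthernet0/1/2.3", 10)
    new = Location("GigabitEthernet0/1/2.3", 20)
    results: Dict[str, List[str]] = {}
    for name, kwargs in (
        ("default", {}),
        ("offline", {"mismatch_action": "offline"}),
        ("roam", {"mismatch_action": "roam"}),
        ("multi-session", {"mac_multi_session": True}),
    ):
        itf = AccessInterface(**kwargs)
        itf.handle_request(mac, old)
        first = itf.handle_request(mac, new)   # location changed, MAC unchanged
        second = itf.handle_request(mac, new)  # the user retries
        results[name] = [first, second]
    return results


if __name__ == "__main__":
    for policy, outcome in walkthrough().items():
        print(f"{policy:14s} -> {outcome}")
```

Running the walkthrough shows why the default behaviour stalls the user (every retry is dropped while the stale session stays online), why action offline costs one extra round trip (the first retry logs the user out, the second brings it online), and why action roam is the cheapest for genuine AP roaming (the existing session is updated in place). The `suspicious_macs` helper is the kind of counter an operator would watch after enabling action offline, since a MAC that mismatches repeatedly is the pattern that the dhcp connection chasten command is meant to contain.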
Configuration Impact
Note:
If an attacker forges a MAC address and sends a DHCP or ND request packet after you run this command, the normal online user is logged out. Because this is a potential security risk, exercise caution when you run this command. After this command is run, the CPU usage may go up. To address the issue, run the dhcp connection chasten command or refer to Enabling One-to-Many Mapping Between One MAC Address and Many Sessions.
Precautions
In VS mode, this command is supported only by the admin VS.
The dhcp session-mismatch action { roam { ipv4 | ipv6 | nd } * } command does not support VE interfaces or PW-VE interfaces. In an IPoE access scenario, after one-to-many mapping between one MAC address and multiple sessions is enabled, run the dhcp session-mismatch action offline command. After a user logs in from another interface, the user re-logs in as a new user, and there is no need to log the user out from the original interface.
Example
# Log out online users whose physical location changes on GigabitEthernet 0/1/2.3.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/2.3
[*HUAWEI-GigabitEthernet0/1/2.3] commit
[~HUAWEI-GigabitEthernet0/1/2.3] bas
[~HUAWEI-GigabitEthernet0/1/2.3-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/2.3-bas] commit
[~HUAWEI-GigabitEthernet0/1/2.3-bas] dhcp session-mismatch action offline
# Update VLAN and interface information based on DHCPv4 messages from roaming users on GigabitEthernet0/1/16.3.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet0/1/16.3
[*HUAWEI-GigabitEthernet0/1/16.3] commit
[~HUAWEI-GigabitEthernet0/1/16.3] bas
[~HUAWEI-GigabitEthernet0/1/16.3-bas] access-type layer2-subscriber
[*HUAWEI-GigabitEthernet0/1/16.3-bas] commit
[~HUAWEI-GigabitEthernet0/1/16.3-bas] dhcp session-mismatch action roam ipv4