Traditional networking, centralized forwarding.
After configuring layer 2 isolation, the customer lost unicast access. They only want to isolate broadcast and multicast, not unicast.
1. We have a solution for the customer's requirements. By following the configuration below, we can fulfill their needs:
user-isolation vlan xxx enable permit-unicast // "permit-unicast" means that unicast is not isolated; only broadcast and multicast are isolated. If this parameter is not specified, unicast, broadcast, and multicast are all isolated.
user-isolation vlan xxx permit-mac xxxx // Allow the necessary MAC addresses, such as gateway, AC, etc.
vlan xxx
arp fast-reply enable // Enable the ARP fast-reply function on the AC.
2. Since it is centralized forwarding on-site, the above commands can be configured on the AC.
3. After applying the settings above, unicast still failed: hosts could not be pinged or reached. Running "dis wlan client" on the AC showed no IP address for any device in this VLAN, although this command normally displays the IP addresses of the devices. Why are the devices in this VLAN not displaying their IP addresses? We should check all the configurations related to this VLAN.
4. The configuration under the service template is a bit different from the regular configuration:
#
wlan service-template 1
ssid xxxx
akm mode psk
preshared-key pass-phrase cipher $c$3$Yj8FQRyHDETu5AxoXt8yg/fJ00Cc+S0tjWU11
cipher-suite ccmp
security-ie rsn
undo client ipv4-snooping dhcp-learning enable
undo client ipv4-snooping arp-learning enable
service-template enable
#
Note:
undo client ipv4-snooping dhcp-learning enable
undo client ipv4-snooping arp-learning enable
These two commands disable learning of client IPv4 addresses through DHCP and ARP. As a result, the AC has no client IP addresses to display and cannot perform ARP fast reply.
The problem has been identified.
After learning of client IPv4 addresses through ARP and DHCP was enabled again under the service template, the customer's requirement was met.
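The conflict found in this case can be checked for in a saved configuration. The Python script below is an added example, not part of the original case or of any H3C tool: it flags service templates that disable both DHCP and ARP learning on a device where some VLAN has "arp fast-reply enable". The indented dump layout, VLAN 100 and the SSID are assumptions, and templates are not mapped to individual VLANs.

```python
import re

# Constructed sample in the assumed layout of a Comware configuration dump:
# top-level commands in column 0, sub-commands indented, "#" between sections.
SAMPLE_CONFIG = """\
user-isolation vlan 100 enable permit-unicast
#
vlan 100
 arp fast-reply enable
#
wlan service-template 1
 ssid example
 undo client ipv4-snooping dhcp-learning enable
 undo client ipv4-snooping arp-learning enable
 service-template enable
#
"""

LEARNING = re.compile(r"(undo )?client ipv4-snooping (dhcp|arp)-learning enable$")


def parse_sections(config):
    """Return {top-level command: [sub-commands]} for an indented config dump."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None
        elif raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config):
    """List (template, fast-reply VLANs) where the AC cannot learn client IPs."""
    sections = parse_sections(config)
    fast_reply_vlans = [h.split()[1] for h, sub in sections.items()
                        if re.fullmatch(r"vlan \d+", h) and "arp fast-reply enable" in sub]
    findings = []
    for header, sub in sections.items():
        if not header.startswith("wlan service-template "):
            continue
        # Learning methods explicitly turned off with "undo" in this template.
        disabled = {m.group(2) for m in map(LEARNING.match, sub) if m and m.group(1)}
        if fast_reply_vlans and disabled == {"dhcp", "arp"}:
            findings.append((header.split()[-1], fast_reply_vlans))
    return findings
```

A template is reported only when both learning methods are disabled, which is the state described in this case.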