Layer 2 isolation cannot provide unicast access

2023-12-27 14:44:18 Published

Network Topology

Traditional topology, using centralized forwarding.

Problem Description

After Layer 2 isolation is configured, unicast access between clients is no longer possible, but the customer's requirement is to isolate only broadcast and multicast traffic, not unicast.

Process Analysis

1. The following configuration meets the customer's requirement:

user-isolation vlan xxx enable permit-unicast // permit-unicast: unicast is not isolated; only broadcast and multicast are isolated. If this keyword is omitted, unicast, broadcast and multicast are all isolated.
user-isolation vlan xxx permit-mac xxxx  // Allow the required MAC addresses through, such as the gateway and the AC.
vlan xxx
arp fast-reply enable // Enable the ARP fast-reply function so that the AC answers ARP requests on behalf of clients

2. The site uses centralized forwarding, so the above commands can be configured on the AC.

3. After configuring as above, clients in the VLAN still cannot ping each other. Running display wlan client on the AC shows no IP address for any client in this VLAN, whereas display wlan client normally shows each client's IP address.

4. The configuration under the service template differs from the usual configuration:

#
wlan service-template 1
 ssid xxxx
 akm mode psk
 preshared-key pass-phrase cipher $c$3$Yj8FQRyHDETu5AxoXt8yg/fJ00Cc+S0tjWU11
 cipher-suite ccmp
 security-ie rsn
 undo client ipv4-snooping dhcp-learning enable
 undo client ipv4-snooping arp-learning enable
 service-template enable
#
 undo client ipv4-snooping dhcp-learning enable
 undo client ipv4-snooping arp-learning enable

These two commands disable learning of client IPv4 addresses through ARP and DHCP. As a result the AC has no IP address for the clients, and without that mapping ARP fast-reply cannot answer ARP requests on their behalf.

Solution

After re-enabling learning of client IPv4 addresses through ARP and DHCP under the service template, the customer's requirement is met:

client ipv4-snooping dhcp-learning enable
client ipv4-snooping arp-learning enable
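As an added example (not from the original case), the following Python script parses a Comware-style configuration dump and flags the combination described above: permit-unicast user isolation that relies on ARP fast-reply while a service template has IPv4 snooping disabled. The sample configuration, VLAN number, SSID and MAC address are constructed; the script does not resolve which VLAN each service template is bound to, so it flags any template that disables snooping whenever permit-unicast isolation is present.

```python
import re
# Constructed Comware-style configuration illustrating the case above (not a real device dump).
SAMPLE_CONFIG = """\
#
user-isolation vlan 100 enable permit-unicast
user-isolation vlan 100 permit-mac 0001-0002-0003
#
vlan 100
 arp fast-reply enable
#
wlan service-template 1
 ssid guest
 undo client ipv4-snooping dhcp-learning enable
 undo client ipv4-snooping arp-learning enable
 service-template enable
#
"""

def parse_blocks(config):
    """Split a '#'-delimited Comware config into lists of stripped lines."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line:
            current.append(line)
    return blocks + ([current] if current else [])

def audit_isolation(config):
    """Flag permit-unicast isolation whose ARP fast-reply cannot work because the AC does not learn client IPv4 addresses."""
    blocks = parse_blocks(config)
    permit_unicast, fast_reply, findings = set(), set(), []
    for block in blocks:
        for line in block:
            m = re.fullmatch(r"user-isolation vlan (\d+) enable permit-unicast", line)
            if m:
                permit_unicast.add(m.group(1))
        m = re.fullmatch(r"vlan (\d+)", block[0])
        if m and "arp fast-reply enable" in block[1:]:
            fast_reply.add(m.group(1))
    for vlan in sorted(permit_unicast - fast_reply):
        findings.append(f"vlan {vlan}: permit-unicast set but 'arp fast-reply enable' missing")
    for block in blocks:
        disabled = [l for l in block if l.startswith("undo client ipv4-snooping")]
        if block[0].startswith("wlan service-template") and permit_unicast and disabled:
            findings.append(f"{block[0]}: {'; '.join(disabled)} (AC cannot learn client IPs)")
    return findings
```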