Disabling IP Learning in FlexConnect Mode

Disabling IP learning in FlexConnect mode is a WLAN configuration option that

  • prevents device tracking for clients in FlexConnect local switching scenarios

  • avoids IP theft errors by ensuring no device tracking is done for clients, and

  • supports overlapping IP address allocation across different sites.

IP address handling in FlexConnect local switching

In FlexConnect local switching scenarios, clients from the same sites may share the same address range, which can result in multiple clients being allocated or registered with the same IP address. The controller receives IP address information from the AP. If more than one client attempts to use the same IP address, the controller treats the last device trying to register an already-used address as an IP theft event and discards it, potentially resulting in client exclusion.

The no ip mac-binding command ensures that no device tracking is done for clients, thus preventing the IP theft error.


Note


  • This feature is applicable only for IPv4 addresses.

  • Configuring ip overlap in the FlexConnect profile helps support overlapping IP addresses for clients across different sites in FlexConnect local switching.


Restrictions for disabling IP learning in FlexConnect mode

  • The wireless client ip deauthenticate command works by referring to the IP table binding entries directly. It does not work for clients whose IP addresses are not learned.

  • Overlapping IP addresses within a single site tag and across different site tags require different settings. Furthermore, if a single site tag contains overlapping IP addresses, L3 web authentication is necessary. However, L3 web authentication relies on IP addresses, and the uniqueness of IP addresses cannot be guaranteed, which makes this combination incorrect.

  • When IP Source Guard (IPSG) is enabled and multiple bindings are sent to CPP with the same IP and preference level (such as DHCP, ARP, and so on), the CPP ignores the later bindings after the first binding is created. Hence, do not configure IPSG and disable IP MAC binding together. If IPSG and no ip mac-binding are configured together, IPSG does not work.

Disable IP learning in FlexConnect mode

Configure the wireless policy profile to disable IP learning in FlexConnect mode for improved client management.
Disabling IP learning in FlexConnect mode prevents the controller from learning client IP addresses through MAC binding, which can be useful in certain deployment scenarios where IP-MAC binding is not required or causes issues.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Configure the wireless profile policy.

Example:

Device(config)# wireless profile policy profile-policy-name

Example:

Device(config)# wireless profile policy test-profile-policy

Step 3

Disable the wireless policy profile.

Example:

Device(config-wireless-policy)# shutdown

Disabling the policy profile causes the associated APs and clients to rejoin.

Step 4

Disable IP learning in FlexConnect mode.

Example:

Device(config-wireless-policy)# no ip mac-binding

Step 5

Enable the wireless policy profile.

Example:

Device(config-wireless-policy)# no shutdown

Step 6

Exit wireless policy configuration mode and return to privileged EXEC mode.

Example:

Device(config-wireless-policy)# exit

IP learning is disabled in FlexConnect mode, and the wireless policy profile is active.

MAC entry verification from database

This reference explains how to verify MAC address details from the device-tracking database.

To verify the MAC details from the database, use the following command:


Device# show wireless device-tracking database mac
MAC              VLAN   IF-HDL       IP
--------------------------------------------------------------------------------------------------
6c96.cff2.889a   64     0x90000008   9.9.64.175
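
The following Python script is an added example, not part of the original documentation. It parses saved output of the command above and lists IPv4 addresses that appear under more than one MAC address, which is the overlap that leads to IP theft events. It assumes the column layout shown in the sample and that an entry without a learned IP has an empty IP column; every row except the first is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first data row is the one shown on the page,
# the other rows are made up for illustration.
SAMPLE_OUTPUT = """\
Device# show wireless device-tracking database mac
MAC              VLAN   IF-HDL       IP
--------------------------------------------------
6c96.cff2.889a   64     0x90000008   9.9.64.175
0011.2233.4455   64     0x90000009   9.9.64.175
0011.2233.4466   65     0x9000000a   9.9.65.10
0011.2233.4477   65     0x9000000b
"""

# One row: dotted-hex MAC, VLAN, interface handle, optional IPv4 address.
# The optional IP column is an assumption about entries with no learned IP.
ROW = re.compile(
    r"^\s*(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(?P<vlan>\d+)\s+"
    r"(?P<ifhdl>0x[0-9a-f]+)(?:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?\s*$",
    re.IGNORECASE,
)

def parse_bindings(text):
    """Return (mac, vlan, ip) tuples; prompt, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m["mac"].lower(), int(m["vlan"]), m["ip"]))
    return rows

def overlapping_ips(rows):
    """Map each IPv4 address seen under more than one MAC to its sorted MACs."""
    by_ip = defaultdict(set)
    for mac, _vlan, ip in rows:
        if ip is not None:  # entries without a learned IP cannot overlap
            by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1}

if __name__ == "__main__":
    rows = parse_bindings(SAMPLE_OUTPUT)
    for ip, macs in overlapping_ips(rows).items():
        print(f"{ip} is bound to {len(macs)} MACs: {', '.join(macs)}")
```

Running the check on output collected before changing the policy profile shows which addresses already overlap.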