DAI is enabled on an S series switch, and the source MAC address of an ARP packet is checked against the source MAC address in the Ethernet frame header. Why can an ARP packet whose source MAC address differs from that in the Ethernet frame header pass the check?

For S series switches:
In versions earlier than V200R001, a DAI-enabled switch checks ARP packets based on ACL rules delivered to the chip. However, comparing the source MAC address in the ARP packet with that in the Ethernet frame header is performed by software, which requires the ARP packet to be sent to the CPU. After the DAI check, the packet is not sent to the CPU, so the source MAC address in the ARP packet and that in the Ethernet frame header are not compared.
In V200R001 and later versions, a DAI-enabled switch checks ARP packets using software. An ARP packet whose source MAC address differs from that in the Ethernet frame header is discarded.
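
The source MAC consistency check described above can be reproduced offline to audit captured frames. The following is an added example, not Huawei's code: the function names, the verdict strings and the sample frames are assumptions constructed for illustration, and it models only the comparison of the two source MAC addresses.

```python
import struct

ETH_P_ARP, ETH_P_8021Q = 0x0806, 0x8100

def check_arp_source_mac(frame: bytes) -> str:
    """Classify one raw Ethernet frame: not-arp, malformed, forward or discard."""
    if len(frame) < 14:
        return "malformed"
    eth_src = frame[6:12]                      # source MAC in the Ethernet header
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETH_P_8021Q:               # skip one 802.1Q VLAN tag
        if len(frame) < 18:
            return "malformed"
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETH_P_ARP:
        return "not-arp"
    arp = frame[offset:]
    if len(arp) < 28:                          # Ethernet/IPv4 ARP body is 28 bytes
        return "malformed"
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "malformed"
    sender_mac = arp[8:14]                     # source (sender) MAC inside the ARP packet
    return "forward" if sender_mac == eth_src else "discard"

def build_arp_frame(eth_src: bytes, arp_sender_mac: bytes, vlan=None) -> bytes:
    """Construct a sample ARP request frame (test data, not captured traffic)."""
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + arp_sender_mac
           + bytes([192, 0, 2, 10]) + bytes(6) + bytes([192, 0, 2, 1]))
    return b"\xff" * 6 + eth_src + tag + struct.pack("!H", ETH_P_ARP) + arp

HOST_MAC = bytes.fromhex("02005e000001")       # constructed, locally administered
OTHER_MAC = bytes.fromhex("02005e000002")      # constructed, locally administered

if __name__ == "__main__":
    samples = {
        "consistent": build_arp_frame(HOST_MAC, HOST_MAC),
        "mismatched": build_arp_frame(HOST_MAC, OTHER_MAC),
        "mismatched, VLAN 10": build_arp_frame(HOST_MAC, OTHER_MAC, vlan=10),
    }
    for name, frame in samples.items():
        print(f"{name}: {check_arp_source_mac(frame)}")
```

Running the same function over frames mirrored from a port on a pre-V200R001 switch shows whether mismatched ARP packets are reaching hosts despite DAI being enabled.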
