After I enable DAI or IPSG on an interface, why can the interface still forward packets that do not match the binding table?


If the dhcp snooping trusted command is run on the interface, the interface considers all packets to be valid and forwards all packets regardless of whether Dynamic ARP Inspection (DAI) or IP Source Guard (IPSG) is configured.

Other related questions:
After the DAI or IPSG function is enabled on an interface, why can the interface forward packets that do not match a bound list?
Check whether the dhcp snooping trusted command has been run on the interface of the AR router. If it has, all packets received on this interface are considered valid and are forwarded, even though the DAI or IPSG function is enabled on the interface.

With IPSG enabled, how will an S series switch process IP packets that do not match the binding table?
With IPSG enabled, an S series switch (except the S1700) checks IP packets against a DHCP snooping dynamic binding table or static binding table. Before the switch forwards an IP packet, it compares the source IP address, source MAC address, interface, or VLAN information in the IP packet with entries in the binding table. If a matching entry is found, the switch considers the IP packet as a valid packet and forwards it. Otherwise, the switch considers the IP packet as an attack packet and discards it. Whether an IP packet sent from a terminal connected to a port matches a binding entry or not has no effect on the status of the port (for example, the port will not change from the up state to the shutdown or error-disable state).

Reasons why IP packets matching binding entries are discarded a while after S series switch generates the dynamic binding table
If IP packets that match entries in the dynamic binding table are discarded a while after an S series switch generates the table, check whether the binding entries still exist. Dynamic binding entries have an aging time. If the IP address lease is not renewed before the aging time expires, the entries age out, and IP packets that matched the expired entries are discarded.

Why cannot a DAI-enabled switch forward valid ARP packets at line rate?
In versions earlier than V200R001, a DAI-enabled switch checks ARP packets based on ACL rules delivered to the chip, so valid ARP packets are forwarded directly at line rate. In V200R001 and later versions, the DAI-enabled switch checks ARP packets and forwards valid ARP packets in software. The forwarding rate therefore depends on the CIR value configured for ARP packets and on CPU usage.

Types of packets checked by S series switches with IPSG enabled
For S series switches (except S1700 switches), IPSG takes effect only for IP packets (except DHCP packets) but not for packets of other types such as ARP or PPPoE. With IPSG enabled, an S series switch checks only IPv4 packets in versions earlier than V200R001 and checks all IPv4 and IPv6 packets in V200R001 and later versions.
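As an added illustration (not Huawei's code), the following Python model ties together the rules stated in the answers above: a dhcp snooping trusted interface skips the check, IPSG applies only to IP packets, a packet is compared against live binding entries, and an aged-out entry causes matching packets to be dropped. Checking all four fields against each entry, the field names and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding entry (assumed field set)."""
    ip: str
    mac: str
    interface: str
    vlan: int
    expires_at: Optional[float]  # lease expiry for dynamic entries; None = static

@dataclass(frozen=True)
class Packet:
    kind: str        # "ip", "dhcp", "arp" or "pppoe" (constructed labels)
    src_ip: str
    src_mac: str
    interface: str
    vlan: int

def ipsg_decision(pkt, bindings, trusted_ifaces, now):
    """Model of the forwarding decision; returns (action, reason).
    The port itself never changes state; only the packet is dropped."""
    # A dhcp snooping trusted interface treats every packet as valid.
    if pkt.interface in trusted_ifaces:
        return "forward", "trusted interface: binding check skipped"
    # IPSG covers IP packets only; DHCP, ARP and PPPoE are not checked by it.
    if pkt.kind != "ip":
        return "forward", "not an IP packet: outside IPSG scope"
    key = (pkt.src_ip, pkt.src_mac, pkt.interface, pkt.vlan)
    for b in bindings:
        if (b.ip, b.mac, b.interface, b.vlan) != key:
            continue
        if b.expires_at is None or b.expires_at > now:
            return "forward", "matches a live binding entry"
        return "drop", "matching entry aged out (lease not renewed)"
    return "drop", "no matching binding entry"

def run_samples():
    """Constructed bindings and packets exercising each rule above."""
    bindings = [
        Binding("10.1.1.10", "00:11:22:33:44:55", "GE0/0/1", 10, 3600.0),
        Binding("10.1.1.20", "00:11:22:33:44:66", "GE0/0/2", 10, 100.0),
    ]
    trusted = {"GE0/0/24"}  # assumed uplink towards the DHCP server
    pk = lambda kind, ip, mac, ifc: Packet(kind, ip, mac, ifc, 10)
    now = 1000.0  # seconds; the GE0/0/2 lease expired at t=100 and was not renewed
    dec = lambda p: ipsg_decision(p, bindings, trusted, now)[0]
    return {
        "valid": dec(pk("ip", "10.1.1.10", "00:11:22:33:44:55", "GE0/0/1")),
        "unknown_ip": dec(pk("ip", "10.1.1.99", "00:11:22:33:44:55", "GE0/0/1")),
        "moved_port": dec(pk("ip", "10.1.1.10", "00:11:22:33:44:55", "GE0/0/3")),
        "aged_out": dec(pk("ip", "10.1.1.20", "00:11:22:33:44:66", "GE0/0/2")),
        "trusted_port": dec(pk("ip", "10.1.1.99", "de:ad:be:ef:00:01", "GE0/0/24")),
        "arp_packet": dec(pk("arp", "10.1.1.99", "00:11:22:33:44:55", "GE0/0/1")),
    }
```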
