Cause of semi-dynamic ARP configuration loss after S series switches are upgraded to V2R1


On S series switches (except S1700 switches), the semi-dynamic ARP of IP+MAC+VID (different from static ARP of IP+MAC+VID+interface) is valid only on sub-interfaces having the vlan-type dot1q command configured. Versions earlier than V200R001 support the vlan-type dot1q command on sub-interfaces, but the command cannot be successfully configured. In V200R001 and later versions, the vlan-type dot1q command and the semi-dynamic ARP configuration command are not supported on sub-interfaces.
Note: In versions earlier than V200R001, the semi-dynamic ARP of IP+MAC+VID can be configured on sub-interfaces that do not have the vlan-type dot1q command configured, but the configuration cannot take effect. Therefore, loss of this configuration does not affect services after an upgrade to V200R001.

Other related questions:
Upgrade of an S series switch fails because of an unexpected power failure during the upgrade
After an S series switch (except the S1700) is set to start from a large package and is reset, if a power failure occurs during the process and the software cannot start normally from that package, the switch finds the large package file from which it last started successfully.

How to configure dynamic ARP inspection (DAI) on S series switches
For S series switches (except S1700 switches): DAI prevents man-in-the-middle (MITM) attacks on authorized user information. When a device receives an ARP packet, it compares the source IP address, source MAC address, port number, and VLAN ID of the ARP packet with those in a binding table. If the ARP packet matches a binding entry, the device considers that the ARP packet is sent by an authorized user and allows the packet to pass through. If the ARP packet does not match any binding entry, the device considers the ARP packet as an attack packet and discards it.

You can enable DAI in the interface view or the VLAN view. When DAI is enabled in the interface view, the device checks all ARP packets received on the interface against the binding entries. When DAI is enabled in the VLAN view, the device checks ARP packets received on interfaces that belong to the VLAN against the binding entries. This function is available only for DHCP snooping scenarios.

# Configure DHCP snooping on the device and enable DAI on a user-side interface.
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable //Enable DHCP snooping on the user-side interface.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted //Configure the network-side interface connected to the DHCP server as a trusted interface. If DHCP snooping is configured on a DHCP relay device, configuring a trusted interface is optional.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure a static binding entry for a user with a static IP address.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable //Enable DAI on the user-side interface.
[HUAWEI-GigabitEthernet1/0/1] quit

# Configure DHCP snooping on the device and enable DAI in the VLAN to which users belong.
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable //Enable DHCP snooping in the VLAN to which users belong.
[HUAWEI-vlan100] quit
[HUAWEI] vlan 200
[HUAWEI-vlan200] dhcp snooping enable
[HUAWEI-vlan200] dhcp snooping trusted interface gigabitethernet 1/0/2 //Configure the network-side interface connected to the DHCP server as a trusted interface. If DHCP snooping is configured on a DHCP relay device, configuring a trusted interface is optional.
[HUAWEI-vlan200] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure a static binding entry for a user with a static IP address.
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable //Enable DAI in the VLAN to which users belong.
[HUAWEI-vlan100] quit
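
Both configurations above enable DHCP snooping and DAI in the same view. The following Python audit is an added example, not Huawei's code: it lists the views of a saved configuration where DAI is enabled without DHCP snooping. The configuration text and its '#'-separated layout are constructed assumptions.

```python
import re

# Constructed sample, laid out like a saved configuration: views separated by
# '#', commands inside a view indented by one space (layout is an assumption).
SAMPLE_CONFIG = """\
#
dhcp snooping enable ipv4
#
vlan 100
 dhcp snooping enable
 arp anti-attack check user-bind enable
#
vlan 300
 arp anti-attack check user-bind enable
#
interface GigabitEthernet1/0/3
 arp anti-attack check user-bind enable
#
"""
DAI = "arp anti-attack check user-bind enable"

def parse_views(config):
    """Return {view: [commands]}; top-level commands go under 'system'."""
    views, current = {"system": []}, "system"
    for line in config.splitlines():
        if line.strip() in ("", "#"):
            current = "system"          # a separator closes the current view
        elif line.startswith(" "):
            views[current].append(line.strip())
        elif re.fullmatch(r"interface \S+|vlan \d+", line.strip()):
            current = line.strip()      # entering an interface or VLAN view
            views.setdefault(current, [])
        else:
            views["system"].append(line.strip())
    return views

def audit_dai(config):
    """Report DAI-enabled views that lack the DHCP snooping DAI depends on."""
    views = parse_views(config)
    findings = []
    if not any(c.startswith("dhcp snooping enable") for c in views["system"]):
        findings.append("system: DHCP snooping is not enabled globally")
    for view, cmds in views.items():
        if DAI in cmds and "dhcp snooping enable" not in cmds:
            findings.append(f"{view}: DAI enabled without DHCP snooping in this view")
    return findings
```

A flagged interface may still be covered by DHCP snooping enabled in its VLAN, so treat each finding as a view to review rather than a confirmed misconfiguration.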

Configure dynamic NAT on S series switches
S7700, S9700, and S9300 series modular switches use SPUs to support dynamic NAT.

What causes packet loss on the port of S series switches
For S series switches (except the S1700), packets will be discarded if traffic is too heavy or burst traffic occurs.

Static ARP configuration on S series switch
On an S series switch, except S1700, run the arp static command in the system view to configure a static ARP entry.
When the outbound interface is an Ethernet interface, run the arp static ip-address mac-address interface interface-type interface-number command to configure a static ARP entry.
When a VPN instance needs to be specified for the ARP entry, run the arp static ip-address mac-address vpn-instance vpn-instance-name command.
To configure a short ARP entry (only contains IP address and MAC address mapping, without VLAN or outbound interface), run the arp static ip-address mac-address command.

To configure a static ARP entry in which the IP address is 10.1.1.1, MAC address is 0efc-0505-86e3, VLAN ID is 10, and outbound interface is GE1/0/1, run:
[HUAWEI] arp static 10.1.1.1 0efc-0505-86e3 vid 10 interface gigabitethernet 1/0/1

To configure a static ARP entry in which the IP address is 10.1.1.1, MAC address is 0efc-0505-86e3, and VPN instance is vpn1, run:
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv4-family
[HUAWEI-vpn-instance-vpn1-af-ipv4] quit
[HUAWEI-vpn-instance-vpn1] quit
[HUAWEI] arp static 10.1.1.1 0efc-0505-86e3 vpn-instance vpn1
