For S series switches, can the IP address of a VLANIF interface in a DAI-enabled VLAN be successfully pinged?


For S series switches, DAI is enabled in a VLAN or on a port in a VLAN, and VLANIF interfaces are configured in the VLAN. To successfully ping the IP address of the VLANIF interface from the VLAN or the port in the VLAN, the source IP address of the ping packet must match an entry in the static DHCP snooping binding table.
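DAI validates the ARP packets a host sends against the binding table, so a host with no matching entry cannot complete ARP with the VLANIF and its ping fails. The following added example (not Huawei code and not part of the original answer) parses `user-bind static` lines and reports which hosts DAI would permit. It is a simplified model that assumes a static entry is matched on every field it defines and that interface names are written without a space; the configuration lines and hosts are constructed samples.

```python
import re

# Constructed sample: static binding entries in "user-bind static" syntax.
SAMPLE_CONFIG = """
user-bind static ip-address 10.1.1.2 mac-address 0001-0001-0001 interface GigabitEthernet0/0/1 vlan 10
user-bind static ip-address 10.1.1.3 mac-address 0001-0001-0003 vlan 10
"""
# Constructed hosts that need to ping the VLANIF address of VLAN 10.
HOSTS = [
    {"name": "bound-host", "sender_ip": "10.1.1.2", "sender_mac": "00:01:00:01:00:01", "port": "GigabitEthernet0/0/1", "vlan": 10},
    {"name": "wrong-port", "sender_ip": "10.1.1.2", "sender_mac": "00:01:00:01:00:01", "port": "GigabitEthernet0/0/2", "vlan": 10},
    {"name": "unbound-host", "sender_ip": "10.1.1.9", "sender_mac": "00:01:00:01:00:09", "port": "GigabitEthernet0/0/1", "vlan": 10},
]
FIELDS = {"ip-address": "ip", "mac-address": "mac", "interface": "port", "vlan": "vlan"}

def norm_mac(mac):
    """Normalize H-H-H, colon or dotted MACs to 12 lowercase hex digits."""
    groups = re.split(r"[-:.]", mac.strip().lower())
    return "".join(g.zfill(12 // len(groups)) for g in groups)

def parse_bindings(config):
    """Return one dict per 'user-bind static' line, holding only the configured fields."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["user-bind", "static"]:
            continue
        entry = {}
        for key, value in zip(tokens[2::2], tokens[3::2]):
            if key in FIELDS:
                entry[FIELDS[key]] = norm_mac(value) if key == "mac-address" else value.lower()
        entries.append(entry)
    return entries

def dai_permits(arp, entries):
    """Permit an ARP packet only if some entry matches on every field that entry defines."""
    seen = {"ip": arp["sender_ip"], "mac": norm_mac(arp["sender_mac"]),
            "port": arp["port"].lower(), "vlan": str(arp["vlan"])}
    return any(e and all(seen[k] == v for k, v in e.items()) for e in entries)

def audit(hosts, config):
    """Map each host name to True (ARP permitted) or False (ARP dropped by DAI)."""
    entries = parse_bindings(config)
    return {h["name"]: dai_permits(h, entries) for h in hosts}

if __name__ == "__main__":
    for name, ok in audit(HOSTS, SAMPLE_CONFIG).items():
        print(f"{name}: {'permit' if ok else 'drop (no matching static binding)'}")
```

A host reported as dropped needs a static binding entry that matches its IP address, MAC address, interface and VLAN before it can ping the VLANIF address.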

Other related questions:
Can the IP address of a VLANIF interface in a DAI-enabled VLAN be successfully pinged?
Dynamic ARP Inspection (DAI) is enabled in a VLAN or on a physical interface in the VLAN, and VLANIF interfaces are configured in the VLAN. To successfully ping the IP address of the VLANIF interface from the VLAN or the physical interface in the VLAN, the source IP address of the ping packet must match an entry in the static DHCP snooping binding table.

An S series switch can successfully ping an IP address that does not exist
If an S series switch (a non-S1700 switch) can successfully ping an IP address that does not exist, there are reachable routes between the switch and the non-existent IP address. You can check the routing table or capture packets to locate the non-existent IP address. You need to analyze why the switch can successfully ping the non-existent IP address and check whether the fault is related to the service configuration.

How to bind the IP address, MAC address, and interface
The Switch implements binding between an interface and a MAC address through the traffic policy and DHCP snooping. The interface then allows only packets with the bound MAC address and packets matching the DHCP snooping binding table to pass through. The Switch does support binding of IP address + MAC address + interface.

For example, to configure Ethernet 0/0/1 to allow only packets with the source MAC address 0-02-02, apart from the packets matching the DHCP snooping binding table, and to discard other packets, do as follows:

# Enable DHCP snooping globally.
[HUAWEI] dhcp snooping enable

# Create an ACL that permits only the packets with the source MAC address being 0-02-02.
[HUAWEI] acl 4000
[HUAWEI-acl-L2-4000] rule permit source-mac 0-02-02 ffff-ffff-ffff
[HUAWEI-acl-L2-4000] rule deny

# Create a traffic classifier that matches ACL 4000.
[HUAWEI] traffic classifier c1
[HUAWEI-classifier-c1] if-match acl 4000

# Create a traffic behavior and a traffic policy.
[HUAWEI] traffic behavior b1
[HUAWEI-behavior-b1] permit
[HUAWEI] traffic policy p1
[HUAWEI-trafficpolicy-p1] classifier c1 behavior b1

# Apply the traffic policy to Ethernet 0/0/1 so that the interface allows only the packets with the source MAC address 0-02-02 to pass through, apart from the packets matching the DHCP snooping binding table. In V100R005C00 and later versions, the configuration is as follows:
[HUAWEI] interface Ethernet 0/0/1
[HUAWEI-Ethernet0/0/1] port default vlan 4094
[HUAWEI-Ethernet0/0/1] ip source check user-bind enable
[HUAWEI-Ethernet0/0/1] traffic-policy p1 inbound

Whether S series switches support ping to the virtual IP address of the VRRP group
S series switches (S1700 excluded) allow user devices to ping a virtual IP address to serve the following purposes:
- Monitor the operating status of the master in a VRRP group.
- Monitor communication between a user device and a network connected by a default gateway using the virtual IP address.

Run the vrrp virtual-ip ping enable command to enable the ping to the virtual IP address.
