Why cannot a DAI-enabled S series switch forward valid ARP packets at line rate


For S series switches, in versions earlier than V200R001, a DAI-enabled switch checks ARP packets based on ACL rules delivered to the chip. Therefore, packets are directly forwarded at line rate. In V200R001 and later versions, a DAI-enabled switch checks ARP packets and forwards valid ARP packets using software. The forwarding rate depends on factors such as the CPCAR value of the ARP packet and CPU usage.
For E series switches, a DAI-enabled switch checks ARP packets and forwards valid ARP packets using software. The forwarding rate depends on factors such as the CPCAR value of the ARP packet and CPU usage.

Other related questions:
Why cannot a DAI-enabled switch forward valid ARP packets at line rate
In versions earlier than V200R001, a DAI-enabled switch checks ARP packets based on ACL rules delivered to the chip. Therefore, packets are directly forwarded at line rate. In V200R001 and later versions, the DAI-enabled switch checks ARP packets and forwards valid ARP packets using software. The forwarding rate depends on the CIR value of the ARP packet and CPU usage.

Line rate forwarding of S series switches
Line rate forwarding indicates that no packet is lost when the maximum rate of an interface is reached. Total bandwidth provided by all interfaces of a switch = Number of interfaces x Interface rate x 2 (full-duplex mode). If the total bandwidth is less than or equal to the backplane bandwidth, data is forwarded at line rate on the backplane.

After DAI and EAI are enabled on an S series switch, why can the switch forward ARP packets sent by unauthorized users to request MAC addresses of authorized users
For S series switches: In versions earlier than V200R001, a DAI-enabled switch checks an incoming ARP packet against the binding table based on ACL rules delivered to the chip. An EAI-enabled switch sends the packet to the CPU. The CPU searches the binding table for the outbound interface of the packet and then forwards the packet using software. Both DAI and EAI are Layer 2 functions, but the ACL rule delivered by EAI for sending ARP packets to the CPU takes precedence over the rule delivered by DAI. Therefore, DAI does not check these ARP packets, and ARP packets sent by unauthorized users to request MAC addresses of authorized users are forwarded normally. In V200R001 and later versions, a DAI-enabled switch checks ARP packets using software, so this problem does not occur.

How to configure ARP packet rate limit on S series switches
For S series switches (except S1700 switches): You can configure the rate limit on ARP packets using one of the following methods as required:
- Limiting the rate of ARP packets based on source MAC addresses (supported by the S5720EI, S5720HI, S6720EI, and all S series modular switches, but not supported by E series switches)
# Set the maximum rate of ARP packets from the specified MAC address 0-0-1 to 50 pps.
[HUAWEI] arp speed-limit source-mac 0-0-1 maximum 50
- Limiting the rate of ARP packets based on source IP addresses
# Set the maximum rate of ARP packets from the specified IP address 10.0.0.1 to 50 pps.
[HUAWEI] arp speed-limit source-ip 10.0.0.1 maximum 50
- Limiting the rate of ARP packets globally, in a VLAN, or on an interface
# Configure Layer 2 interface GE0/0/1 to allow 200 ARP packets to pass through in 10 seconds, and to discard all ARP packets for 60 seconds when the number of ARP packets exceeds the limit.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 block-timer 60
- Limiting the rate of ARP packets on a VLANIF interface of a super-VLAN
# Set the maximum rate of broadcast ARP Request packets on VLANIF interfaces in all super-VLANs to 500 pps.
[HUAWEI] arp speed-limit flood-rate 500
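The following is an added Python model of the per-interface "packet 200 interval 10 block-timer 60" semantics described above, written for this page and not taken from Huawei's implementation. It assumes packets are counted in fixed windows of `interval` seconds and that exceeding `packet` in a window discards every ARP packet for `block_timer` seconds; feeding it a constructed burst shows how many packets are forwarded and dropped before the block expires.

```python
# Added model (not Huawei code) of "arp anti-attack rate-limit packet 200
# interval 10 block-timer 60" on one interface.
# Assumption: ARP packets are counted in fixed windows of `interval` seconds;
# once a window's count exceeds `packet`, all ARP packets are discarded for
# `block_timer` seconds, after which counting starts again from zero.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ArpRateLimiter:
    packet: int = 200          # allowed ARP packets per interval
    interval: float = 10.0     # counting window in seconds
    block_timer: float = 60.0  # discard period after the limit is exceeded
    window_start: Optional[float] = None
    count: int = 0
    blocked_until: float = 0.0

    def accept(self, t: float) -> bool:
        """Return True if an ARP packet arriving at time t is forwarded."""
        if t < self.blocked_until:
            return False                       # still inside the block period
        if self.window_start is None or t - self.window_start >= self.interval:
            self.window_start = t              # open a new counting window
            self.count = 0
        self.count += 1
        if self.count > self.packet:           # limit exceeded: start blocking
            self.blocked_until = t + self.block_timer
            self.window_start = None
            self.count = 0
            return False
        return True


def simulate(arrivals, **cfg):
    """Feed arrival timestamps (seconds); return (forwarded, dropped)."""
    limiter = ArpRateLimiter(**cfg)
    forwarded = sum(1 for t in arrivals if limiter.accept(t))
    return forwarded, len(arrivals) - forwarded


if __name__ == "__main__":
    # Constructed traffic: 30 ARP pps for 10 s (300 packets), then 1 pps for 70 s.
    burst = [i / 30 for i in range(300)]
    quiet = [10.0 + i for i in range(70)]
    print(simulate(burst + quiet))  # → (213, 157)
```

Only the first 200 burst packets pass; the 201st triggers the block at about t=6.7 s, so the rest of the burst and the quiet traffic up to t=66.7 s are discarded.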

Reason why S series switch cannot learn ARP entries
When an S series switch, except S1700, works at Layer 2, the switch does not have ARP entries and cannot learn ARP entries. When an S series switch, except S1700, works at Layer 3 and cannot learn ARP entries, rectify the fault as follows:
(1) Possible cause: The link between the switch and the connected device fails.
Solution: Perform ping operations to check whether the link fails. If so, rectify the link failure.
(2) Possible cause: ARP strict learning is enabled on the switch. (After this function is enabled, the switch learns only the ARP reply packets sent in response to ARP request packets it sent itself.)
Solution: Run the undo arp learning strict command in the system or interface view to disable ARP strict learning.
(3) Possible cause: The switch has too many ARP entries and may be suffering an ARP attack.
Solution: Configure static ARP entries for key servers or users and enable attack defense policies.
Note:
(1) By default, ARP strict learning is enabled on some fixed switch models and disabled on modular switches. When a fixed switch connected to a modular switch receives a gratuitous ARP packet, the fixed switch does not learn ARP entries. Therefore, some fixed switches cannot learn ARP entries.
(2) After ARP strict learning is enabled on a switch, the switch actively sends ARP request packets to hosts. Some PCs with wireless network adapters installed do not respond to ARP requests, so the switch cannot learn the ARP entries of the connected PCs. The PCs respond only after the network adapters are restarted. In this situation, disable ARP strict learning.
