After DAI and EAI are enabled on an S series switch, why can the switch forward ARP packets sent by unauthorized users to request MAC addresses of authorized users


For S series switches:
In versions earlier than V200R001, a DAI-enabled switch checks each incoming ARP packet against the binding table using ACL rules delivered to the chip. An EAI-enabled switch instead sends ARP packets to the CPU, which looks up the packet's outbound interface in the binding table and forwards the packet in software. Both DAI and EAI are Layer 2 functions, but the ACL rule that EAI delivers (send ARP packets to the CPU) takes precedence over the ACL rule that DAI delivers. When both functions are enabled, an ARP packet therefore matches the EAI rule first and is never subjected to the DAI binding check, so an ARP packet sent by an unauthorized user to request the MAC address of an authorized user is forwarded normally by the software path.
In V200R001 and later versions, a DAI-enabled switch performs the binding check in software before the packet is forwarded, so this problem does not occur.
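The following is an added, constructed model of the dispatch order described above (not Huawei's code; the binding table, ACL rule names, ports and addresses are made up). It shows why first-match ACL evaluation with the EAI rule at higher priority lets an unauthorized sender's ARP Request through untouched, and how running the DAI check in software before forwarding closes the gap.

```python
"""Simplified model of ARP packet handling on a switch with DAI and EAI enabled.
Constructed illustration only: rule names, binding entries and packets are invented."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    src_ip: str
    src_mac: str
    in_port: str
    target_ip: str


# Constructed binding table of authorized users: (ip, mac, port).
BINDING_TABLE = {
    ("10.0.0.11", "00:11:22:33:44:11", "GE0/0/1"),
    ("10.0.0.12", "00:11:22:33:44:12", "GE0/0/2"),
}


def dai_check(pkt: ArpPacket) -> bool:
    """DAI: the sender's (ip, mac, port) triple must exist in the binding table."""
    return (pkt.src_ip, pkt.src_mac, pkt.in_port) in BINDING_TABLE


def eai_forward(pkt: ArpPacket) -> str:
    """EAI software path: resolve the target IP's outbound port from the binding
    table and forward there. Note that it never looks at the sender's binding."""
    for ip, _mac, port in BINDING_TABLE:
        if ip == pkt.target_ip:
            return f"forwarded to {port}"
    return "dropped (no binding for target)"


def dispatch_pre_v200r001(pkt: ArpPacket, dai: bool = True, eai: bool = True) -> str:
    """Versions earlier than V200R001: both functions install chip ACL rules, the
    rules are evaluated in priority order and every ARP packet matches the first
    one. EAI's 'send to CPU' rule sits above DAI's check rule, so with both
    enabled the DAI rule is shadowed."""
    rules = []
    if eai:
        rules.append(("eai-to-cpu", eai_forward))
    if dai:
        rules.append(("dai-check", lambda p: "forwarded" if dai_check(p) else "dropped (DAI)"))
    if not rules:
        return "forwarded"
    _name, action = rules[0]  # first-match semantics: only the top rule ever fires
    return action(pkt)


def dispatch_v200r001(pkt: ArpPacket, dai: bool = True, eai: bool = True) -> str:
    """V200R001 and later: the DAI binding check runs in software before any
    forwarding decision, so the EAI path only sees packets that passed it."""
    if dai and not dai_check(pkt):
        return "dropped (DAI)"
    return eai_forward(pkt) if eai else "forwarded"


if __name__ == "__main__":
    rogue = ArpPacket("10.0.0.99", "de:ad:be:ef:00:99", "GE0/0/5", "10.0.0.11")
    print("old, DAI+EAI :", dispatch_pre_v200r001(rogue))
    print("old, DAI only:", dispatch_pre_v200r001(rogue, eai=False))
    print("new, DAI+EAI :", dispatch_v200r001(rogue))
```

Running it shows the rogue request (no binding for the sender) reaching the authorized user's port on the old dispatch order with both functions on, being dropped when only DAI is on, and being dropped on the newer order regardless of EAI.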

Other related questions:
Why cannot a DAI-enabled S series switch forward valid ARP packets at line rate
For S series switches running versions earlier than V200R001, a DAI-enabled switch checks ARP packets using ACL rules delivered to the chip, so valid packets are forwarded by the chip at line rate. In V200R001 and later versions, a DAI-enabled switch checks ARP packets and forwards valid ones in software, so the forwarding rate depends on factors such as the CPCAR value configured for ARP packets and the current CPU usage. E series switches behave like S series switches running V200R001 or later: a DAI-enabled switch checks ARP packets and forwards valid ones in software, and the forwarding rate depends on the CPCAR value for ARP packets and the CPU usage.

Why cannot a DAI-enabled switch forward valid ARP packets at line rate
In versions earlier than V200R001, a DAI-enabled switch checks ARP packets using ACL rules delivered to the chip, so valid packets are forwarded by the chip at line rate. In V200R001 and later versions, a DAI-enabled switch checks ARP packets and forwards valid ones in software. The forwarding rate then depends on the CIR value of the CPCAR for ARP packets and on the CPU usage.

Strict ARP learning is enabled on S series switches, and the user has learned the switch's ARP entry. Why cannot the switch learn the user ARP entry by pinging the user
For S series switches: After strict ARP learning is enabled, the switch learns ARP entries only from Reply packets that answer ARP Request packets the switch itself originated. A firewall on the PC may prevent the PC from sending an ARP Reply when it receives an ARP Request, or the PC's NIC may be unable to return ARP Reply packets. In that case the switch never receives an ARP Reply, whether the switch pings the user or the user sends data packets to the switch that trigger ARP Miss messages, so the switch cannot learn the user's ARP entry. If this happens for only a few users, configure static ARP entries for them; if it happens for most users, disable strict ARP learning on the switch.
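The following is an added, constructed model of the strict ARP learning rule described above (not Huawei's code; the hosts, addresses and the `answers_requests` flag standing in for a firewall or NIC that drops ARP Requests are invented). Beyond the page's case, it also shows the property that makes strict learning worth the trouble: an unsolicited (gratuitous or spoofed) Reply is ignored because no matching Request is outstanding, and a static entry is never overwritten by a dynamic one.

```python
"""Model of strict ARP learning: entries are learned only from a Reply that
answers a Request the switch originated. Constructed illustration only."""
from dataclasses import dataclass, field


@dataclass
class StrictArpSwitch:
    own_ip: str
    pending: set = field(default_factory=set)   # target IPs with an outstanding Request
    table: dict = field(default_factory=dict)   # ip -> mac, dynamic and static entries
    static: set = field(default_factory=set)    # IPs whose entry was configured statically

    def send_request(self, target_ip: str) -> None:
        """Locally originated ARP Request, e.g. triggered by a ping from the
        switch or by an ARP Miss when forwarding the user's data packets."""
        self.pending.add(target_ip)

    def receive(self, op: str, sender_ip: str, sender_mac: str) -> bool:
        """Return True if the packet resulted in a learned entry. Requests never
        populate the table, and a Reply is accepted only while a Request for
        that IP is outstanding; static entries are left untouched."""
        if op != "reply" or sender_ip not in self.pending:
            return False
        self.pending.discard(sender_ip)
        if sender_ip in self.static:
            return False
        self.table[sender_ip] = sender_mac
        return True

    def add_static(self, ip: str, mac: str) -> None:
        """Workaround for a user that never answers: bind the entry statically."""
        self.table[ip] = mac
        self.static.add(ip)


@dataclass
class Host:
    ip: str
    mac: str
    answers_requests: bool = True  # False models a firewall/NIC dropping ARP Requests

    def handle_request(self, switch: StrictArpSwitch) -> None:
        if self.answers_requests:
            switch.receive("reply", self.ip, self.mac)


def ping_user(switch: StrictArpSwitch, host: Host):
    """Switch pings the host: it sends an ARP Request and the host may or may
    not reply. Returns the learned MAC, or None if nothing was learned."""
    switch.send_request(host.ip)
    host.handle_request(switch)
    return switch.table.get(host.ip)


if __name__ == "__main__":
    sw = StrictArpSwitch("10.0.0.1")
    print(ping_user(sw, Host("10.0.0.11", "00:11:22:33:44:11")))
    print(ping_user(sw, Host("10.0.0.12", "00:11:22:33:44:12", answers_requests=False)))
```

The second ping returns nothing learned, which is the situation the answer describes: the switch's own Request goes out but no Reply ever comes back, so neither pinging the user nor ARP Miss handling can populate the table until a static entry is added or strict learning is disabled.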

After I enable ARP gateway anti-collision and send gateway collision ARP packets from a MAC address, why can the MAC address not forward traffic
When the ARP gateway anti-collision function detects gateway collision ARP packets (ARP packets that carry the gateway's IP address as the sender IP but a source MAC address other than the gateway's), the switch prohibits that source MAC address from forwarding packets for three minutes.
