Types of packets checked by S series switches with IPSG enabled

3

For S series switches (except S1700 switches), IPSG takes effect only for IP packets (except DHCP packets) but not for packets of other types such as ARP or PPPoE. With IPSG enabled, an S series switch checks only IPv4 packets in versions earlier than V200R001 and checks all IPv4 and IPv6 packets in V200R001 and later versions.

Other related questions:
Options in binding tables configured for IPSG on S series switches
Options in binding tables configured for IPSG on S series switches (except S1700 switches) include the following: With IPSG enabled, an S series switch (except the S1700) checks IP packets against options in a binding table, which can be combinations of source IP addresses, source MAC addresses, VLANs, and interfaces. The following bindings can be configured in an interface view: Interface and IP address Interface and MAC address Interface, IP address, and MAC address Interface, IP address, and VLAN Interface, MAC address, and VLAN Interface, IP address, MAC address, and VLAN The following bindings can be configured in a VLAN view: VLAN and IP address VLAN and MAC address VLAN, IP address, and MAC address VLAN, IP address, and interface VLAN, MAC address, and interface VLAN, IP address, MAC address, and interface

Check binding tables for IPSG on S series switches
You can check binding tables for IPSG on S series switches (except S1700 switches) as follows: 1. Run the display dhcp static user-bind all command to check static binding entries. 2. Run the display dhcp snooping user-bind all command to check dynamic DHCP snooping binding entries.

In which views can IPSG be enabled on S series switches
IPSG can be enabled on an S series switch (except the S1700) in an interface or a VLAN view. Interface views include the Ethernet interface view, GE interface view, 40GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, and port group view. Example 1: Enable IPSG in the GE0/0/1 view. [HUAWEI] interface gigabitethernet 0/0/1 [HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable Example 2: Enable IPSG in the VLAN 100 view. [HUAWEI] vlan 100 [HUAWEI-vlan100] ip source check user-bind enable

DHCP packet checksum check on S series switch
After the dhcp enable command is executed in the system view of S series switches, the switch checks the checksum of all passing DHCP packets as well as IP and UDP checksums.

Some services are interrupted after IPSG is configured on an S series switch. Why
If some services are interrupted after IPSG is configured on an S series switch (except the S1700), possible causes include the following: 1. DHCP snooping is not enabled on a DHCP terminal or the DHCP terminal does not obtain an IP address again after DHCP snooping is enabled. As a result, the dynamic binding table does not contain correct information about the terminal. IP packets sent by the terminal are discarded, and the terminal cannot communicate with the network. Solution: Enable DHCP snooping on the terminal and make the terminal obtain an IP address again to generate a dynamic binding entry in the binding table. 2. No static binding entry corresponding to a static user is generated. As a result, the user cannot go online. Solution: Create a static binding entry for each authorized user connected to the switch. Note: After the ip source check user-bind enable command is configured on an interface or in a VLAN. The interface or VLAN matches all received IP packets against a binding table and discards those not matching the binding table.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top