FAQ: The ip source check user-bind enable command executed in a VLAN view causes service interruption

[Problem Description]
1. Symptom
The ip source check user-bind enable command executed in a VLAN view causes service interruption.
2. Networking
Terminal -- S2700 -- S5700 (Gateway)
3. Configuration
#
dhcp enable
dhcp snooping enable
user-bind static ip-address 192.168.34.10 mac-address 80fa-0367-db33
#
vlan 34
dhcp snooping enable
ip source check user-bind enable
#
interface Ethernet0/0/2
port link-type access
port default vlan 34
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
[Alarm]
None.
[Troubleshooting]
Delete the ip source check user-bind enable command from the VLAN view and then run this command in an interface view to restore the services.
[Root Cause]
A command executed in the VLAN view applies to packets received on every interface in the VLAN, including the uplink interface GigabitEthernet0/0/1. Layer 3 packets arriving on the uplink interface carry many different source IP addresses, and their source MAC address is the MAC address of the S5700 switch. These packets do not match any binding entry and are discarded, causing service interruption.
[Summary and Suggestions]
1. Using the ip source check user-bind enable command or other commands related to IPSG in the VLAN view causes service interruption.
2. Before using the commands in the VLAN view, run the user-bind static mac-address command to bind the MAC address and IP address of the Layer 3 interface of the uplink gateway.
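
The check below is an added example, not Huawei code or part of the original FAQ: it scans a saved configuration for VLANs that enable IPSG in the VLAN view while a trunk port also carries that VLAN, which is the condition described in the root cause. The function names are hypothetical, the sample is the configuration from this FAQ, and treating every trunk port as a possible uplink is an assumption.

```python
import re

# Constructed sample: the configuration shown in this FAQ.
SAMPLE_CONFIG = """\
#
dhcp enable
dhcp snooping enable
user-bind static ip-address 192.168.34.10 mac-address 80fa-0367-db33
#
vlan 34
 dhcp snooping enable
 ip source check user-bind enable
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 34
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
"""

def parse_vlan_list(spec):
    """Expand '2 to 4094', '10 20 30 to 40' or 'all' into a set of VLAN IDs."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:\s+to\s+(\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_vlan_ipsg(config):
    """Return sorted (vlan, trunk_port) pairs where VLAN-view IPSG also filters a trunk port."""
    prefix, ipsg_vlans, trunks, section = "port trunk allow-pass vlan ", set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            section = ("vlan", int(m.group(1)))
        elif m := re.fullmatch(r"interface (\S+)", line):
            section = ("if", m.group(1))
        elif line == "#":
            section = None  # '#' closes the current view
        elif section and section[0] == "vlan" and line == "ip source check user-bind enable":
            ipsg_vlans.add(section[1])
        elif section and section[0] == "if" and line.startswith(prefix):
            trunks.setdefault(section[1], set()).update(parse_vlan_list(line[len(prefix):]))
    return sorted((v, port) for port, allowed in trunks.items() for v in ipsg_vlans if v in allowed)

if __name__ == "__main__":
    print(audit_vlan_ipsg(SAMPLE_CONFIG))
```

Each reported pair is a trunk port whose traffic is checked against the binding table for that VLAN; the source MAC and IP seen on that port need a matching binding entry, or IPSG should be enabled in the access interface view instead.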

Other related questions:
In which views can IPSG be enabled on S series switches?
IPSG can be enabled on an S series switch (except the S1700) in an interface or a VLAN view. Interface views include the Ethernet interface view, GE interface view, 40GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, and port group view.
Example 1: Enable IPSG in the GE0/0/1 view.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable
Example 2: Enable IPSG in the VLAN 100 view.
[HUAWEI] vlan 100
[HUAWEI-vlan100] ip source check user-bind enable

Device restart after the user-bind static command is executed
For S series switches excluding the S1700, in V100R006, running the user-bind static command on the S2700-SI or S3700-SI causes the device to restart. This issue is fixed in later versions. You can upgrade the switch to V200R001 or a later version, or install patch V100R006SPH022. To download the patch, click S2700 Downloads.

How do I enter the service-ip view on the SC?
To enter the service-ip view on the SC, perform the following operations:
1. Run the system-view command to enter the system view.
2. Run the security-config command to enter the security-config view.
3. Run the service-ip command to enter the service-ip view.

Some services are interrupted after IPSG is configured on an S series switch. Why?
If some services are interrupted after IPSG is configured on an S series switch (except the S1700), possible causes include the following:
1. DHCP snooping is not enabled on a DHCP terminal or the DHCP terminal does not obtain an IP address again after DHCP snooping is enabled. As a result, the dynamic binding table does not contain correct information about the terminal. IP packets sent by the terminal are discarded, and the terminal cannot communicate with the network.
Solution: Enable DHCP snooping on the terminal and make the terminal obtain an IP address again to generate a dynamic binding entry in the binding table.
2. No static binding entry corresponding to a static user is generated. As a result, the user cannot go online.
Solution: Create a static binding entry for each authorized user connected to the switch.
Note: After the ip source check user-bind enable command is configured on an interface or in a VLAN, the interface or VLAN matches all received IP packets against the binding table and discards those that do not match it.
