In which views can IPSG be enabled on S series switches?


IPSG can be enabled on an S series switch (except the S1700) in an interface or a VLAN view.
Interface views include the Ethernet interface view, GE interface view, 40GE interface view, XGE interface view, 100GE interface view, Eth-Trunk interface view, and port group view.
Example 1: Enable IPSG in the GE0/0/1 view.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] ip source check user-bind enable

Example 2: Enable IPSG in the VLAN 100 view.
[HUAWEI] vlan 100
[HUAWEI-vlan100] ip source check user-bind enable

Other related questions:
Types of packets checked by S series switches with IPSG enabled
For S series switches (except S1700 switches), IPSG takes effect only for IP packets (except DHCP packets) but not for packets of other types such as ARP or PPPoE. With IPSG enabled, an S series switch checks only IPv4 packets in versions earlier than V200R001 and checks all IPv4 and IPv6 packets in V200R001 and later versions.

Some services are interrupted after IPSG is configured on an S series switch. Why?
If some services are interrupted after IPSG is configured on an S series switch (except the S1700), possible causes include the following:
1. DHCP snooping is not enabled on a DHCP terminal, or the DHCP terminal does not obtain an IP address again after DHCP snooping is enabled. As a result, the dynamic binding table does not contain correct information about the terminal. IP packets sent by the terminal are discarded, and the terminal cannot communicate with the network.
Solution: Enable DHCP snooping on the terminal and make the terminal obtain an IP address again to generate a dynamic binding entry in the binding table.
2. No static binding entry corresponding to a static user is generated. As a result, the user cannot go online.
Solution: Create a static binding entry for each authorized user connected to the switch.
Note: After the ip source check user-bind enable command is configured on an interface or in a VLAN, the interface or VLAN matches all received IP packets against the binding table and discards those that do not match.
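The forwarding decision described in the two answers above, as an added illustrative model in Python (not Huawei code and not part of the original page). The match fields (IP, MAC, VLAN, interface), the treatment of unset fields as wildcards, and all addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    """One binding-table entry; None means the field is not part of the entry (assumption)."""
    ip: str
    mac: Optional[str] = None
    vlan: Optional[int] = None
    interface: Optional[str] = None
    source: str = "static"          # "static" or "dhcp-snooping"

@dataclass(frozen=True)
class Frame:
    kind: str                       # "ipv4", "ipv6", "dhcp", "arp" or "pppoe"
    src_ip: Optional[str]
    src_mac: str
    vlan: int
    interface: str

def ipsg_verdict(frame, table, checks_ipv6=True):
    """Return (action, reason). checks_ipv6=False models versions earlier than V200R001."""
    # IPSG applies only to IP packets; DHCP, ARP and PPPoE are outside its scope.
    if frame.kind not in ("ipv4", "ipv6"):
        return "forward", f"{frame.kind} is not checked by IPSG"
    if frame.kind == "ipv6" and not checks_ipv6:
        return "forward", "IPv6 is not checked before V200R001"
    for b in table:
        if (b.ip == frame.src_ip and b.mac in (None, frame.src_mac)
                and b.vlan in (None, frame.vlan)
                and b.interface in (None, frame.interface)):
            return "forward", f"matches {b.source} binding"
    return "drop", "no matching binding entry"

# Constructed sample data: one DHCP client with a snooped lease, one static user.
TABLE = [
    Binding("10.0.0.10", "0011-2233-4401", 100, "GE0/0/1", "dhcp-snooping"),
    Binding("10.0.0.20", "0011-2233-4402", 100, "GE0/0/1", "static"),
]
FRAMES = {
    "dhcp client with lease": Frame("ipv4", "10.0.0.10", "0011-2233-4401", 100, "GE0/0/1"),
    "static host, no entry": Frame("ipv4", "10.0.0.30", "0011-2233-4403", 100, "GE0/0/1"),
    "dhcp discover": Frame("dhcp", None, "0011-2233-4404", 100, "GE0/0/1"),
    "arp from unbound host": Frame("arp", "10.0.0.30", "0011-2233-4403", 100, "GE0/0/1"),
}

def audit(frames=FRAMES, table=TABLE):
    """Map each named frame to its (action, reason) verdict."""
    return {name: ipsg_verdict(f, table) for name, f in frames.items()}

if __name__ == "__main__":
    for name, (action, reason) in audit().items():
        print(f"{name:26} {action:8} {reason}")
```

The "static host, no entry" row is the outage case from cause 2: the host's IP traffic is dropped until a binding for it exists, while its ARP still passes because IPSG does not inspect ARP.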
