With IPSG enabled, how will an S series switch process IP packets that do not match the binding table?


With IPSG enabled, an S series switch (except the S1700) checks IP packets against a DHCP snooping dynamic binding table or static binding table. Before the switch forwards an IP packet, it compares the source IP address, source MAC address, interface, or VLAN information in the IP packet with entries in the binding table. If a matching entry is found, the switch considers the IP packet as a valid packet and forwards it. Otherwise, the switch considers the IP packet as an attack packet and discards it.
Whether an IP packet sent from a terminal connected to a port matches a binding entry or not has no effect on the status of the port (for example, the port will not change from the up state to the shutdown or error-disable state).

Other related questions:
Types of packets checked by S series switches with IPSG enabled
For S series switches (except S1700 switches), IPSG takes effect only for IP packets (except DHCP packets) but not for packets of other types such as ARP or PPPoE. With IPSG enabled, an S series switch checks only IPv4 packets in versions earlier than V200R001 and checks all IPv4 and IPv6 packets in V200R001 and later versions.

Options in binding tables configured for IPSG on S series switches
Options in binding tables configured for IPSG on S series switches (except S1700 switches) include the following. With IPSG enabled, the switch checks IP packets against the options in a binding table, which can be combinations of source IP addresses, source MAC addresses, VLANs, and interfaces.
The following bindings can be configured in the interface view:
• Interface and IP address
• Interface and MAC address
• Interface, IP address, and MAC address
• Interface, IP address, and VLAN
• Interface, MAC address, and VLAN
• Interface, IP address, MAC address, and VLAN
The following bindings can be configured in the VLAN view:
• VLAN and IP address
• VLAN and MAC address
• VLAN, IP address, and MAC address
• VLAN, IP address, and interface
• VLAN, MAC address, and interface
• VLAN, IP address, MAC address, and interface

Check binding tables for IPSG on S series switches
You can check binding tables for IPSG on S series switches (except S1700 switches) as follows:
1. Run the display dhcp static user-bind all command to check static binding entries.
2. Run the display dhcp snooping user-bind all command to check dynamic DHCP snooping binding entries.

Configure binding tables for IPSG (user-bind binding tables) on S series switches
Configure a binding table for IPSG (user-bind binding table) on an S series switch (except the S1700) as follows:
• Static binding table
A static binding entry contains at least one of the following: IP address, MAC address, interface, VLAN, or a combination such as IP address and MAC address. An interface cannot be bound to a VLAN alone to form a binding entry. For example, configure a static binding entry of VLAN 2 and IP address 1.1.1.1:
[HUAWEI] user-bind static ip-address 1.1.1.1 vlan 2
Note: Static binding entries can be configured only in the system view.
• Dynamic binding table
Enable DHCP snooping globally and on an interface. Generally, the interface directly or indirectly connected to the DHCP server or gateway is configured as a trusted interface. After DHCP snooping is enabled and the trusted interface is configured, user-side interfaces automatically generate dynamic binding entries based on received DHCP ACK packets. For example, enable DHCP snooping globally and on GE0/0/1, and configure GE0/0/1 as a trusted interface:
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping enable
[HUAWEI-GigabitEthernet0/0/1] dhcp snooping trusted
Note: If both DHCP relay and VRRP are configured on a switch, DHCP snooping cannot be enabled. DHCP snooping also cannot be enabled if the DHCP server is on the subordinate VLAN side and the DHCP client is on the principal VLAN side.
After DHCP snooping is configured, the switch generates DHCP snooping entries for the hosts when the hosts go online again, and IPSG then takes effect. If you enable IPSG before the switch has generated DHCP snooping dynamic binding entries, the switch rejects all packets except DHCP Request packets, so hosts with dynamic IP addresses cannot communicate with each other. Therefore, configure DHCP snooping and let the switch generate dynamic binding entries before enabling IPSG.

Reasons why IP packets matching binding entries are discarded a while after S series switch generates the dynamic binding table
If IP packets that match entries in the binding table are discarded a while after the S series switch has generated the dynamic binding table, check whether the binding entries still exist. Dynamic binding entries have an aging time. If the IP address lease is not renewed before the aging time expires, the entries age out, and IP packets that matched the expired entries are discarded.
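The matching rule described above (forward on a binding hit, discard otherwise), the exemption of DHCP and non-IP packets, the "IPSG enabled before the snooping table exists" failure mode, and lease aging can all be exercised in one small model. The following Python is an added illustration written for this page, not Huawei code and not the switch's implementation. It assumes IPSG is enabled per interface, that a binding entry matches a packet when every field the entry carries equals the packet's field (unset fields act as wildcards), that both IPv4 and IPv6 are checked (V200R001 and later behaviour), and that a dynamic entry expires at DHCP ACK time plus lease length unless renewed. The MAC addresses, interface names and lease values are constructed sample data.

```python
"""Model of IPSG binding-table checks on an S series switch (illustrative, not vendor code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Packet:
    kind: str                  # "ipv4", "ipv6", "arp", "pppoe"
    src_mac: str
    vlan: int
    interface: str
    src_ip: Optional[str] = None
    dhcp: bool = False         # DHCP Discover/Request/ACK carried in IP


@dataclass(frozen=True)
class Binding:
    """One user-bind entry; a field left as None is not part of the binding."""
    ip: Optional[str] = None
    mac: Optional[str] = None
    vlan: Optional[int] = None
    interface: Optional[str] = None
    expires_at: Optional[int] = None   # None: static entry, never ages out

    def matches(self, pkt: Packet) -> bool:
        checks = ((self.ip, pkt.src_ip), (self.mac, pkt.src_mac),
                  (self.vlan, pkt.vlan), (self.interface, pkt.interface))
        return all(want is None or want == got for want, got in checks)


class IpsgSwitch:
    def __init__(self) -> None:
        self.static: List[Binding] = []
        self.dynamic: List[Binding] = []
        self.ipsg_interfaces: Set[str] = set()   # assumption: IPSG enabled per interface

    def add_static(self, **fields) -> None:
        # Equivalent of "user-bind static ..." in the system view.
        self.static.append(Binding(**fields))

    def learn_dhcp_ack(self, ip: str, mac: str, vlan: int, interface: str,
                       lease: int, now: int) -> None:
        # DHCP snooping creates a dynamic entry from an ACK seen on a user-side port.
        self.dynamic.append(Binding(ip=ip, mac=mac, vlan=vlan, interface=interface,
                                    expires_at=now + lease))

    def age_out(self, now: int) -> None:
        # Assumption: an entry whose lease was not renewed is removed at expiry.
        self.dynamic = [b for b in self.dynamic if b.expires_at > now]

    def process(self, pkt: Packet, now: int) -> str:
        """Return 'forward' or 'discard' for one received packet."""
        if pkt.interface not in self.ipsg_interfaces:
            return "forward"            # IPSG not enabled on this port
        if pkt.kind not in ("ipv4", "ipv6"):
            return "forward"            # ARP, PPPoE, etc. are not checked by IPSG
        if pkt.dhcp:
            return "forward"            # DHCP is exempt so hosts can still obtain a lease
        self.age_out(now)
        if any(b.matches(pkt) for b in self.static + self.dynamic):
            return "forward"
        return "discard"                # no binding: treated as an attack packet


def demo() -> Dict[str, str]:
    """Walk through the scenarios the page describes and collect each verdict."""
    sw = IpsgSwitch()
    sw.ipsg_interfaces.add("GE0/0/2")
    sw.add_static(ip="1.1.1.1", vlan=2)          # the page's static example
    host = dict(src_mac="00-e0-fc-12-34-56", vlan=2, interface="GE0/0/2")    # constructed
    other = dict(src_mac="00-e0-fc-aa-bb-cc", vlan=2, interface="GE0/0/2")   # constructed
    r: Dict[str, str] = {}
    # Static VLAN+IP entry: MAC and interface are wildcards, VLAN must match.
    r["static_match"] = sw.process(Packet("ipv4", src_ip="1.1.1.1", **other), now=0)
    r["static_wrong_vlan"] = sw.process(Packet("ipv4", src_ip="1.1.1.1", **dict(other, vlan=3)), now=0)
    r["arp_not_checked"] = sw.process(Packet("arp", **host), now=0)
    # IPSG enabled before any dynamic entry exists: only DHCP gets through.
    r["dhcp_before_lease"] = sw.process(Packet("ipv4", src_ip="0.0.0.0", dhcp=True, **host), now=0)
    r["ip_before_lease"] = sw.process(Packet("ipv4", src_ip="10.0.0.5", **host), now=0)
    sw.learn_dhcp_ack("10.0.0.5", host["src_mac"], 2, "GE0/0/2", lease=3600, now=10)
    r["ip_after_lease"] = sw.process(Packet("ipv4", src_ip="10.0.0.5", **host), now=20)
    # Same IP from another MAC on the same port: spoofed, no binding matches.
    r["spoofed_mac"] = sw.process(Packet("ipv4", src_ip="10.0.0.5", **other), now=20)
    # Lease never renewed: the entry ages out and the host's traffic is dropped.
    r["after_aging"] = sw.process(Packet("ipv4", src_ip="10.0.0.5", **host), now=10 + 3600 + 1)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The last two scenarios are the ones that generate support tickets: a host that worked for hours suddenly losing connectivity is the aging case, and the fix is to confirm with display dhcp snooping user-bind all whether the entry is still present before suspecting the port or the ACL.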
