IPSG does not take effect on an S series switch. What are the possible causes

3

If IPSG does not take effect on an S series switch (except the S1700), possible causes include the following:
1. A binding entry is incorrect.
a. A static binding table is created using the user-bind static command. If the binding entry of a valid host is not in the binding table, add the host's binding entry to the binding table. If the host's entry exists in the binding table, check whether the MAC address in the entry is the same as the host's MAC address. If the network card of the host is replaced, the MAC address in the entry may not be updated. Check whether the host's entry contains VLAN information. Only when the interface connected to this host has been added to the correct VLAN, the switch allows the packets from the host to pass.
b. A dynamic binding table is generated only when DHCP snooping is enabled, the interface connected to the DHCP server is configured as a trusted interface, and then the PC obtains a new IP address.

2. IPSG is not enabled in the specified interface or VLAN view.
After a binding table is generated, the IPSG function must be enabled in the interface or VLAN view using the ip source check user-bind enable command.
IPSG takes effect only on the interface or VLAN where it is enabled, and IPSG check is not performed on the interfaces or VLANs with IPSG disabled. Therefore, if IPSG does not take effect on an interface or in a VLAN, the IPSG function may not be enabled on this interface or in this VLAN.

3. IPSG is enabled in the VLAN to which the uplink interface belongs.
IPSG is enabled on the user-side interface, namely, the downlink interface. If IPSG is enabled on the uplink interface, the packets returned by the gateway may be discarded. As a result, user service is interrupted.
Solution: Disable IPSG in the VLAN to which the uplink interface belongs.

4. DHCP snooping is disabled or a DHCP snooping trusted interface is configured on the uplink interface or in the VLAN to which the uplink interface belongs.
If DHCP snooping if disabled on an interface using the dhcp snooping disable command, or if a DHCP snooping trusted interface is configured on the interface using the dhcp snooping trusted command, the IPSG function on the interface or in the VLAN to which the interface belongs does not take effect.

5. Hardware ACL resources are insufficient.
The hardware ACL resources are used by IPSG and other services. If the ACL resources are insufficient, IPSG cannot take effect.
For example, you can run the display dhcp static user-bind all verbose command to view the IPSG status corresponding to static binding entries. If the value of IPSG Status is ineffective, IPSG of this entry does not take effect. The possible cause is that hardware ACL resources are insufficient.

6. A QoS traffic policy conflicts with IPSG.
This situation may only occur in V1R6C05. When a QoS traffic policy conflicts with IPSG, the traffic behavior in the QoS traffic policy takes effect. In this situation, you need to modify service configurations.

Other related questions:
Why does IPSG fail to take effect
The possible causes are as follows: --Invalid binding entries A static binding table is created using the user-bind static command. A dynamic binding table is generated only after the DHCP snooping function is enabled. --IPSG not enabled on the specified interface or VLAN After a binding table is generated, the IPSG function must be enabled in the interface or VLAN view using the ip source check user-bind enable command. IPSG takes effect only on the interface or VLAN where it is enabled, and IPSG check is not performed on the interfaces or VALNs without IPSG enabled. Therefore, if IPSG does not take effect on an interface or in a VLAN, the IPSG function may not be enabled on this interface or in this VLAN. --Insufficient hardware ACL resources The hardware ACL resources are shared by IPSG and other services. If the ACL resources are insufficient, IPSG cannot take effect. For example, you can run the display dhcp static user-bind all verbose command to view the IPSG status corresponding to static binding entries. If the value of IPSG Status is ineffective, IPSG of this entry does not take effect. The possible reason is that hardware ACL resources are insufficient. --Conflict between IPSG and QoS traffic policy This situation may only occur in V1R6C05. When a QoS traffic policy conflicts with IPSG, the traffic behavior in the QoS traffic policy takes effect.

DHCP configuration on S series switch does not take effect
DHCP configuration may not take effect on an S series switch due to the following reasons: 1. DHCP server is disabled on the switch. 2. The DHCP address pool is configured incorrectly. 3. No IP network segment is specified on the interface connected to DHCP clients, or the specified IP network segment is on a different network segment from the address pool. 4. If ACL resources are exhausted, the DHCP commands run globally or on an interface will not take effect.

Types of packets checked by S series switches with IPSG enabled
For S series switches (except S1700 switches), IPSG takes effect only for IP packets (except DHCP packets) but not for packets of other types such as ARP or PPPoE. With IPSG enabled, an S series switch checks only IPv4 packets in versions earlier than V200R001 and checks all IPv4 and IPv6 packets in V200R001 and later versions.

Mechanism for ACL rules on S series switches to take effect
ACL rules on S series switches are classified into the following two modes: An ACL is bound to the traffic policy and delivered to the hardware of the LPU through the first mode. The second mode relates to software processing. An ACL prevents users from logging in through Telnet. After being sent to the CPU, packets are processed in the sequence that is specified during the configuration of the ACL. Rules in an ACL can be matched according to the depth first principle or the configuration order.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top