Some services are interrupted after IPSG is configured on an S series switch. Why


If some services are interrupted after IPSG is configured on an S series switch (except the S1700), possible causes include the following:
1. DHCP snooping is not enabled on a DHCP terminal or the DHCP terminal does not obtain an IP address again after DHCP snooping is enabled. As a result, the dynamic binding table does not contain correct information about the terminal. IP packets sent by the terminal are discarded, and the terminal cannot communicate with the network.
Solution: Enable DHCP snooping on the terminal and make the terminal obtain an IP address again to generate a dynamic binding entry in the binding table.
2. No static binding entry corresponding to a static user is generated. As a result, the user cannot go online.
Solution: Create a static binding entry for each authorized user connected to the switch.

Note: After the ip source check user-bind enable command is configured on an interface or in a VLAN, that interface or VLAN matches every received IP packet against the binding table and discards any packet that does not match a binding entry.

Other related questions:
FAQ: The ip source check user-bind enable command executed in a VLAN view causes service interruption
[Problem Description]
1. Symptom
The ip source check user-bind enable command executed in a VLAN view causes service interruption.
2. Networking
Terminal - S2700 - S5700 (Gateway)
3. Configuration
#
dhcp enable
dhcp snooping enable
user-bind static ip-address 192.168.34.10 mac-address 80fa-0367-db33
#
vlan 34
 dhcp snooping enable
 ip source check user-bind enable
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 34
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
[Alarm]
None.
[Troubleshooting]
Delete the ip source check user-bind enable command from the VLAN view and then run this command in an interface view to restore the services.
[Root Cause]
If a command is executed in the VLAN view, the command takes effect for all packets received by all interfaces in the VLAN, including the uplink interface GigabitEthernet0/0/1. Source IP addresses of Layer 3 packets received by the uplink interface are different, and the source MAC addresses are the MAC address of the S5700 switch. The packets that do not match any binding entry are discarded, causing service interruption.
[Summary and Suggestions]
1. Using the ip source check user-bind enable command or other commands related to IPSG in the VLAN view causes service interruption.
2. Before using the commands in the VLAN view, run the user-bind static mac-address command to bind the MAC address and IP address of the Layer 3 interface of the uplink gateway.
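The note above describes IPSG as a per-packet lookup against the binding table, and this FAQ shows why the scope in which it is enabled matters: in the VLAN view the check also covers the uplink port, so routed traffic returning from the gateway (varying source IPs, gateway source MAC) has no matching entry and is dropped. The following Python model is an added illustration, not Huawei code; it reproduces the binding entry and interface names from the configuration above, while the gateway MAC, the remote server address and the spoofed MAC are constructed values. The model matches on source IP and source MAC (plus VLAN when an entry carries one) and treats a packet as subject to IPSG when either its VLAN or its ingress interface has IPSG enabled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the IPSG binding-table check described in the FAQ.
# Not Huawei code: the matching rules are simplified to IP + MAC (+ VLAN if set).


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: Optional[int] = None  # None: entry is not restricted to a VLAN


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    vlan: int
    in_interface: str


class IpsgSwitch:
    def __init__(self) -> None:
        self.bindings: list[Binding] = []
        self.ipsg_vlans: set[int] = set()        # "ip source check user-bind enable" in VLAN view
        self.ipsg_interfaces: set[str] = set()   # same command in interface view

    def user_bind_static(self, ip: str, mac: str, vlan: Optional[int] = None) -> None:
        self.bindings.append(Binding(ip, mac, vlan))

    def enable_ipsg_on_vlan(self, vlan: int) -> None:
        self.ipsg_vlans.add(vlan)

    def enable_ipsg_on_interface(self, interface: str) -> None:
        self.ipsg_interfaces.add(interface)

    def _matches(self, pkt: Packet, b: Binding) -> bool:
        return (pkt.src_ip == b.ip and pkt.src_mac == b.mac
                and (b.vlan is None or b.vlan == pkt.vlan))

    def forward(self, pkt: Packet) -> bool:
        """True if the packet is forwarded, False if the IPSG check discards it."""
        checked = pkt.vlan in self.ipsg_vlans or pkt.in_interface in self.ipsg_interfaces
        if not checked:
            return True  # IPSG is not enabled for this VLAN/interface: no lookup
        return any(self._matches(pkt, b) for b in self.bindings)


def scenario(ipsg_view: str) -> dict:
    """Build the S2700 from the FAQ with IPSG enabled in 'vlan' or 'interface' view."""
    sw = IpsgSwitch()
    sw.user_bind_static("192.168.34.10", "80fa-0367-db33")  # entry from the FAQ config
    if ipsg_view == "vlan":
        sw.enable_ipsg_on_vlan(34)
    elif ipsg_view == "interface":
        sw.enable_ipsg_on_interface("Ethernet0/0/2")  # the downlink (user-side) port
    else:
        raise ValueError(ipsg_view)

    host_pkt = Packet("192.168.34.10", "80fa-0367-db33", 34, "Ethernet0/0/2")
    # Return traffic from the gateway: remote source IP, gateway's own source MAC.
    # Both values are constructed for the example.
    uplink_pkt = Packet("10.0.0.5", "0000-5e00-0134", 34, "GigabitEthernet0/0/1")
    # A host on the access port using the bound IP with a different (constructed) MAC.
    spoof_pkt = Packet("192.168.34.10", "1111-2222-3333", 34, "Ethernet0/0/2")
    return {
        "host": sw.forward(host_pkt),
        "uplink": sw.forward(uplink_pkt),
        "spoof": sw.forward(spoof_pkt),
    }


if __name__ == "__main__":
    for view in ("vlan", "interface"):
        print(view, scenario(view))
```

Running the two scenarios shows the FAQ's root cause and its fix side by side: with IPSG in the VLAN view the uplink packet is discarded along with the spoofed one, while with IPSG on the downlink interface only the spoofed packet is dropped and the gateway's return traffic is forwarded.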

Why does service interruption occur on some applications after the NAT or firewall function is configured on an AR router
The default timeout duration of the session table may be shorter than the timeout duration of the corresponding application (for example, a voice service). As a result, the session table entry times out and is aged before the application times out, and application packets transmitted after the entry has aged are discarded. Run the firewall-nat session aging-time command to prolong the TCP/UDP timeout duration.

Why is service (such as voice) interrupted after being configured with NAT or firewall
The aging time of the session table is shorter than the aging time of the service. The session table entry is aged out while the service is still active, so the service packets sent after the entry has aged are discarded and the service is interrupted. Run the firewall-nat session aging-time command to increase the TCP/UDP timeout interval.

IPSG does not take effect on an S series switch. What are the possible causes
If IPSG does not take effect on an S series switch (except the S1700), possible causes include the following:
1. A binding entry is incorrect.
a. A static binding table is created using the user-bind static command. If the binding entry of a valid host is not in the binding table, add the host's binding entry to the binding table. If the host's entry exists in the binding table, check whether the MAC address in the entry is the same as the host's MAC address; if the host's network card has been replaced, the MAC address in the entry may not have been updated. Also check whether the host's entry contains VLAN information: the switch allows the packets from the host to pass only when the interface connected to this host has been added to the correct VLAN.
b. A dynamic binding table is generated only when DHCP snooping is enabled, the interface connected to the DHCP server is configured as a trusted interface, and the PC then obtains a new IP address.
2. IPSG is not enabled in the specified interface or VLAN view. After a binding table is generated, the IPSG function must be enabled in the interface or VLAN view using the ip source check user-bind enable command. IPSG takes effect only on the interface or VLAN where it is enabled, and no IPSG check is performed on interfaces or VLANs where it is disabled. Therefore, if IPSG does not take effect on an interface or in a VLAN, the IPSG function may not be enabled on this interface or in this VLAN.
3. IPSG is enabled in the VLAN to which the uplink interface belongs. IPSG is meant to be enabled on the user-side interface, namely the downlink interface. If IPSG is enabled on the uplink interface, the packets returned by the gateway may be discarded, and user services are interrupted.
Solution: Disable IPSG in the VLAN to which the uplink interface belongs.
4. DHCP snooping is disabled, or a DHCP snooping trusted interface is configured, on the uplink interface or in the VLAN to which the uplink interface belongs. If DHCP snooping is disabled on an interface using the dhcp snooping disable command, or if the interface is configured as a DHCP snooping trusted interface using the dhcp snooping trusted command, the IPSG function on the interface or in the VLAN to which the interface belongs does not take effect.
5. Hardware ACL resources are insufficient. The hardware ACL resources are shared by IPSG and other services. If the ACL resources are insufficient, IPSG cannot take effect. For example, you can run the display dhcp static user-bind all verbose command to view the IPSG status of static binding entries. If the value of IPSG Status is ineffective, IPSG does not take effect for this entry, and the possible cause is that hardware ACL resources are insufficient.
6. A QoS traffic policy conflicts with IPSG. This situation may only occur in V1R6C05. When a QoS traffic policy conflicts with IPSG, the traffic behavior in the QoS traffic policy takes effect. In this situation, you need to modify the service configuration.
