Why are all IP packets and ARP packets still discarded when DHCP snooping is disabled on a VLAN?

This happens because the function of checking IP and ARP packets is enabled on an interface. When this function is enabled, IP and ARP packets are checked against the binding table; they cannot match any entries in the table and are therefore discarded.
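The following added example (a simplified Python model, not Huawei code) shows why the check discards everything when the binding table has nothing to match against. It assumes the table is empty because DHCP snooping is not populating it and no static entries exist, and that a packet must match an entry on source IP, source MAC, VLAN and interface; all addresses and names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One binding-table entry (hypothetical model of the four matched fields)."""
    ip: str
    mac: str
    vlan: int
    interface: str

def check_packet(check_enabled, table, src_ip, src_mac, vlan, interface):
    """Return 'forward' or 'discard' for one IP/ARP packet (simplified model)."""
    if not check_enabled:
        return "forward"  # no binding-table check on this interface
    entry = Binding(src_ip, src_mac, vlan, interface)
    return "forward" if entry in table else "discard"

# Constructed sample traffic: (source IP, source MAC, VLAN, ingress interface)
PACKETS = [
    ("10.1.100.10", "00e0-fc12-3456", 100, "GE1/0/1"),  # legitimate host
    ("10.1.100.20", "00e0-fc12-9999", 100, "GE1/0/1"),  # second legitimate host
    ("10.1.100.1", "00e0-fc12-3456", 100, "GE1/0/1"),   # host claiming the gateway IP
]

def run(check_enabled, table):
    """Apply the check to every sample packet and collect the verdicts."""
    return [check_packet(check_enabled, table, *pkt) for pkt in PACKETS]

def scenarios():
    empty = set()  # assumption: DHCP snooping disabled, no static entries
    populated = {
        Binding("10.1.100.10", "00e0-fc12-3456", 100, "GE1/0/1"),
        Binding("10.1.100.20", "00e0-fc12-9999", 100, "GE1/0/1"),
    }
    return {
        "check on, empty table": run(True, empty),
        "check on, populated table": run(True, populated),
        "check off": run(False, empty),
    }

if __name__ == "__main__":
    for name, verdicts in scenarios().items():
        print(f"{name:28} {verdicts}")
```

With the check on and a populated table, only the packet claiming the gateway IP is discarded; with the check off, that packet is forwarded as well, which is the protection given up by disabling the check instead of populating the table.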

Other related questions:
Reasons why all IP and ARP packets are still discarded when DHCP snooping is not enabled on S series switch
The function of checking IP and ARP packets is enabled on an interface. If this function is enabled, the IP and ARP packets cannot match entries in the binding table and are therefore discarded.

ARP anti-spoofing configuration on S series switch
The S series switch, except S1700, provides various methods to prevent ARP spoofing attacks.

- Dynamic ARP inspection (DAI). This function applies to the network where DHCP snooping is configured. It is recommended to configure DAI on the access switches. DAI can prevent man-in-the-middle attacks.
  # Enable DAI on GE 1/0/1.
  [HUAWEI] interface gigabitethernet 1/0/1
  [HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
  # Enable DAI in VLAN 100.
  [HUAWEI] vlan 100
  [HUAWEI-vlan100] arp anti-attack check user-bind enable

- Configure fixed ARP. To prevent ARP spoofing attacks, configure fixed ARP on the gateway.
  # Enable fixed ARP in fixed MAC mode.
  [HUAWEI] arp anti-attack entry-check fixed-mac enable

- Configure ARP gateway anti-collision (available only on S5720SI/S5720S-SI, S5720EI, S5720HI, S6720EI, and modular switches). When user hosts are directly connected to the gateway, configure this function on the gateway.
  # Enable ARP gateway anti-collision.
  [HUAWEI] arp anti-attack gateway-duplicate enable

- Configure the switch to actively discard gratuitous ARP packets (available only on modular switches). If you confirm that the gratuitous ARP packets are from attackers, enable the gateway to actively discard gratuitous ARP packets.
  # Enable the switch to actively discard gratuitous ARP packets globally.
  [HUAWEI] arp anti-attack gratuitous-arp drop

Reason for ping packet loss on S series switch
For S series modular switches: Ping packets sent from other devices to a switch are processed by the switch as fib-hit packets. The switch sends fib-hit packets to the CPU at the default CAR value to protect the CPU from being attacked by these packets. If the rate of ping packets sent to the CPU exceeds the CAR value, the switch discards the excess packets. To resolve the problem, set a larger CAR value for fib-hit packets.

What causes packet loss on the port of S series switches
For S series switches (except the S1700), packets will be discarded if traffic is too heavy or burst traffic occurs.
