Configuring dynamic ARP inspection (DAI)

DAI prevents man-in-the-middle attacks and IP address spoofing by checking that ARP packets arriving on untrusted ports carry a valid IP-to-MAC address binding (the bindings are learned by DHCP snooping). DAI forwards only ARP requests and responses that pass this check; packets on trusted ports are not inspected.

To use DAI, you must first enable the DHCP-snooping feature, enable DAI, and then enable DAI for each VLAN. By default, DAI is disabled on all VLANs.

After enabling DHCP snooping on the VLAN interface with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI on that VLAN interface (vsw.test in this example) and then set the trust state of each FortiSwitch port (uplink and DHCP-server-facing ports are typically trusted; all other ports are left untrusted):

config system interface
    edit vsw.test
        set switch-controller-arp-inspection {enable | disable}
    end

config switch-controller managed-switch
    edit <FortiSwitch_serial_number>
        config ports
            edit <port_name>
                set arp-inspection-trust {untrusted | trusted}
            next
        end
    next
end

Use the following CLI command to check DAI statistics for a FortiSwitch unit:

diagnose switch-controller switch-info arp-inspection stats <FortiSwitch_serial_number>

Use the following CLI command to delete DAI statistics for a specific VLAN:

diagnose switch-controller switch-info arp-inspection stats-clear <VLAN_ID> <FortiSwitch_serial_number>
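To make the forwarding decision described above concrete, the following is an added example (not Fortinet's code and not the FortiSwitch implementation) that models DAI on a switch: frames on trusted ports or on VLANs without DAI are forwarded unchecked, frames on untrusted ports are forwarded only if the ARP sender IP/MAC pair matches the DHCP-snooping binding table, and per-VLAN counters mirror what the stats and stats-clear diagnostics expose. The binding entries, port names, VLAN IDs and ARP frames are constructed sample data; the class and function names are the example's own.

```python
"""Added example (not Fortinet's code): a model of the dynamic ARP inspection
(DAI) check a switch applies on untrusted ports, with per-VLAN statistics.
All bindings, ports and frames below are constructed sample data."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpFrame:
    in_port: str        # switch port the frame arrived on
    vlan: int           # VLAN the frame belongs to
    sender_ip: str      # ARP sender protocol address
    sender_mac: str     # ARP sender hardware address
    op: str             # "request" or "reply"


@dataclass
class DaiSwitch:
    # DHCP-snooping binding table: (vlan, ip) -> mac, learned from DHCP leases
    bindings: Dict[Tuple[int, str], str] = field(default_factory=dict)
    # Ports configured as trusted (models 'set arp-inspection-trust trusted')
    trusted_ports: Set[str] = field(default_factory=set)
    # VLANs with DAI enabled (models 'set switch-controller-arp-inspection enable')
    dai_vlans: Set[int] = field(default_factory=set)
    # Per-VLAN counters, like the 'arp-inspection stats' diagnostic output
    stats: Dict[int, Dict[str, int]] = field(default_factory=dict)

    def _count(self, vlan: int, key: str) -> None:
        self.stats.setdefault(vlan, {"forwarded": 0, "dropped": 0})[key] += 1

    def inspect(self, f: ArpFrame) -> bool:
        """Return True if the ARP frame is forwarded, False if DAI drops it."""
        if f.vlan not in self.dai_vlans or f.in_port in self.trusted_ports:
            # No inspection: DAI is off for this VLAN, or the port is trusted
            self._count(f.vlan, "forwarded")
            return True
        expected_mac = self.bindings.get((f.vlan, f.sender_ip))
        if expected_mac is not None and expected_mac.lower() == f.sender_mac.lower():
            self._count(f.vlan, "forwarded")
            return True
        # Unknown sender IP, or IP bound to a different MAC: spoofing candidate
        self._count(f.vlan, "dropped")
        return False

    def stats_clear(self, vlan: int) -> None:
        """Reset the counters of one VLAN (models 'arp-inspection stats-clear')."""
        self.stats.pop(vlan, None)


def run_demo() -> Tuple[DaiSwitch, List[bool]]:
    """Build a switch with constructed data and inspect a few sample ARP frames."""
    switch = DaiSwitch(
        bindings={(10, "10.0.10.25"): "aa:bb:cc:00:00:25"},  # one snooped lease
        trusted_ports={"port1"},                             # uplink to gateway/DHCP
        dai_vlans={10},                                      # DAI enabled on VLAN 10 only
    )
    frames = [
        # Host with a valid lease on an untrusted access port: forwarded
        ArpFrame("port5", 10, "10.0.10.25", "aa:bb:cc:00:00:25", "request"),
        # Untrusted host claiming the gateway address (no binding): dropped
        ArpFrame("port7", 10, "10.0.10.1", "dd:ee:ff:00:00:01", "reply"),
        # Untrusted host claiming a bound IP with the wrong MAC: dropped
        ArpFrame("port7", 10, "10.0.10.25", "dd:ee:ff:00:00:01", "reply"),
        # Same gateway claim on the trusted uplink: not inspected, forwarded
        ArpFrame("port1", 10, "10.0.10.1", "00:11:22:33:44:55", "reply"),
        # VLAN 20 has DAI disabled: forwarded without a binding
        ArpFrame("port9", 20, "10.0.20.7", "dd:ee:ff:00:00:07", "request"),
    ]
    decisions = [switch.inspect(f) for f in frames]
    return switch, decisions


if __name__ == "__main__":
    sw, results = run_demo()
    for vlan, counters in sorted(sw.stats.items()):
        print(f"VLAN {vlan}: {counters}")
```

Note the second sample frame: a host using a static address on an untrusted port has no DHCP-snooping binding and is dropped exactly like a spoofed gateway, which is why ports facing statically addressed infrastructure are set to trusted, and why a sudden rise in a VLAN's dropped counter in the stats output is worth correlating with both spoofing attempts and newly connected static hosts.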
