Administration Guide

Dynamic ARP inspection

Dynamic ARP Inspection (DAI) prevents man-in-the-middle attacks and IP address spoofing by checking that ARP packets arriving on untrusted ports carry a valid IP-to-MAC address binding; the bindings are the ones learned by DHCP snooping. To use DAI, you must first enable the DHCP snooping feature and then enable DAI for each VLAN. See DHCP snooping.

Configuring DAI

Configuring DAI consists of the following steps:

  1. Enable DAI for each VLAN. By default, it is disabled.
  2. Enable DAI for the switch interface. By default, all interfaces are in an untrusted state. You must explicitly configure the trusted interfaces.

Enable DAI for each VLAN

Using the GUI:
  1. Go to Switch > VLAN.
  2. Select Add VLAN.
  3. Enter the VLAN identifier.
  4. Enter a description for the new VLAN.
  5. Under DHCP Snooping, select Enable.
  6. Select Dynamic ARP Inspection.
  7. To save your changes, select Add at the bottom of the page.

Using the CLI:

  config switch vlan
    edit <vlan-id>
      set arp-inspection {enable | disable}
    next
  end

Enable DAI for the switch interface

Using the GUI:
  1. Go to Switch > Interface > Physical.
  2. Select an interface and select Edit.
  3. Enter the VLAN identifier.
  4. Enter a description for the new VLAN.
  5. Select Untrusted or Trusted for DHCP Snooping.
  6. Select OK.

Using the CLI:

  config switch interface
    edit <interface-name>
      set arp-inspection-trust {untrusted | trusted}
    next
  end
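The following is an added reference model of the decision the two configuration steps above produce. It is illustration code written for this page, not FortiSwitch software: it models only what the guide states (DAI is checked per VLAN where it is enabled, untrusted interfaces are validated against the DHCP snooping IP-MAC bindings, trusted interfaces bypass the check) and keeps counters in the shape of the diagnose output shown in the next section. The class and field names, the port names and the binding table contents are constructed for the example.

```python
"""Reference model of Dynamic ARP Inspection as described in this guide.

Added example, not FortiSwitch code. Names (SwitchDai, ArpPacket, the port
and VLAN values) are assumptions of this illustration.
"""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_ip: str
    sender_mac: str
    op: str  # "arp-request" or "arp-reply"


@dataclass
class SwitchDai:
    # Per-VLAN 'set arp-inspection enable' state; VLANs absent here are disabled.
    arp_inspection: dict[int, bool] = field(default_factory=dict)
    # Per-interface 'set arp-inspection-trust'; unlisted interfaces are untrusted.
    trust: dict[str, str] = field(default_factory=dict)
    # DHCP snooping binding table: (vlan, ip) -> mac, learned from DHCP exchanges.
    bindings: dict[tuple[int, str], str] = field(default_factory=dict)
    # Counters per VLAN and ARP operation, mirroring the diagnose stats layout.
    stats: dict[int, dict[str, dict[str, int]]] = field(default_factory=dict)

    def _count(self, vlan: int, op: str, bucket: str) -> None:
        per_vlan = self.stats.setdefault(vlan, {})
        per_op = per_vlan.setdefault(op, {"received": 0, "forwarded": 0, "dropped": 0})
        per_op[bucket] += 1

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forwarded' or 'dropped' for one ARP packet and update counters."""
        self._count(pkt.vlan, pkt.op, "received")
        if not self.arp_inspection.get(pkt.vlan, False):
            verdict = "forwarded"          # DAI disabled on this VLAN: nothing is checked
        elif self.trust.get(pkt.ingress_port, "untrusted") == "trusted":
            verdict = "forwarded"          # trusted interface: binding check is bypassed
        elif self.bindings.get((pkt.vlan, pkt.sender_ip)) == pkt.sender_mac.lower():
            verdict = "forwarded"          # untrusted, but sender IP-MAC matches a binding
        else:
            verdict = "dropped"            # untrusted and no matching binding
        self._count(pkt.vlan, pkt.op, verdict)
        return verdict


def demo() -> SwitchDai:
    """Run a constructed set of packets through a small two-VLAN configuration."""
    sw = SwitchDai(
        arp_inspection={100: True, 200: False},
        trust={"port1": "trusted"},     # uplink toward the DHCP server and gateway
        bindings={(100, "10.0.100.20"): "00:11:22:33:44:55"},
    )
    packets = [
        # host on an access port, sender IP-MAC matches its DHCP binding
        ArpPacket("port5", 100, "10.0.100.20", "00:11:22:33:44:55", "arp-reply"),
        # same host answering for an IP that is not bound to its MAC
        ArpPacket("port5", 100, "10.0.100.1", "00:11:22:33:44:55", "arp-reply"),
        # the real gateway replying over the trusted uplink (no binding needed)
        ArpPacket("port1", 100, "10.0.100.1", "aa:bb:cc:dd:ee:ff", "arp-reply"),
        # VLAN 200 has DAI disabled, so the packet is forwarded unchecked
        ArpPacket("port7", 200, "10.0.200.9", "de:ad:be:ef:00:01", "arp-request"),
    ]
    for pkt in packets:
        sw.inspect(pkt)
    return sw


if __name__ == "__main__":
    for vlan, ops in sorted(demo().stats.items()):
        print(f"vlan {vlan}: {ops}")
```

The model makes the operational point of step 2 explicit: because every interface defaults to untrusted, the uplink that carries legitimate gateway and DHCP server traffic must be marked trusted, or its ARP replies are dropped for lack of a snooping binding.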

Checking ARP packets

Use the following command to see how many ARP packets have been dropped or forwarded:

	#diagnose switch arp-inspection stats

	vlan 100           arp-request               arp-reply
	-----------------------------------------------------------------------
	received                0                        0
	forwarded               0                        0
	dropped                 0                        0
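A rising dropped counter is the signal that something on an untrusted port is sending ARP traffic that does not match the snooping bindings. The following added example (written for this page, not a FortiSwitch tool) parses output in the layout shown above and flags VLANs with drops, so the check can run from a monitoring script. The multi-VLAN sample text is constructed and assumes that each additional VLAN repeats the same header and three counter rows.

```python
"""Parse 'diagnose switch arp-inspection stats' output and flag ARP drops.

Added example, not FortiSwitch code. SAMPLE is constructed output in the
layout shown in the guide; the assumption that several VLANs appear as
repeated blocks is this example's, not the guide's.
"""
import re

SAMPLE = """\
vlan 100           arp-request               arp-reply
-----------------------------------------------------------------------
received                12                       40
forwarded               12                       37
dropped                 0                        3
vlan 200           arp-request               arp-reply
-----------------------------------------------------------------------
received                5                        5
forwarded               5                        5
dropped                 0                        0
"""

_HEADER = re.compile(r"^vlan\s+(\d+)\s+arp-request\s+arp-reply$")
_ROW = re.compile(r"^(received|forwarded|dropped)\s+(\d+)\s+(\d+)$")


def parse_dai_stats(text: str) -> dict[int, dict[str, dict[str, int]]]:
    """Return {vlan: {'arp-request': {...}, 'arp-reply': {...}}} from diagnose output."""
    stats: dict[int, dict[str, dict[str, int]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            current = int(m.group(1))
            stats[current] = {"arp-request": {}, "arp-reply": {}}
            continue
        m = _ROW.match(line)
        if m and current is not None:
            bucket, req, rep = m.group(1), int(m.group(2)), int(m.group(3))
            stats[current]["arp-request"][bucket] = req
            stats[current]["arp-reply"][bucket] = rep
    return stats


def dai_drop_alerts(stats: dict, threshold: int = 1) -> list[tuple[int, str, int, int]]:
    """List (vlan, op, dropped, received) for every counter at or above threshold."""
    alerts = []
    for vlan, by_op in sorted(stats.items()):
        for op, counters in by_op.items():
            dropped = counters.get("dropped", 0)
            if dropped >= threshold:
                alerts.append((vlan, op, dropped, counters.get("received", 0)))
    return alerts


if __name__ == "__main__":
    for vlan, op, dropped, received in dai_drop_alerts(parse_dai_stats(SAMPLE)):
        print(f"vlan {vlan}: {dropped}/{received} {op} packets dropped by DAI")
```

In practice the counters are cumulative, so a monitor should store the previous reading and alert on the delta between polls rather than on the absolute value; the parser above supplies the per-VLAN numbers that comparison needs.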
