Dynamic ARP inspection
Dynamic ARP Inspection (DAI) prevents man-in-the-middle attacks and IP address spoofing by checking that ARP packets arriving on untrusted ports carry a valid IP-to-MAC address binding. To use DAI, you must first enable the DHCP snooping feature and then enable DAI for each VLAN. See DHCP snooping.
Configuring DAI
Configuring DAI consists of the following steps:
- Enable DAI for each VLAN. By default, it is disabled.
- Enable DAI for the switch interface. By default, all interfaces are in an untrusted state. You must explicitly configure the trusted interfaces.
Enable DAI for each VLAN
Using the GUI:
- Go to Switch > VLAN.
- Select Add VLAN.
- Enter the VLAN identifier.
- Enter a description for the new VLAN.
- Under DHCP Snooping, select Enable.
- Select Dynamic ARP Inspection.
- To save your changes, select Add at the bottom of the page.
Using the CLI:
config switch vlan
edit <vlan-id>
set arp-inspection {enable | disable}
next
end
Enable DAI for the switch interface
Using the GUI:
- Go to Switch > Interface > Physical.
- Select an interface and select Edit.
- Enter the VLAN identifier.
- Enter a description for the new VLAN.
- Select Untrusted or Trusted for DHCP Snooping.
- Select OK.
Using the CLI:
config switch interface
edit <interface-name>
set arp-inspection-trust {untrusted | trusted}
next
end
Checking ARP packets
Use the following command to see how many ARP packets have been dropped or forwarded:
# diagnose switch arp-inspection stats vlan 100
                    arp-request   arp-reply
-----------------------------------------------------------------------
received                      0           0
forwarded                     0           0
dropped                       0           0
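The following is an added illustration, not FortiSwitch code, of the decision DAI makes on each ARP packet and of how the per-VLAN counters shown by the diagnose command come about. It models a switch where DAI is enabled on a VLAN (set arp-inspection enable), some ports are trusted (set arp-inspection-trust trusted) and the rest are untrusted, and where the DHCP snooping binding table maps each (VLAN, IP) pair to the MAC that leased it. The class and function names, the port names, the binding entries and the ARP packets are all constructed sample data, not values from the original page.

```python
"""Toy model of Dynamic ARP Inspection (DAI), added as an illustration.
Not FortiSwitch code: the binding table, ports and ARP packets below are
constructed sample data and the class/function names are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    ingress_port: str
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str


@dataclass
class DaiSwitch:
    # VLANs where "set arp-inspection enable" was configured
    dai_vlans: set = field(default_factory=set)
    # ports with "set arp-inspection-trust trusted"; all others are untrusted
    trusted_ports: set = field(default_factory=set)
    # DHCP snooping binding table: (vlan, ip) -> mac learned from DHCP leases
    bindings: dict = field(default_factory=dict)
    # per-VLAN counters in the layout of the diagnose output:
    # stats[vlan][counter][op], with counter in received/forwarded/dropped
    stats: dict = field(default_factory=lambda: defaultdict(
        lambda: {c: {"request": 0, "reply": 0}
                 for c in ("received", "forwarded", "dropped")}))

    def inspect(self, pkt: ArpPacket) -> bool:
        """Return True if the packet is forwarded, False if DAI drops it."""
        if pkt.vlan not in self.dai_vlans:
            return True  # DAI disabled on this VLAN: no check, no counters
        counters = self.stats[pkt.vlan]
        counters["received"][pkt.op] += 1
        if pkt.ingress_port in self.trusted_ports:
            ok = True    # trusted ports (uplinks, server side) are not validated
        else:
            # untrusted port: sender IP must be bound to exactly this MAC
            ok = self.bindings.get((pkt.vlan, pkt.sender_ip)) == pkt.sender_mac.lower()
        counters["forwarded" if ok else "dropped"][pkt.op] += 1
        return ok

    def stats_table(self, vlan: int) -> str:
        """Render the counters like 'diagnose switch arp-inspection stats vlan N'."""
        c = self.stats[vlan]
        lines = [f"{'':12}{'arp-request':>12}{'arp-reply':>12}", "-" * 36]
        for name in ("received", "forwarded", "dropped"):
            lines.append(f"{name:12}{c[name]['request']:>12}{c[name]['reply']:>12}")
        return "\n".join(lines)


def run_demo():
    """Feed constructed packets through the model; returns (switch, verdicts)."""
    sw = DaiSwitch(
        dai_vlans={100},                       # DAI on VLAN 100 only
        trusted_ports={"port24"},              # uplink towards the DHCP server
        bindings={(100, "10.0.100.10"): "00:11:22:33:44:55",   # a leased host
                  (100, "10.0.100.1"): "aa:bb:cc:dd:ee:01"},   # the gateway
    )
    packets = [
        # legitimate host announcing its own leased IP from an access port
        ArpPacket(100, "port1", "request", "00:11:22:33:44:55", "10.0.100.10"),
        # reply from an access port claiming the gateway IP with an unbound MAC
        ArpPacket(100, "port3", "reply", "de:ad:be:ef:00:01", "10.0.100.1"),
        # the real gateway answering through the trusted uplink
        ArpPacket(100, "port24", "reply", "aa:bb:cc:dd:ee:01", "10.0.100.1"),
        # VLAN 200 has DAI disabled, so nothing is checked or counted
        ArpPacket(200, "port5", "request", "de:ad:be:ef:00:02", "10.0.200.7"),
        # known MAC, but using an IP it never leased
        ArpPacket(100, "port3", "request", "00:11:22:33:44:55", "10.0.100.99"),
    ]
    verdicts = [sw.inspect(p) for p in packets]
    return sw, verdicts


if __name__ == "__main__":
    switch, verdicts = run_demo()
    print(verdicts)                 # [True, False, True, True, False]
    print(switch.stats_table(100))  # received 2/2, forwarded 1/1, dropped 1/1
```

Two points the model makes explicit: a packet on a VLAN where DAI is not enabled is never counted, so a diagnose table that stays at zero is not by itself proof that nothing suspicious is on the wire, and a trusted port bypasses the binding check entirely, which is why the trusted state should be limited to uplinks and the DHCP server side as the configuration steps above imply.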