Configuring dynamic ARP inspection (DAI)
DAI prevents man-in-the-middle attacks and IP address spoofing by checking that ARP packets arriving on untrusted ports carry a valid IP-to-MAC address binding (as recorded in the DHCP-snooping database). DAI forwards only valid ARP requests and responses; ARP packets on trusted ports are not inspected.
To use DAI, you must first enable the DHCP-snooping feature, enable DAI on the VLAN interface, and then set the trust state of each port. By default, DAI is disabled on all VLANs.
After enabling DHCP snooping with the set switch-controller-dhcp-snooping enable command, use the following CLI commands to enable DAI on a VLAN interface and then mark each port as trusted or untrusted:
    config system interface
        edit vsw.test
            set switch-controller-arp-inspection {enable | disable}
        end
    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config ports
                edit <port_name>
                    set arp-inspection-trust {untrusted | trusted}
                next
            end
        next
    end
To check DAI statistics for a FortiSwitch unit:
    diagnose switch-controller switch-info arp-inspection stats <FortiSwitch_serial_number>
To delete DAI statistics for a specific VLAN:
    diagnose switch-controller switch-info arp-inspection stats-clear <VLAN_ID> <FortiSwitch_serial_number>
Monitoring ARP packets
Starting in FortiOS 7.4.4, you can monitor ARP packets for a specific VLAN on a DHCP-snooping trusted port of a managed switch and save the VLAN ID, MAC addresses, and IP addresses in the DHCP-snooping database. The static IP addresses can be used in RADIUS accounting.
To monitor ARP packets:
- Enable DHCP snooping and enable the monitoring of ARP packets for a specific VLAN.
    config system interface
        edit <VLAN_ID>
            set switch-controller-dhcp-snooping enable
            set switch-controller-arp-inspection monitor
        next
    end
- Enable the monitoring of ARP packets on a DHCP-snooping trusted port.
    config switch-controller managed-switch
        edit <FortiSwitch_serial_number>
            config ports
                edit <port_name>
                    set dhcp-snooping trusted
                    set allow-arp-monitor enable
                next
            end
        next
    end
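The following Python model, added here as an illustration and not FortiOS or FortiSwitch code, shows the decision logic the two procedures above configure: in enable mode DAI checks each ARP packet from an untrusted port against the DHCP-snooping binding table and counts forwarded and dropped packets per VLAN (the counters the diagnose commands show and clear), and in monitor mode ARP packets seen on a DHCP-snooping trusted port with allow-arp-monitor enabled have their VLAN ID, MAC address and IP address written into the binding database. The class names, the binding-table key (VLAN, MAC) and the way monitor mode overwrites an existing entry are assumptions for the example; the sample packets and bindings are constructed.

```python
"""Model of dynamic ARP inspection (DAI) and ARP monitoring backed by a
DHCP-snooping binding database.  Illustrative only; not FortiOS code.
Assumptions: bindings are keyed by (vlan, mac); a VLAN's arp_inspection
mode is one of disable | enable | monitor; a port carries both a DAI
trust state and a DHCP-snooping trust state plus an allow_arp_monitor flag."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    port: str
    sender_mac: str
    sender_ip: str
    op: str  # "request" or "reply"


@dataclass
class Port:
    name: str
    arp_inspection_trust: str = "untrusted"  # set arp-inspection-trust {untrusted | trusted}
    dhcp_snooping: str = "untrusted"         # set dhcp-snooping {untrusted | trusted}
    allow_arp_monitor: bool = False          # set allow-arp-monitor {enable | disable}


@dataclass
class Vlan:
    vlan_id: int
    dhcp_snooping: bool = False      # set switch-controller-dhcp-snooping enable
    arp_inspection: str = "disable"  # set switch-controller-arp-inspection {enable | disable | monitor}


@dataclass
class SnoopingDatabase:
    # (vlan, mac) -> ip, normally populated by DHCP snooping (constructed here)
    bindings: Dict[Tuple[int, str], str] = field(default_factory=dict)
    # per-VLAN DAI counters, like the "arp-inspection stats" diagnose output
    stats: Dict[int, Dict[str, int]] = field(default_factory=dict)


class Switch:
    def __init__(self) -> None:
        self.vlans: Dict[int, Vlan] = {}
        self.ports: Dict[str, Port] = {}
        self.db = SnoopingDatabase()

    def learn_dhcp_binding(self, vlan: int, mac: str, ip: str) -> None:
        """What DHCP snooping does when it sees a completed DHCP exchange."""
        self.db.bindings[(vlan, mac.lower())] = ip

    def _count(self, vlan: int, kind: str) -> None:
        self.db.stats.setdefault(vlan, {"forwarded": 0, "dropped": 0})[kind] += 1

    def stats(self, vlan: int) -> Dict[str, int]:
        return dict(self.db.stats.get(vlan, {"forwarded": 0, "dropped": 0}))

    def stats_clear(self, vlan: int) -> None:
        """Equivalent of 'arp-inspection stats-clear <VLAN_ID>'."""
        self.db.stats[vlan] = {"forwarded": 0, "dropped": 0}

    def process_arp(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop' for an ARP packet entering the switch."""
        vlan = self.vlans[pkt.vlan]
        port = self.ports[pkt.port]
        key = (pkt.vlan, pkt.sender_mac.lower())
        # Without DHCP snooping there is no binding table, so nothing to check.
        if not vlan.dhcp_snooping or vlan.arp_inspection == "disable":
            return "forward"
        if vlan.arp_inspection == "monitor":
            # Monitor mode never drops; it records bindings learned on a
            # DHCP-snooping trusted port that has allow-arp-monitor enabled.
            if port.dhcp_snooping == "trusted" and port.allow_arp_monitor:
                self.db.bindings[key] = pkt.sender_ip
            return "forward"
        # Enable mode: DAI proper.  Trusted ports bypass inspection.
        if port.arp_inspection_trust == "trusted":
            self._count(pkt.vlan, "forwarded")
            return "forward"
        if self.db.bindings.get(key) == pkt.sender_ip:
            self._count(pkt.vlan, "forwarded")
            return "forward"
        # Sender claims an IP that the binding table does not tie to its MAC.
        self._count(pkt.vlan, "dropped")
        return "drop"


if __name__ == "__main__":
    sw = Switch()
    sw.vlans[10] = Vlan(10, dhcp_snooping=True, arp_inspection="enable")
    sw.ports["port1"] = Port("port1")  # untrusted access port
    sw.ports["port2"] = Port("port2", arp_inspection_trust="trusted")  # uplink
    sw.learn_dhcp_binding(10, "AA:BB:CC:00:00:01", "10.0.0.5")  # constructed binding
    print(sw.process_arp(ArpPacket(10, "port1", "aa:bb:cc:00:00:01", "10.0.0.5", "request")))
    print(sw.process_arp(ArpPacket(10, "port1", "aa:bb:cc:00:00:01", "10.0.0.1", "reply")))
    print(sw.stats(10))
```

Run it as a script to see one valid ARP request forwarded and one reply that claims a different IP dropped, with the VLAN 10 counters reflecting both. The monitor path records a binding only when both the DHCP-snooping trust and allow-arp-monitor conditions hold, mirroring the two settings in the second procedure above.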