Dynamic Arp Inspection - NETGEAR S3300 User Manual

Smart managed pro

Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP
packets. DAI prevents a class of man-in-the-middle attacks where an unfriendly station
intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting
neighbors. The malicious attacker sends ARP requests or responses mapping another
station's IP address to its own MAC address.

When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender
IP address do not match an entry in the DHCP snooping bindings database. You can
optionally configure additional ARP packet validation.

When DAI is enabled on a VLAN, DAI is enabled on the interfaces (physical ports or LAGs)
that are members of that VLAN. Individual interfaces are configured as trusted or untrusted.
The trust configuration for DAI is independent of the trust configuration for DHCP snooping.
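
The decision logic described above, modeled in Python as an added example (not part of the manual and not NETGEAR code). The binding entries, addresses, and port names are constructed; skipping inspection on trusted interfaces, checking the rate limit before the binding lookup, and dropping packets over the limit are assumptions of this model.

```python
from collections import defaultdict

# Constructed DHCP snooping bindings: (VLAN, sender IP) -> MAC learned via DHCP.
BINDINGS = {(100, "10.0.100.21"): "00:11:22:33:44:21",
            (100, "10.0.100.22"): "00:11:22:33:44:22"}
DAI_VLANS = {100}      # VLANs with DAI enabled
TRUSTED = {"lag1"}     # trusted interfaces; every other port is untrusted
RATE_LIMIT = 10        # ARP packets per second allowed on an untrusted port

def arp(t, port, sender_ip, sender_mac, vlan=100):
    """Build a constructed ARP packet record (t is arrival time in seconds)."""
    return dict(t=t, port=port, vlan=vlan, sender_ip=sender_ip, sender_mac=sender_mac)

def inspect(packets):
    """Return one (verdict, reason) tuple per packet, in arrival order."""
    seen = defaultdict(int)  # (port, whole second) -> ARP packets counted
    results = []
    for p in packets:
        if p["vlan"] not in DAI_VLANS:
            results.append(("forward", "DAI not enabled on VLAN"))
            continue
        if p["port"] in TRUSTED:
            # Assumption: ARP packets on trusted interfaces are not inspected.
            results.append(("forward", "trusted interface"))
            continue
        window = (p["port"], int(p["t"]))
        seen[window] += 1
        if seen[window] > RATE_LIMIT:
            # Simplification: the model only drops the excess packets.
            results.append(("drop", "rate limit exceeded"))
            continue
        bound_mac = BINDINGS.get((p["vlan"], p["sender_ip"]))
        if bound_mac is None:
            results.append(("drop", "no binding for sender IP"))
        elif bound_mac != p["sender_mac"].lower():
            results.append(("drop", "sender MAC does not match binding"))
        else:
            results.append(("forward", "matches binding"))
    return results

SAMPLE = [  # constructed packets
    arp(0.1, "1", "10.0.100.21", "00:11:22:33:44:21"),     # legitimate host
    arp(0.2, "2", "10.0.100.21", "00:11:22:33:44:22"),     # claims a neighbor's IP
    arp(0.3, "3", "10.0.100.99", "00:11:22:33:44:99"),     # no DHCP binding
    arp(0.4, "lag1", "10.0.100.21", "00:11:22:33:44:ff"),  # trusted uplink
]
```

The last sample packet shows why the trust setting matters: a trusted interface forwards ARP traffic that would be dropped on an untrusted port, so only links to infrastructure you control should be trusted.
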

Configure DAI on a VLAN and an Interface

In this example, DAI is enabled on VLAN 100. Ports 1-10 connect end users to the network
and are members of VLAN 100. These ports are configured to limit the maximum number of
ARP packets with a rate limit of 10 packets per second. LAG 1, which is also a member of
VLAN 100 and contains ports 11-14, is the trunk port that connects the switch to the data
center, so it is configured as a trusted port.

This example assumes VLAN 100 and LAG 1 have already been configured.

To configure DAI on a VLAN and an Interface:

1. Enable DAI on VLAN 1.
   a. Select System > Services > Dynamic ARP Inspection > DAI VLAN Configuration.
   b. Next to VLAN 1, select the check box.
   c. From the Admin Mode list, select Enable.
      Figure 72. DAI VLAN Configuration
   d. Click the Apply button.
2. Configure LAG 1, which includes ports 11-14, as a trusted port. All other interfaces are
   untrusted by default.
S3300 Smart Managed Pro Switch
Configure System Information