Dai On Ex Series Switches - Juniper JUNOS OS 10.3 - SOFTWARE Manual

For EX Series Ethernet Switches

DAI on EX Series Switches

Copyright © 2010, Juniper Networks, Inc.
attacker can poison the ARP cache of a network device by sending an ARP response to the device that directs all packets destined for a certain IP address to go to a different MAC address instead.

To prevent MAC spoofing through gratuitous ARP and through other types of spoofing, EX Series switches examine ARP responses through DAI.

DAI examines ARP requests and responses on the LAN and validates ARP packets. The switch intercepts ARP packets from an access port and validates them against the DHCP snooping database. If no IP-MAC entry in the database corresponds to the information in the ARP packet, DAI drops the ARP packet and the local ARP cache is not updated with the information in that packet. DAI also drops ARP packets when the IP address in the packet is invalid.

Juniper Networks Junos operating system (Junos OS) for EX switches uses DAI for ARP packets received on access ports because these ports are untrusted by default. Trunk ports are trusted by default, so ARP packets bypass DAI on them.

You configure DAI for each VLAN, not for each interface (port). By default, DAI is disabled for all VLANs. You can set an interface to be trusted for ARP packets by setting dhcp-trusted on that port.

For packets directed to the switch to which a network device is connected, ARP queries are broadcast on the VLAN. The ARP responses to those queries are subjected to the DAI check.

For DAI, all ARP packets are trapped to the Routing Engine. To prevent CPU overloading, ARP packets destined for the Routing Engine are rate-limited.

If the DHCP server goes down and the lease time for an IP-MAC entry for a previously valid ARP packet runs out, that packet is blocked.
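The validation rules above, as an added illustration that is not Junos code or a Juniper example: a small Python model of the verdict DAI reaches for one ARP packet, evaluated against a constructed DHCP snooping binding table. The VLAN names, port names and addresses are constructed, and treating an "invalid IP address" as unparsable, unspecified, multicast or broadcast is an assumption of this model.

```python
import ipaddress
from collections import namedtuple

# One IP-MAC entry of the DHCP snooping database; lease_expires is in epoch seconds.
Binding = namedtuple("Binding", "vlan ip mac lease_expires")
# The fields of an ARP packet that DAI looks at, plus the port it arrived on.
ArpPacket = namedtuple("ArpPacket", "vlan in_port sender_ip sender_mac")

def dai_verdict(pkt, bindings, dai_vlans, trusted_ports, now):
    """Apply the DAI rules from the text to one ARP packet.
    Returns 'forward:<reason>' or 'drop:<reason>'."""
    if pkt.vlan not in dai_vlans:            # DAI is enabled per VLAN and is off by default
        return "forward:dai-disabled-on-vlan"
    if pkt.in_port in trusted_ports:         # trunk and dhcp-trusted ports bypass the check
        return "forward:trusted-port"
    try:                                     # "invalid IP" is assumed here to mean unparsable,
        ip = ipaddress.IPv4Address(pkt.sender_ip)   # unspecified, multicast or broadcast
    except ValueError:
        return "drop:invalid-ip"
    if ip.is_unspecified or ip.is_multicast or str(ip) == "255.255.255.255":
        return "drop:invalid-ip"
    for b in bindings:
        if (b.vlan, b.ip, b.mac.lower()) == (pkt.vlan, pkt.sender_ip, pkt.sender_mac.lower()):
            if b.lease_expires <= now:       # lease ran out (e.g. DHCP server down): blocked
                return "drop:lease-expired"
            return "forward:binding-match"
    return "drop:no-binding"                 # no matching IP-MAC entry: dropped, cache untouched

def run_sample(now=1_000_000):
    """Evaluate constructed ARP packets against a constructed binding table."""
    bindings = [Binding("vlan20", "10.0.20.5", "00:11:22:33:44:55", now + 3600),
                Binding("vlan20", "10.0.20.9", "00:11:22:33:44:99", now - 1)]
    pkts = {
        "legit":   ArpPacket("vlan20", "ge-0/0/1", "10.0.20.5", "00:11:22:33:44:55"),
        "spoof":   ArpPacket("vlan20", "ge-0/0/2", "10.0.20.5", "de:ad:be:ef:00:01"),
        "expired": ArpPacket("vlan20", "ge-0/0/3", "10.0.20.9", "00:11:22:33:44:99"),
        "badip":   ArpPacket("vlan20", "ge-0/0/4", "0.0.0.0", "00:11:22:33:44:55"),
        "trunk":   ArpPacket("vlan20", "ge-0/0/8", "10.0.20.5", "de:ad:be:ef:00:01"),
        "novlan":  ArpPacket("vlan30", "ge-0/0/5", "10.0.30.7", "de:ad:be:ef:00:02"),
    }
    dai_vlans, trusted_ports = {"vlan20"}, {"ge-0/0/8"}   # DAI on vlan20 only; ge-0/0/8 trusted
    return {name: dai_verdict(p, bindings, dai_vlans, trusted_ports, now) for name, p in pkts.items()}

if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:8s} {verdict}")
```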
Related Documentation

Port Security for EX Series Switches Overview on page 2825
Understanding DHCP Snooping for Port Security on EX Series Switches on page 2829
Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 2849
Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch on page 2873
Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 2866
Enabling Dynamic ARP Inspection (CLI Procedure) on page 2913
Enabling Dynamic ARP Inspection (J-Web Procedure) on page 2914
Chapter 93: Port Security Overview (page 2837)