Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The miscreant sends ARP requests or responses mapping another station’s IP address to its own MAC address.
DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and builds a binding database of valid {MAC address, IP address, VLAN, and interface} tuples. When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP address do not match an entry in the DHCP snooping bindings database. You can optionally configure additional ARP packet validation.
Use the DAI Configuration page to configure global DAI settings. To display the DAI Configuration page, click Switching > Dynamic ARP Inspection > DAI Configuration in the navigation menu.
| Field | Description |
|---|---|
| Validate Source MAC | Select the DAI Source MAC Validation Mode for the switch. If you select Enable, Sender MAC validation for the ARP packets will be enabled. The default is Disable. |
| Validate Destination MAC | Select the DAI Destination MAC Validation Mode for the switch. If you select Enable, Destination MAC validation for the ARP Response packets will be enabled. The default is Disable. |
| Validate IP | Select the DAI IP Validation Mode for the switch. If you select Enable, IP Address validation for the ARP packets will be enabled. The default is Disable. |
Click Submit to apply the new configuration and cause the change to take effect. These changes will not be retained across a power cycle unless a Save configuration is performed.
Use the DAI VLAN Configuration page to select the DAI-capable VLANs for which information is to be displayed or configured. To display the DAI VLAN Configuration page, click Switching > Dynamic ARP Inspection > DAI VLAN Configuration in the navigation menu.
| Field | Description |
|---|---|
| VLAN ID | Select the VLAN ID for which information is to be displayed or configured. |
| Dynamic ARP Inspection | Select whether Dynamic ARP Inspection is Enabled or Disabled on this VLAN. The default is Disable. |
| Logging Invalid Packets | Select whether Dynamic ARP Inspection logging is Enabled or Disabled on this VLAN. The default is Disable. |
| ARP ACL Name | The name of the ARP Access List. A VLAN can be configured to use this ARP ACL, containing rules, as the filter for ARP packet validation. The name can contain 1-31 alphanumeric characters. |
| Static Flag | Use this flag to determine whether the ARP packet needs validation using the DHCP snooping database in case the ARP ACL rules do not match. If Enabled, the ARP packet will be validated by the ARP ACL rules only. If Disabled, the ARP packet needs further validation using the DHCP snooping entries. The default is Disable. |
Use the DAI Interface Configuration page to select the DAI Interface for which information is to be displayed or configured. To display the DAI Interface Configuration page, click Switching > Dynamic ARP Inspection > DAI Interface Configuration in the navigation menu.
| Field | Description |
|---|---|
| Interface | Select the physical interface for which data is to be displayed or configured. |
| Trust State | Indicates whether the interface is trusted for Dynamic ARP Inspection. If you select Enable, the interface is trusted and ARP packets arriving on this interface will be forwarded without checking. If you select Disable, the interface is not trusted and ARP packets arriving on this interface will be subjected to ARP inspection. The default is Disable. |
| Rate Limit | Specify the rate limit value for Dynamic ARP Inspection. If the incoming rate exceeds the Rate Limit value for Burst Interval consecutive seconds, ARP packets will be dropped. If the value is None, there is no limit. The default is 15 packets per second (pps). |
| Burst Interval | Specify the burst interval for rate limiting on this interface. If the Rate Limit is None, the Burst Interval has no meaning and shows as N/A (Not Applicable). The default is 1 second. |
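The Rate Limit and Burst Interval fields interact in a way the table only describes in one sentence. The following Python model is an added example, not code from the switch or its documentation: it counts ARP packets per whole second on one untrusted interface and starts dropping once the per-second count has exceeded the Rate Limit for Burst Interval consecutive seconds. The class name, the `simulate` helper and the per-second packet counts are constructed for illustration.

```python
class ArpRateLimiter:
    """Per-interface DAI rate limiting as the page describes it: ARP packets are
    dropped once the incoming rate has exceeded rate_limit (pps) for burst_interval
    consecutive seconds. Counting by whole seconds is this example's simplification."""

    def __init__(self, rate_limit=15, burst_interval=1, trusted=False):
        self.rate_limit = rate_limit          # None means no limit (page: "None")
        self.burst_interval = burst_interval  # meaningless when rate_limit is None
        self.trusted = trusted                # trusted interfaces are never limited
        self._second = None    # the second the current count belongs to
        self._count = 0        # ARP packets seen so far in that second
        self._streak = 0       # consecutive earlier seconds that exceeded the limit
        self.forwarded = 0
        self.dropped = 0

    def admit(self, t: float) -> bool:
        """Offer one ARP packet arriving at time t (seconds); True = forward, False = drop."""
        if self.trusted or self.rate_limit is None:
            self.forwarded += 1
            return True
        sec = int(t)
        if sec != self._second:
            # New second: the over-limit run continues only if the previous second was
            # over the limit and immediately precedes this one; a quiet second resets it.
            if (self._second is not None and sec == self._second + 1
                    and self._count > self.rate_limit):
                self._streak += 1
            else:
                self._streak = 0
            self._second, self._count = sec, 0
        self._count += 1
        if self._count > self.rate_limit and self._streak + 1 >= self.burst_interval:
            self.dropped += 1
            return False
        self.forwarded += 1
        return True


def simulate(rate_limit, burst_interval, per_second_counts, trusted=False):
    """Feed per_second_counts[i] ARP packets spread over second i; return (forwarded, dropped).
    Constructed traffic profile, not a capture."""
    rl = ArpRateLimiter(rate_limit, burst_interval, trusted)
    for sec, n in enumerate(per_second_counts):
        for i in range(n):
            rl.admit(sec + i / max(n, 1))
    return rl.forwarded, rl.dropped


if __name__ == "__main__":
    print("limit 15, interval 1, 30 pkts in one second:", simulate(15, 1, [30]))
    print("limit 15, interval 2, 30/30/5 pkts:", simulate(15, 2, [30, 30, 5]))
```

With the defaults (15 pps, 1 second) the 16th ARP packet in any second is dropped. Raising the Burst Interval lets a single busy second through untouched and only drops once the excess persists, which is the knob to turn when a legitimate host (a DHCP server or a scanner you operate) trips the limit on an untrusted port.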
Use the DAI ARP ACL Configuration page to add or remove DAI ARP ACLs. To display the DAI ARP ACL Configuration page, click Switching > Dynamic ARP Inspection > DAI ARP ACL Configuration in the navigation menu.
| Field | Description |
|---|---|
| ARP ACL Name | Use this field to create a new ARP ACL for Dynamic ARP Inspection. The name can be 1 to 31 alphanumeric characters in length. |
| ARP ACL List | Displays by name a list of all the configured ARP ACLs. Use the Remove column to select the particular ACLs you want to delete. |
Use the DAI ARP ACL Rule Configuration page to add or remove DAI ARP ACL Rules. To display the DAI ARP ACL Rule Configuration page, click Switching > Dynamic ARP Inspection > DAI ARP ACL Rule Configuration in the navigation menu.
| Field | Description |
|---|---|
| ARP ACL Name | Select the ARP ACL for which information is to be displayed or configured. |
| Sender IP Address | To create a new rule for the selected ARP ACL, enter in this field the Sender IP Address match value for the ARP ACL. |
| Sender MAC Address | To create a new rule for the selected ARP ACL, enter in this field the Sender MAC Address match value for the ARP ACL. |
| Remove | Use the Remove column to select the particular ARP ACL Rules you want to delete. |
Use the DAI Statistics page to display the statistics per VLAN. To display the DAI Statistics page, click Switching > Dynamic ARP Inspection > DAI Statistics in the navigation menu.
| Field | Description |
|---|---|
| VLAN ID | Select the DAI-enabled VLAN ID for which to display statistics. |
| DHCP Drops | The number of ARP packets that were dropped by DAI because no matching DHCP snooping binding entry was found. |
| ACL Drops | The number of ARP packets that were dropped by DAI because no matching ARP ACL rule was found for this VLAN and the static flag is set on this VLAN. |
| DHCP Permits | The number of ARP packets that were forwarded by DAI because a matching DHCP snooping binding entry was found. |
| ACL Permits | The number of ARP packets that were permitted by DAI because a matching ARP ACL rule was found for this VLAN. |
| Bad Source MAC | The number of ARP packets that were dropped by DAI because the sender MAC address in the ARP packet did not match the source MAC in the Ethernet header. |
| Bad Dest MAC | The number of ARP packets that were dropped by DAI because the target MAC address in the ARP reply packet did not match the destination MAC in the Ethernet header. |
| Invalid IP | The number of ARP packets that were dropped by DAI because the sender IP address in the ARP packet or the target IP address in the ARP reply packet is not valid. Invalid addresses include 0.0.0.0, 255.255.255.255, IP multicast addresses, class E addresses (240.0.0.0/4), and loopback addresses (127.0.0.0/8). |
| Forwarded | The number of valid ARP packets forwarded by DAI. |
| Dropped | The number of invalid ARP packets dropped by DAI. |
Click Refresh to refresh the page with the most current data from the switch.
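The statistics above are the observable result of the decision path spelled out across the DAI Configuration, DAI VLAN Configuration and DAI ARP ACL Rule pages: optional header validations, then the ARP ACL (with the Static Flag deciding whether a miss is final), then the DHCP snooping bindings. The following Python model is an added example written for this page, not the switch's own code; it ties those pages together by inspecting a handful of constructed ARP frames on a constructed VLAN 10 and producing the same counters the DAI Statistics page shows. Everything in it (class and field names, the ACL named `PRINTERS`, the addresses) is invented for illustration, and one ordering is an assumption: the page does not say whether the Validate Source MAC / Destination MAC / IP checks run before or after the binding lookup, so this model runs them first.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# Counter names exactly as the DAI Statistics page lists them.
COUNTERS = ("DHCP Drops", "ACL Drops", "DHCP Permits", "ACL Permits",
            "Bad Source MAC", "Bad Dest MAC", "Invalid IP", "Forwarded", "Dropped")


@dataclass
class ArpPacket:
    """The fields of an ARP frame that DAI looks at (a constructed record, not a parser)."""
    vlan: int
    eth_src: str        # Ethernet header source MAC
    eth_dst: str        # Ethernet header destination MAC
    sender_mac: str     # ARP sender hardware address
    sender_ip: str      # ARP sender protocol address
    target_mac: str     # ARP target hardware address
    target_ip: str      # ARP target protocol address
    is_reply: bool
    ingress_trusted: bool = False   # Trust State of the ingress interface


@dataclass
class VlanConfig:
    """Per-VLAN settings from the DAI VLAN Configuration page."""
    enabled: bool = False
    acl_name: Optional[str] = None
    static_flag: bool = False


@dataclass
class GlobalConfig:
    """Global settings from the DAI Configuration page."""
    validate_src_mac: bool = False
    validate_dst_mac: bool = False
    validate_ip: bool = False


def ip_is_invalid(ip: str) -> bool:
    """Addresses the page lists as never valid in a sender/target IP field."""
    a = IPv4Address(ip)
    return (ip in ("0.0.0.0", "255.255.255.255") or a.is_multicast or a.is_loopback
            or (int(a) >> 28) == 0xF)          # 240.0.0.0/4, class E


class DaiInspector:
    def __init__(self, glob, vlans, acls, bindings):
        self.glob = glob                  # GlobalConfig
        self.vlans = vlans                # {vlan id: VlanConfig}
        self.acls = acls                  # {acl name: {(sender ip, sender mac), ...}}
        self.bindings = bindings          # DHCP snooping db: {(vlan, ip, mac), ...}
        self.stats = {v: dict.fromkeys(COUNTERS, 0) for v in vlans}

    def _verdict(self, vlan, counter, forward):
        self.stats[vlan][counter] += 1
        self.stats[vlan]["Forwarded" if forward else "Dropped"] += 1
        return forward

    def inspect(self, p: ArpPacket) -> bool:
        """Return True if DAI forwards the packet, False if it drops it."""
        vcfg = self.vlans.get(p.vlan, VlanConfig())
        if not vcfg.enabled or p.ingress_trusted:
            return True      # trusted ports and non-DAI VLANs are not inspected at all
        g, v = self.glob, p.vlan
        # Optional validations; running them before the binding checks is an assumption.
        if g.validate_src_mac and p.sender_mac != p.eth_src:
            return self._verdict(v, "Bad Source MAC", False)
        if g.validate_dst_mac and p.is_reply and p.target_mac != p.eth_dst:
            return self._verdict(v, "Bad Dest MAC", False)
        if g.validate_ip and (ip_is_invalid(p.sender_ip)
                              or (p.is_reply and ip_is_invalid(p.target_ip))):
            return self._verdict(v, "Invalid IP", False)
        # ARP ACL before the DHCP snooping database; the Static Flag decides whether an
        # ACL miss is dropped or falls through to the bindings.
        if vcfg.acl_name is not None:
            if (p.sender_ip, p.sender_mac) in self.acls.get(vcfg.acl_name, set()):
                return self._verdict(v, "ACL Permits", True)
            if vcfg.static_flag:
                return self._verdict(v, "ACL Drops", False)
        if (v, p.sender_ip, p.sender_mac) in self.bindings:
            return self._verdict(v, "DHCP Permits", True)
        return self._verdict(v, "DHCP Drops", False)


def demo():
    """Constructed VLAN 10: one DHCP client, one printer with a static ACL entry, and
    three bad frames. Returns the per-frame verdicts and the VLAN's counters."""
    dai = DaiInspector(
        GlobalConfig(validate_src_mac=True, validate_dst_mac=True, validate_ip=True),
        {10: VlanConfig(enabled=True, acl_name="PRINTERS")},          # Static Flag off
        {"PRINTERS": {("10.0.10.50", "00:11:22:33:44:50")}},
        {(10, "10.0.10.20", "00:11:22:33:44:20")},                     # learned by DHCP snooping
    )
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    frames = [
        ArpPacket(10, "00:11:22:33:44:20", bcast, "00:11:22:33:44:20", "10.0.10.20", zero, "10.0.10.1", False),  # DHCP client
        ArpPacket(10, "00:11:22:33:44:50", bcast, "00:11:22:33:44:50", "10.0.10.50", zero, "10.0.10.1", False),  # printer, via ACL
        ArpPacket(10, "00:11:22:33:44:99", bcast, "00:11:22:33:44:99", "10.0.10.20", zero, "10.0.10.1", False),  # unknown MAC claims client IP
        ArpPacket(10, "00:11:22:33:44:99", bcast, "00:11:22:33:44:20", "10.0.10.20", zero, "10.0.10.1", False),  # sender MAC != Ethernet source
        ArpPacket(10, "00:11:22:33:44:20", bcast, "00:11:22:33:44:20", "0.0.0.0", zero, "10.0.10.1", False),     # 0.0.0.0 sender IP
        ArpPacket(10, "00:11:22:33:44:77", bcast, "00:11:22:33:44:77", "10.0.10.77", zero, "10.0.10.1", False, ingress_trusted=True),
    ]
    return [dai.inspect(f) for f in frames], dai.stats[10]


if __name__ == "__main__":
    verdicts, stats = demo()
    print(verdicts)
    for name in COUNTERS:
        print(f"{name:15s} {stats[name]}")
```

Two points the walk-through makes visible. The printer passes only because of the ARP ACL: a statically addressed host never appears in the DHCP snooping database, so without an ACL entry it would show up as a DHCP Drop, and with the Static Flag enabled on the VLAN an ACL miss is never rescued by the bindings. And the frame with sender IP 0.0.0.0 is counted as Invalid IP, which is exactly what Validate IP does to ARP probes used for duplicate-address detection (RFC 5227 sends them with a zero sender IP), so expect that counter to rise on VLANs where hosts probe before claiming an address.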