Use this command to enable or disable dynamic ARP inspection (DAI), also called anti-spoofing ARP inspection, on a port or range of ports, or to set a port to inspect ARP packets without learning new bindings.

set antispoof arp-inspection {enable | disable | inspection-only} port-string
Parameter | Description
enable | Enables dynamic ARP inspection on the specified port or ports.
disable | Disables dynamic ARP inspection on the specified port or ports.
inspection-only | Inspects ARP packets on the specified port or ports but does not add entries to the source MAC address to source IP address binding table.
port-string | The port or range of ports to configure for anti-spoofing ARP inspection.
Anti-spoofing ARP inspection is disabled on all ports by default.
All command modes.
Man-in-the-middle (MITM) attacks can take advantage of ARP, allowing an attacker to redirect user traffic to and from the default gateway through the attacker's own device, where it can be read or altered. Using gratuitous ARP replies, an attacker can manipulate other devices' ARP tables so that the attacker appears to be another user to the gateway, or appears to be the gateway to other users on the network.
With anti-spoofing ARP inspection enabled, a source MAC address to source IP address binding database is used to verify that ARP packets carry legitimate source MAC address to source IP address bindings. When an ARP packet enters the switch, its source MAC address and source IP address are compared to the entry for that IP address in the binding table. If the packet conflicts with the table (the IP address is already bound to a different MAC address), the anti-spoofing threshold counter is incremented. When the threshold is reached, any configured actions are taken against the user. Actions can include sending a Syslog message, sending a notification, or quarantining the user according to a quarantine policy. Thresholds and actions are configured in an anti-spoofing class using set antispoof class threshold-index.
When DAI is enabled, the sender and target MAC and IP address bindings are inspected for ARP reply packets, and the sender MAC and IP address binding is inspected for ARP request packets. This information is also used to populate the binding table: if DAI is enabled and the user's MAC address has been authenticated and exists in the multiauth session table, an entry is created in the binding table. If DAI is set to inspection-only, packets are inspected but no new bindings are entered into the table. Limiting acceptance of ARP packets to the addresses bound in the binding table prevents a malicious user from inserting itself between an end user and a gateway, poisoning a network device's ARP cache, or performing MITM attacks.
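The following Python model illustrates the inspection and learning rules described above (sender-only checks for requests, sender and target checks for replies, learning only for authenticated MACs, no learning in inspection-only mode, a per-port violation counter that fires an action at the threshold). It is an added example written for this page, not switch firmware or vendor code. The MAC and IP addresses, the threshold value of 3, the "quarantine" action string, the learning rule for target bindings in replies, and the handling of ports without an explicit mode are all assumptions for the illustration; the gratuitous-reply attacker frame is constructed to show the MITM case from the usage text being caught.

```python
"""Model of dynamic ARP inspection (DAI) as described in the usage text.
Added illustration only; not the switch implementation."""
import struct
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Build a 28-byte RFC 826 ARP payload for Ethernet/IPv4."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))


def parse_arp(payload):
    """Return (op, sha, spa, tha, tpa); raise ValueError on a malformed payload."""
    if len(payload) < 28:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return (op, _mac_str(payload[8:14]), _ip_str(payload[14:18]),
            _mac_str(payload[18:24]), _ip_str(payload[24:28]))


@dataclass
class ArpInspector:
    port_mode: dict                  # port -> "enable" | "inspection-only" | "disable"
    authenticated: set               # MACs in the multiauth session table (assumed given)
    threshold: int = 3               # assumed class threshold: violations per port
    bindings: dict = field(default_factory=dict)    # source IP -> source MAC
    violations: dict = field(default_factory=dict)  # port -> counter
    actions: list = field(default_factory=list)     # (port, action) records

    def _conflicts(self, mac, ip):
        """True when ip is already bound to a different MAC."""
        bound = self.bindings.get(ip)
        return bound is not None and bound != mac

    def inspect(self, port, payload):
        mode = self.port_mode.get(port, "disable")  # assumption: unlisted port = disabled
        if mode == "disable":
            return "not-inspected"
        try:
            op, sha, spa, tha, tpa = parse_arp(payload)
        except ValueError:
            return "malformed"
        # Reply: sender and target bindings are checked; request: sender only.
        pairs = [(sha, spa)] if op == ARP_REQUEST else [(sha, spa), (tha, tpa)]
        if any(self._conflicts(m, i) for m, i in pairs):
            n = self.violations[port] = self.violations.get(port, 0) + 1
            if n == self.threshold:
                # Stand-in for the configured class action (Syslog, trap, quarantine).
                self.actions.append((port, "quarantine"))
            return "violation"
        if mode == "enable":
            learned = False
            for m, i in pairs:
                # Learn only for MACs with an authenticated session; never in inspection-only.
                if i not in self.bindings and m in self.authenticated:
                    self.bindings[i] = m
                    learned = True
            return "learned" if learned else "ok"
        return "ok"


# Constructed addresses for the demonstration.
GW, HOST, NEW, ATTACKER = ("00:11:22:00:00:01", "00:11:22:00:00:10",
                           "00:11:22:00:00:20", "de:ad:be:ef:00:01")


def demo():
    insp = ArpInspector(port_mode={"ge.1.2": "enable", "ge.1.3": "enable",
                                   "ge.1.4": "inspection-only"},
                        authenticated={GW, HOST, NEW}, threshold=3)
    results = [
        insp.inspect("ge.1.2", build_arp(ARP_REQUEST, GW, "10.0.0.1",
                                         "00:00:00:00:00:00", "10.0.0.10")),
        insp.inspect("ge.1.2", build_arp(ARP_REPLY, HOST, "10.0.0.10", GW, "10.0.0.1")),
    ]
    # Gratuitous reply from the attacker claiming the gateway's IP, sent three times.
    for _ in range(3):
        results.append(insp.inspect("ge.1.3", build_arp(ARP_REPLY, ATTACKER, "10.0.0.1",
                                                        ATTACKER, "10.0.0.1")))
    # Authenticated host on an inspection-only port: checked but not learned.
    results.append(insp.inspect("ge.1.4", build_arp(ARP_REQUEST, NEW, "10.0.0.20",
                                                    "00:00:00:00:00:00", "10.0.0.1")))
    return insp, results


if __name__ == "__main__":
    inspector, outcome = demo()
    print(outcome, inspector.bindings, inspector.actions)
```

In the run, the gateway and the host on ge.1.2 are learned, the attacker's three gratuitous replies on ge.1.3 each count as a violation and the third reaches the threshold and records the action, and the authenticated host on the inspection-only port ge.1.4 passes without a binding being created.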
This example shows how to enable anti-spoofing ARP inspection on ports ge.1.2 through ge.1.5:
System(rw)->set antispoof arp-inspection enable ge.1.2-5
This example shows how to configure anti-spoofing ARP inspection on ports ge.1.2 through ge.1.5 for packet inspection only:
System(rw)->set antispoof arp-inspection inspection-only ge.1.2-5