Feature |
Product |
Release introduced |
---|---|---|
Dynamic ARP Inspection (DAI) |
5320 Series |
Fabric Engine 8.6 |
5420 Series |
VOSS 8.4 |
|
5520 Series |
VOSS 8.2.5 |
|
5720 Series |
Fabric Engine 8.7 |
Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in the network.
Without DAI, a malicious user can attack hosts, switches, and routers connected to the Layer 2 network by poisoning the ARP caches of systems connected to the subnet, and intercepting traffic intended for other hosts on the subnet. DAI prevents these attacks by intercepting, logging, and discarding the ARP packets with invalid IP to MAC address bindings.
The switch dynamically builds the address binding table from the information gathered from the DHCP requests and replies when DHCP Snooping is enabled. The switch pairs the MAC address from the DHCP request with the IP address from the DHCP reply to create an entry in the DHCP binding table. For more information, see Create DHCP Binding Table Entries.
When you enable DAI, the switch filters ARP packets on untrusted ports based on the source MAC and IP addresses seen on the switch port. The switch forwards an ARP packet when the source MAC and IP address matches an entry in the address binding table. Otherwise, the switch drops the ARP packet.
Note
For DAI to function, you must enable DHCP Snooping globally.
Configure DAI on a VLAN to VLAN basis.
Private VLANs (Etree)
SPBM B-VLANs
MLT port members