Dynamic ARP Inspection, DAI Global Configuration – Dell PowerEdge M1000E User Manual

Page 389

Configuring Switching Information

Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The miscreant sends ARP requests or responses mapping another station’s IP address to its own MAC address.

DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and builds a binding database of valid {MAC address, IP address, VLAN, and interface} tuples.

When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP address do not match an entry in the DHCP snooping bindings database. You can optionally configure additional ARP packet validation.
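The binding check described above can be modeled in a few lines. This is an added illustration, not code from the manual or from the switch firmware. The binding entries, interface names, and addresses are constructed, and keying the lookup by VLAN and ingress interface is an assumption about how the tuple is matched.

```python
import ipaddress
import struct

# Constructed DHCP snooping bindings: (VLAN, interface) -> {MAC: IP}.
# Assumption: a binding only applies on the VLAN and port it was learned on.
BINDINGS = {
    (10, "Gi1/0/1"): {"00:11:22:33:44:55": "192.168.10.20"},
    (10, "Gi1/0/2"): {"00:11:22:33:44:66": "192.168.10.30"},
}

def parse_arp(payload: bytes):
    """Return (opcode, sender MAC, sender IP) from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha = ":".join(f"{b:02x}" for b in payload[8:14])
    spa = str(ipaddress.IPv4Address(payload[14:18]))
    return oper, sha, spa

def dai_verdict(payload: bytes, vlan: int, interface: str) -> str:
    """Forward only if the sender MAC/IP pair matches a binding; otherwise drop."""
    try:
        _, sha, spa = parse_arp(payload)
    except ValueError:
        return "drop"  # malformed ARP is never forwarded
    bound_ip = BINDINGS.get((vlan, interface), {}).get(sha)
    return "forward" if bound_ip == spa else "drop"

def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a constructed ARP payload to feed the check (sample input only)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return header + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

if __name__ == "__main__":
    host = "00:11:22:33:44:55"
    peer = "00:11:22:33:44:66"
    # Sender pair matches the binding learned on Gi1/0/1.
    valid = build_arp(2, host, "192.168.10.20", peer, "192.168.10.30")
    # Same MAC claims an IP it was never leased (the mapping DAI rejects).
    mismatch = build_arp(2, host, "192.168.10.1", peer, "192.168.10.30")
    print(dai_verdict(valid, 10, "Gi1/0/1"))     # forward
    print(dai_verdict(mismatch, 10, "Gi1/0/1"))  # drop
    print(dai_verdict(valid, 10, "Gi1/0/2"))     # drop
```
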
The Dynamic ARP Inspection menu page contains links to the following features:

DAI Global Configuration
DAI Interface Configuration
DAI VLAN Configuration
DAI ACL Configuration
DAI ACL Rule Configuration
DAI Statistics

DAI Global Configuration

Use the DAI Configuration page to configure global DAI settings.
To display the DAI Configuration page, click Switching > Dynamic ARP Inspection > Global Configuration in the navigation tree.

Figure 7-101. Dynamic ARP Inspection Global Configuration
