What is dynamic arp inspection – Dell POWEREDGE M1000E User Manual

Page 796


Snooping and Inspecting Traffic

What is Dynamic ARP Inspection?

Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks in which a hostile station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors: the attacker sends ARP requests or responses that map another station's IP address to the attacker's own MAC address, so the neighbors deliver frames meant for that station to the attacker instead.
When DAI is enabled, the switch drops ARP packets received on untrusted interfaces whose sender MAC address and sender IP address do not match an entry in the DHCP snooping bindings database. Because this is the only mandatory check, DAI can vouch only for stations whose MAC/IP pairing is present in that database. You can optionally configure additional ARP packet validation.
When DAI is enabled on a VLAN, DAI is enabled on the interfaces (physical ports or LAGs) that are members of that VLAN. Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is independent of the trust configuration for DHCP snooping.

Optional DAI Features

If the network administrator has configured the option, DAI verifies that the sender MAC address in the ARP payload equals the source MAC address in the Ethernet header. There is a separate configurable option to verify that the target MAC address equals the destination MAC address in the Ethernet header. This check applies only to ARP responses, since the target MAC address is unspecified in ARP requests.

You can also enable IP address checking. When this option is enabled, DAI drops ARP packets with an invalid IP address. The following IP addresses are considered invalid:

• 0.0.0.0
• 255.255.255.255
• all IP multicast addresses
• all class E addresses (240.0.0.0/4)
• loopback addresses (in the range 127.0.0.0/8)
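The following is an added example, not code from the Dell manual or the switch firmware: a minimal software model of the DAI decision described in this section, applied to raw Ethernet/ARP frames. It performs the mandatory binding lookup plus the three optional checks (sender MAC against Ethernet source, target MAC against Ethernet destination for responses only, and the invalid-address list above). The binding table, interface names, trust settings and sample frames are constructed for illustration; the check order, and the choice to validate the target IP only in responses, are assumptions rather than something the page states.

```python
# Added example (not the manual's or the switch's code). Check order and the
# "target IP checked only in replies" rule are assumptions; bindings, interface
# names and frames below are constructed for illustration.
import ipaddress
import struct
from collections import namedtuple
from dataclasses import dataclass, field

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6

ArpFrame = namedtuple("ArpFrame",
                      "eth_dst eth_src opcode sender_mac sender_ip target_mac target_ip")


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_arp_frame(eth_dst, eth_src, opcode, smac, sip, tmac, tip) -> bytes:
    """Build an untagged Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      smac, ipaddress.IPv4Address(sip).packed,
                      tmac, ipaddress.IPv4Address(tip).packed)
    return struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP) + arp


def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Extract the header and payload fields DAI compares; reject non-IPv4/Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode, smac, sip, tmac, tip = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return ArpFrame(eth_dst, eth_src, opcode, smac, str(ipaddress.IPv4Address(sip)),
                    tmac, str(ipaddress.IPv4Address(tip)))


@dataclass
class DaiVlan:
    """DAI state for one VLAN: snooping bindings, trusted interfaces, optional checks."""
    bindings: set = field(default_factory=set)   # {(sender_mac, sender_ip)}
    trusted: set = field(default_factory=set)    # interface names trusted for DAI
    validate_src_mac: bool = False
    validate_dst_mac: bool = False
    validate_ip: bool = False


def ip_is_invalid(ip: str) -> bool:
    """The addresses the manual lists as never valid in an ARP packet."""
    a = ipaddress.IPv4Address(ip)
    return (a == ipaddress.IPv4Address("0.0.0.0")
            or a == ipaddress.IPv4Address("255.255.255.255")
            or a.is_multicast                               # 224.0.0.0/4
            or a in ipaddress.IPv4Network("240.0.0.0/4")    # class E
            or a.is_loopback)                               # 127.0.0.0/8


def inspect(vlan: DaiVlan, ingress_if: str, frame: bytes) -> tuple:
    """Return (forward, reason) for one ARP frame arriving on ingress_if."""
    if ingress_if in vlan.trusted:            # trusted interfaces are not inspected
        return True, "trusted interface"
    arp = parse_arp_frame(frame)
    if vlan.validate_src_mac and arp.sender_mac != arp.eth_src:
        return False, "sender MAC != Ethernet source MAC"
    # Target MAC is only meaningful in replies; requests carry a placeholder.
    if vlan.validate_dst_mac and arp.opcode == ARP_REPLY and arp.target_mac != arp.eth_dst:
        return False, "target MAC != Ethernet destination MAC"
    if vlan.validate_ip:
        if ip_is_invalid(arp.sender_ip):
            return False, "invalid sender IP " + arp.sender_ip
        if arp.opcode == ARP_REPLY and ip_is_invalid(arp.target_ip):   # assumption
            return False, "invalid target IP " + arp.target_ip
    if (arp.sender_mac, arp.sender_ip) not in vlan.bindings:
        return False, "no DHCP snooping binding for sender MAC/IP"
    return True, "binding matched"


def run_demo() -> list:
    """Constructed scenario: a legitimate request, a poisoning reply, a forged sender MAC."""
    victim_mac, victim_ip = mac("00:11:22:33:44:55"), "10.0.0.10"
    attacker_mac = mac("de:ad:be:ef:00:01")
    vlan = DaiVlan(bindings={(victim_mac, victim_ip)}, trusted={"gi1/0/48"},
                   validate_src_mac=True, validate_dst_mac=True, validate_ip=True)
    legit = build_arp_frame(BROADCAST, victim_mac, ARP_REQUEST,
                            victim_mac, victim_ip, ZERO_MAC, "10.0.0.1")
    # Attacker claims the victim's IP maps to its own MAC (cache poisoning).
    poison = build_arp_frame(BROADCAST, attacker_mac, ARP_REPLY,
                             attacker_mac, victim_ip, BROADCAST, "10.0.0.1")
    # Attacker copies the victim's MAC into the ARP payload but not the Ethernet header.
    spoofed = build_arp_frame(BROADCAST, attacker_mac, ARP_REPLY,
                              victim_mac, victim_ip, BROADCAST, "10.0.0.1")
    return [inspect(vlan, "gi1/0/1", legit), inspect(vlan, "gi1/0/2", poison),
            inspect(vlan, "gi1/0/2", spoofed), inspect(vlan, "gi1/0/48", poison)]


if __name__ == "__main__":
    for ok, why in run_demo():
        print("FORWARD" if ok else "DROP   ", why)
```

Two things the demo makes visible that the prose only implies: the same poisoning reply that is dropped on an untrusted port is forwarded untouched when it arrives on a trusted one, so trust should be granted only to uplinks and servers you control; and a sender that forges the ARP payload MAC to match a real binding still fails when the optional source-MAC check is on, which is why that option is worth enabling.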
