How to configure dynamic ARP inspection (DAI) on S series switches

For S series switches (except S1700 switches): dynamic ARP inspection (DAI) prevents man-in-the-middle (MITM) attacks against authorized users' information. When a device receives an ARP packet, it compares the packet's source IP address, source MAC address, port number, and VLAN ID with the entries in a binding table. If the ARP packet matches a binding entry, the device treats it as sent by an authorized user and allows it to pass through. If the ARP packet does not match any binding entry, the device treats it as an attack packet and discards it.
You can enable DAI in the interface view or the VLAN view. When DAI is enabled in the interface view, the device checks all ARP packets received on the interface against the binding entries. When DAI is enabled in the VLAN view, the device checks ARP packets received on interfaces that belong to the VLAN against the binding entries.
This function is available only for DHCP snooping scenarios.
# Configure DHCP snooping on the device and enable DAI on a user-side interface.
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable //Enable DHCP snooping on the user-side interface.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted //Configure the network-side interface connected to the DHCP server as a trusted interface. If DHCP snooping is configured on a DHCP relay device, configuring a trusted interface is optional.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure a static binding entry for a user with a static IP address.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable //Enable DAI on the user-side interface.
[HUAWEI-GigabitEthernet1/0/1] quit

# Configure DHCP snooping on the device and enable DAI in the VLAN to which users belong.
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable //Enable DHCP snooping in the VLAN to which users belong.
[HUAWEI-vlan100] quit
[HUAWEI] vlan 200
[HUAWEI-vlan200] dhcp snooping enable
[HUAWEI-vlan200] dhcp snooping trusted interface gigabitethernet 1/0/2 //Configure the network-side interface connected to the DHCP server as a trusted interface. If DHCP snooping is configured on a DHCP relay device, configuring a trusted interface is optional.
[HUAWEI-vlan200] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure a static binding entry for a user with a static IP address.
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable //Enable DAI in the VLAN to which users belong.
[HUAWEI-vlan100] quit
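
The check described above, modeled in Python as an added example (not Huawei code or device output). The class and function names, the port labels, and all sample addresses are constructed for illustration, and treating an unconfigured field of a static entry as "not compared" is an assumption of this model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    """One binding-table entry. None means the field was not configured
    (assumption of this model: an unset field is not compared)."""
    ip: str
    mac: Optional[str] = None
    vlan: Optional[int] = None
    port: Optional[str] = None

@dataclass(frozen=True)
class Arp:
    src_ip: str
    src_mac: str
    vlan: int
    port: str

def matches(entry: Binding, pkt: Arp) -> bool:
    """Compare source IP, source MAC, VLAN ID and port against one entry."""
    pairs = [(entry.ip, pkt.src_ip), (entry.mac, pkt.src_mac),
             (entry.vlan, pkt.vlan), (entry.port, pkt.port)]
    return all(want is None or want == got for want, got in pairs)

def dai_verdict(pkt, table, dai_ports=(), dai_vlans=()):
    """Return 'forward' or 'discard' for an ARP packet received on pkt.port."""
    # Only interfaces or VLANs with DAI enabled are checked at all.
    if pkt.port not in dai_ports and pkt.vlan not in dai_vlans:
        return "forward"
    return "forward" if any(matches(e, pkt) for e in table) else "discard"

# Constructed sample data: one dynamic entry as DHCP snooping would record it,
# plus the static entry from the configuration above (IP and VLAN only).
TABLE = [
    Binding("10.10.10.20", "00e0-fc12-3456", 100, "GE1/0/1"),
    Binding("10.10.10.1", vlan=100),
]
LEGIT = Arp("10.10.10.20", "00e0-fc12-3456", 100, "GE1/0/1")
SPOOF = Arp("10.10.10.20", "00e0-fc99-9999", 100, "GE1/0/1")    # MAC differs from binding
STATIC = Arp("10.10.10.1", "00e0-fc00-0001", 100, "GE1/0/1")
UPLINK = Arp("10.10.10.254", "00e0-fc00-00fe", 200, "GE1/0/2")  # DAI not enabled here

if __name__ == "__main__":
    cases = [("legit", LEGIT), ("spoof", SPOOF), ("static", STATIC), ("uplink", UPLINK)]
    for name, pkt in cases:
        print(name, dai_verdict(pkt, TABLE, dai_ports={"GE1/0/1"}))
```

Passing `dai_vlans={100}` instead of `dai_ports` models the VLAN-view configuration: every interface in VLAN 100 is checked, while ARP packets in VLAN 200 are not.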
