Common ARP Operations : Configuring Dynamic ARP Detection

Latest reply: Jul 5, 2016 01:13:49

Dynamic ARP inspection (DAI) is used to prevent man-in-the-middle (MITM) attacks. If DAI is not configured, the ARP entries of authorized users on the device may be updated by forged ARP packets sent by attackers.

DAI checks ARP packets against the binding tables (the dynamic DHCP snooping binding table and the static binding table).

When it receives an ARP packet, the device compares the source IP address, source MAC address, interface, and VLAN in the ARP packet with the information in the binding table. You can configure which parameters are compared, for example, the source IP address and VLAN.
  • If the parameters match the table information, the user is authorized and the device allows the ARP packet to pass through.
  • If the parameters do not match the table information, the device considers it an attack packet and discards it.

# Configure DHCP snooping on the device and enable DAI on the interface connecting the device to the user side.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable //Enable DHCP snooping on the interface connecting the device to the user side.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted //Configure the interface connecting the device to the DHCP server as a trusted interface. If DHCP snooping is deployed on the DHCP relay device, the trusted interface configuration is optional.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure the static binding table on the device for the users configured with static IP addresses.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable //Enable DAI on the interface connecting the device to the user side.
[HUAWEI-GigabitEthernet1/0/1] quit

# Configure DHCP snooping on the device and enable DAI in the user-side VLAN.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable //Enable DHCP snooping in the VLAN that the user device belongs to.
[HUAWEI-vlan100] quit
[HUAWEI] vlan 200
[HUAWEI-vlan200] dhcp snooping enable
[HUAWEI-vlan200] dhcp snooping trusted interface gigabitethernet 1/0/2 //Configure the interface connecting the device to the DHCP server as a trusted interface. If DHCP snooping is deployed on the DHCP relay device, the trusted interface configuration is optional.
[HUAWEI-vlan200] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure the static binding table on the device for the users configured with static IP addresses.
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable //Enable DAI in the user-side VLAN.
[HUAWEI-vlan100] quit

user_1763575
Created Jul 5, 2016 01:13:49 Helpful(0) Helpful(0)
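The decision rule the post describes (compare the ARP packet's source IP, source MAC, VLAN and inbound interface against the DHCP snooping and static bindings, and drop on mismatch), as an added Python model that is not part of the post or of Huawei's software. It reproduces the first scenario of the post: DAI on the user-side interface GE1/0/1, no DAI on GE1/0/2 towards the DHCP server, and the static binding for 10.10.10.1 in VLAN 100. Assumptions: the host addresses, MACs and ARP packets are constructed sample data; a field that a static binding leaves unspecified (the MAC and interface in the post's `user-bind static` line) is treated as a wildcard, which is this model's simplification, not behaviour the page documents; and the selectable check items mirror the parameters the post says you can choose to compare.

```python
"""Model of the Dynamic ARP Inspection check described in the post.
Nothing here talks to a switch: bindings, interfaces and ARP packets are
constructed in-script so the decision logic can be exercised offline."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    ip: str
    vlan: int
    mac: Optional[str] = None         # None = not bound (wildcard in this model, an assumption)
    interface: Optional[str] = None   # None = not bound (wildcard in this model, an assumption)
    source: str = "static"            # "dhcp-snooping" for dynamically learnt entries


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    vlan: int
    interface: str                    # inbound interface


ALL_CHECK_ITEMS = ("ip", "mac", "vlan", "interface")


class DaiSwitch:
    """Binding table plus the interfaces/VLANs on which DAI is enabled."""

    def __init__(self, check_items=ALL_CHECK_ITEMS):
        self.bindings: list[Binding] = []
        self.dai_interfaces: set[str] = set()
        self.dai_vlans: set[int] = set()
        self.check_items = set(check_items)   # which packet fields are compared

    def learn_dhcp(self, ip, mac, vlan, interface):
        """Dynamic entry that DHCP snooping would create from a DHCP ACK."""
        self.bindings.append(Binding(ip, vlan, mac, interface, "dhcp-snooping"))

    def user_bind_static(self, ip, vlan, mac=None, interface=None):
        """Counterpart of 'user-bind static ip-address ... vlan ...'."""
        self.bindings.append(Binding(ip, vlan, mac, interface, "static"))

    def enable_dai_interface(self, interface):
        """'arp anti-attack check user-bind enable' in interface view."""
        self.dai_interfaces.add(interface)

    def enable_dai_vlan(self, vlan):
        """'arp anti-attack check user-bind enable' in VLAN view."""
        self.dai_vlans.add(vlan)

    def _matches(self, b: Binding, pkt: ArpPacket) -> bool:
        results = {
            "ip": b.ip == pkt.sender_ip,
            "mac": b.mac is None or b.mac == pkt.sender_mac,
            "vlan": b.vlan == pkt.vlan,
            "interface": b.interface is None or b.interface == pkt.interface,
        }
        return all(results[item] for item in self.check_items)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'permit' or 'drop' for one ARP packet."""
        if pkt.interface not in self.dai_interfaces and pkt.vlan not in self.dai_vlans:
            return "permit"   # DAI is not enabled here, so the packet is not inspected
        if any(self._matches(b, pkt) for b in self.bindings):
            return "permit"   # matches a binding: sender is an authorized user
        return "drop"         # no binding matches: treated as an attack packet


def run_scenarios(check_items=ALL_CHECK_ITEMS) -> dict[str, str]:
    """Scenario 1 of the post with constructed hosts; returns verdict per packet."""
    sw = DaiSwitch(check_items)
    sw.enable_dai_interface("GE1/0/1")                     # user-side interface
    sw.learn_dhcp("10.10.10.20", "00:11:22:33:44:20", 100, "GE1/0/1")   # learnt by snooping
    sw.user_bind_static("10.10.10.1", 100)                  # the post's static binding
    attacker_mac = "00:de:ad:be:ef:01"                      # constructed attacker MAC
    pkts = {
        "legit_dhcp_client": ArpPacket("10.10.10.20", "00:11:22:33:44:20", 100, "GE1/0/1"),
        "spoof_client_ip":   ArpPacket("10.10.10.20", attacker_mac, 100, "GE1/0/1"),
        "wrong_vlan":        ArpPacket("10.10.10.20", "00:11:22:33:44:20", 300, "GE1/0/1"),
        "unknown_host":      ArpPacket("10.10.10.99", attacker_mac, 100, "GE1/0/1"),
        "claim_static_ip":   ArpPacket("10.10.10.1", attacker_mac, 100, "GE1/0/1"),
        "no_dai_on_port":    ArpPacket("10.10.10.20", attacker_mac, 100, "GE1/0/2"),
    }
    return {name: sw.inspect(p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18s} {verdict}")
    print("spoof with ip+vlan check only:", run_scenarios(("ip", "vlan"))["spoof_client_ip"])
```

Two of the scenarios are the ones worth noticing. `claim_static_ip` is permitted from any MAC because the static binding pins only the IP and VLAN; under the model's wildcard assumption that leaves the MAC unchecked, so a binding that also carries the host's MAC address is the safer form. `spoof_client_ip` is dropped with all four fields compared but permitted when only the source IP and VLAN are checked, which is why narrowing the compared parameters should be a deliberate decision rather than a convenience.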

Common ARP Operations : Configuring Dynamic ARP Detection

Thank you.