How to configure dynamic ARP inspection (DAI) on S series switches


For S series switches (except S1700 switches): DAI prevents man-in-the-middle (MITM) attacks on authorized user information. When a device receives an ARP packet, it compares the source IP address, source MAC address, port number, and VLAN ID of the ARP packet with those in a binding table. If the ARP packet matches a binding entry, the device considers the ARP packet to be from an authorized user and allows the packet to pass through. If the ARP packet does not match any binding entry, the device considers the ARP packet as an attack packet and discards it.
You can enable DAI in the interface view or the VLAN view. When DAI is enabled in the interface view, the device checks all ARP packets received on the interface against the binding entries. When DAI is enabled in the VLAN view, the device checks ARP packets received on interfaces that belong to the VLAN against the binding entries.
This function is available only for DHCP snooping scenarios.
# Configure DHCP snooping on the device and enable DAI on a user-side interface.
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable //Enable DHCP snooping on the user-side interface.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted //Configure the network-side interface connected to the DHCP server as a trusted interface. If DHCP snooping is configured on a DHCP relay device, configuring a trusted interface is optional.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure a static binding entry for a user with a static IP address.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable //Enable DAI on the user-side interface.
[HUAWEI-GigabitEthernet1/0/1] quit

# Configure DHCP snooping on the device and enable DAI in the VLAN to which users belong.
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable //Enable DHCP snooping in the VLAN to which users belong.
[HUAWEI-vlan100] quit
[HUAWEI] vlan 200
[HUAWEI-vlan200] dhcp snooping enable
[HUAWEI-vlan200] dhcp snooping trusted interface gigabitethernet 1/0/2 //Configure the network-side interface connected to the DHCP server as a trusted interface. If DHCP snooping is configured on a DHCP relay device, configuring a trusted interface is optional.
[HUAWEI-vlan200] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure a static binding entry for a user with a static IP address.
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable //Enable DAI in the VLAN to which users belong.
[HUAWEI-vlan100] quit
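The following is an added simulation of the DAI check described above (it is not Huawei code): the sender MAC and sender IP are parsed out of an ARP frame and, together with the ingress port and VLAN, looked up in a binding table; a match passes, a mismatch is dropped, and interfaces where DAI is not enabled (neither in the interface view nor via their VLAN) are not inspected. The binding entry, the MAC addresses and the port names are constructed sample values; only the 10.10.10.1 / VLAN 100 pairing comes from the page.

```python
from dataclasses import dataclass
import struct

@dataclass(frozen=True)
class Binding:            # one DHCP snooping or static user-bind entry
    ip: str
    mac: str
    port: str
    vlan: int

def build_arp(sender_mac: str, sender_ip: str, target_ip: str, op: int = 1) -> bytes:
    """Build an untagged Ethernet II + ARP frame (constructed test input)."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    ip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac + ip + b"\x00" * 6 + tip
    return b"\xff" * 6 + mac + b"\x08\x06" + arp

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) of an untagged ARP frame; raise on anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an untagged ARP frame")
    hw, proto, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP header")
    sha = ":".join(f"{b:02x}" for b in frame[22:28])   # sender hardware address
    spa = ".".join(str(b) for b in frame[28:32])       # sender protocol address
    return sha, spa

def dai_check(frame, port, vlan, bindings, dai_ports=(), dai_vlans=()):
    """Return 'pass' or 'drop'. DAI applies on ports listed in dai_ports (interface
    view) or on ports whose VLAN is in dai_vlans (VLAN view); elsewhere no check."""
    if port not in dai_ports and vlan not in dai_vlans:
        return "pass"          # DAI not enabled for this ingress: packet is not inspected
    sha, spa = parse_arp(frame)
    return "pass" if Binding(spa, sha, port, vlan) in bindings else "drop"

# Constructed sample data: the page's static user-bind for 10.10.10.1 in VLAN 100
# with a hypothetical MAC, a frame from that host, and a frame from an unbound MAC
# claiming the same IP.
BINDINGS = {Binding("10.10.10.1", "00:11:22:33:44:55", "GE1/0/1", 100)}
LEGIT = build_arp("00:11:22:33:44:55", "10.10.10.1", "10.10.10.254")
UNBOUND = build_arp("de:ad:be:ef:00:01", "10.10.10.1", "10.10.10.254")

if __name__ == "__main__":
    print(dai_check(LEGIT, "GE1/0/1", 100, BINDINGS, dai_ports=("GE1/0/1",)))   # pass
    print(dai_check(UNBOUND, "GE1/0/1", 100, BINDINGS, dai_ports=("GE1/0/1",)))  # drop
    print(dai_check(UNBOUND, "GE1/0/3", 200, BINDINGS, dai_vlans=(100,)))        # pass (not inspected)
```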

Other related questions:

ARP anti-spoofing configuration on S series switch
The S series switch, except S1700, provides various methods to prevent ARP spoofing attacks.
- Dynamic ARP inspection (DAI). This function applies to the network where DHCP snooping is configured. It is recommended to configure DAI on the access switches. DAI can prevent man-in-the-middle attacks.
# Enable DAI on GE 1/0/1.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
# Enable DAI in VLAN 100.
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable
- Configure fixed ARP. To prevent ARP spoofing attacks, configure fixed ARP on the gateway.
# Enable fixed ARP in fixed MAC mode.
[HUAWEI] arp anti-attack entry-check fixed-mac enable
- Configure ARP gateway anti-collision (available only on S5720SI/S5720S-SI, S5720EI, S5720HI, S6720EI, and modular switches). When user hosts are directly connected to the gateway, configure this function on the gateway.
# Enable ARP gateway anti-collision.
[HUAWEI] arp anti-attack gateway-duplicate enable
- Configure the switch to actively discard gratuitous ARP packets (available only on modular switches). If you confirm that the gratuitous ARP packets are from attackers, enable the gateway to actively discard gratuitous ARP packets.
# Enable the switch to actively discard gratuitous ARP packets globally.
[HUAWEI] arp anti-attack gratuitous-arp drop

Configure egress ARP inspection (EAI) on S series switches
After EAI is enabled on an S series switch (except the S1700 switch), the switch restricts the scope of ARP packet forwarding. This function prevents broadcast of ARP packets in a VLAN and reduces the traffic volume in the VLAN.
1. In the VLAN view, run the dhcp snooping arp security enable command to enable EAI. By default, EAI is disabled.
2. (Optional) Run the dhcp snooping arp security isolate-forwarding-trust command to forward ARP packets to trusted interfaces when port isolation is enabled on both inbound and outbound interfaces. If port isolation is enabled on the interface connected to the user side, perform this configuration on the switch enabled with EAI and configure intra-VLAN proxy ARP on the uplink devices. By default, the function of forwarding ARP packets to trusted interfaces when port isolation is enabled on both inbound and outbound interfaces is disabled.

Delete ARP entries on S series switch
On an S series switch, except S1700, run the reset arp { all | dynamic [ ip ip-address [ vpn-instance vpn-instance-name ] ] | interface interface-type interface-number [ ip ip-address ] | static } command in the user view to delete ARP entries. The parameters are as follows:
- all: deletes all ARP entries.
- dynamic: deletes dynamic ARP entries.
- static: deletes static ARP entries.
- interface: deletes ARP entries on the specified interface.
- ip-address: deletes ARP entries of the specified IP address.
- vpn-instance: deletes ARP entries in the specified VPN instance.
Run the undo arp static ip-address mac-address [ vpn-instance vpn-instance-name | [ vid vlan-id [ cevid ce-vid ] ] interface interface-type interface-number[.subinterface-number ] ] or undo arp static ip-address [ vpn-instance vpn-instance-name | vid vlan-id [ cevid ce-vid ] interface interface-type interface-number[.subinterface-number ] ] command in the system view to delete ARP entries.

Configure dynamic NAT on S series switches
S7700, S9700, and S9300 series modular switches use SPUs to support dynamic NAT.
