How to configure the DAI via CLI and SNMP on ECS4120 Series?
Dynamic ARP Inspection (DAI) is a security feature that validates the MAC address bindings in Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings. This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination, dropping any invalid ARP packets.
ARP Inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database – the DHCP snooping binding database or IP source guard binding database. ARP Inspection can also validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses.
Topology:
Basic Configuration via CLI command:
Step 1: Enable the DHCP snooping (DHCPSNP) function globally and on VLAN 1.
Console(config)#ip dhcp snooping
Console(config)#ip dhcp snooping vlan 1
Step 2: Set port 1 as a DHCP snooping trusted port.
Console(config)#interface ethernet 1/1
Console(config-if)#ip dhcp snooping trust
Step 3: Enable the DAI function globally and on VLAN 1, and set port 1 as a DAI trusted port.
Console(config)#ip arp inspection
Console(config)#ip arp inspection vlan 1
Console(config)#interface ethernet 1/1
Console(config-if)#ip arp inspection trust
Step 4: DHCP client gets the IP address from the DHCP server.
Step 5: The fake client configures the same IP address as the DHCP client and tries to send an ARP request packet.
Result: The switch drops the ARP packet from the fake client, because its IP-to-MAC binding does not match the entry in the DHCP snooping binding database.
Basic Configuration via SNMP:
[SNMPSET command format]
snmpset -v 2c -c private {switch ip} {daiGlobalStatus | daiVlanStatus | daiPortTrustStatus}.{daiVlanIndex | daiPortIfIndex} {integer} {value}
For daiGlobalStatus, OID 1.3.6.1.4.1.259.10.1.45.1.56.1.1
Set enabled(1) to enable dynamic ARP inspection globally.
Set disabled(2) to disable dynamic ARP inspection globally.
For daiVlanStatus, OID 1.3.6.1.4.1.259.10.1.45.1.56.2.1.1.2
This object indicates whether dynamic ARP inspection is enabled in this VLAN.
Set enabled(1) to enable dynamic ARP inspection on VLAN.
Set disabled(2) to disable dynamic ARP inspection on VLAN.
For daiVlanIndex,
This object indicates the VLAN ID on which dynamic ARP inspection is configured.
For daiPortTrustStatus, OID 1.3.6.1.4.1.259.10.1.45.1.56.3.1.1.2
This object indicates whether the port is trusted for dynamic ARP inspection.
Set enabled(1) to enable dynamic ARP inspection trust port.
Set disabled(2) to disable dynamic ARP inspection trust port.
For daiPortIfIndex,
The ifIndex value of the port.
Step 1: Enable the DAI function globally.
root@gavin:~# snmpset -v 2c -c private 192.168.1.1 .1.3.6.1.4.1.259.10.1.45.1.56.1.1.0 i 1
Check the configuration on CLI and SNMP:
SNMP:
CLI:
Step 2: Enable the DAI function on VLAN 1. (daiVlanIndex=1)
root@gavin:~# snmpset -v 2c -c private 192.168.1.1 .1.3.6.1.4.1.259.10.1.45.1.56.2.1.1.2.1 i 1
Check the configuration on CLI and SNMP:
SNMP:
CLI:
Step 3: Enable the DAI trust port on Port 1. (daiPortIfIndex=1)
root@gavin:~# snmpset -v 2c -c private 192.168.1.1 .1.3.6.1.4.1.259.10.1.45.1.56.3.1.1.2.1 i 1
Check the configuration on CLI and SNMP:
SNMP:
CLI:
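As an added example (not part of the article and not Edgecore's own tooling), a small Python helper that builds the same snmpset command lines from the DAI OIDs listed above and audits a net-snmp style snmpget output against the intended state (DAI on globally, on the VLAN, and the uplink port trusted). The snmpget output it parses is a constructed sample; the hostname, community string and index values are assumptions matching the article's steps.

```python
import re

# DAI subtree of the ECS4120 private MIB, as listed in the article.
DAI_BASE = ".1.3.6.1.4.1.259.10.1.45.1.56"
OIDS = {
    "daiGlobalStatus": DAI_BASE + ".1.1",         # scalar: instance is .0
    "daiVlanStatus": DAI_BASE + ".2.1.1.2",       # row index: daiVlanIndex
    "daiPortTrustStatus": DAI_BASE + ".3.1.1.2",  # row index: daiPortIfIndex
}
ENABLED, DISABLED = 1, 2


def oid_for(obj, index=None):
    """Full instance OID: scalars get '.0', table cells get '.<index>'."""
    return f"{OIDS[obj]}.{0 if index is None else index}"


def snmpset_cmd(host, community, obj, value, index=None):
    """Argument list equivalent to the article's snmpset invocations."""
    return ["snmpset", "-v", "2c", "-c", community, host,
            oid_for(obj, index), "i", str(value)]


_LINE = re.compile(r"^(\.[\d.]+) = INTEGER: (\d+)$")


def parse_snmpget(text):
    """Parse net-snmp numeric output ('snmpget -On ...') into {oid: int}."""
    result = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def dai_audit(snapshot, vlan, port_ifindex):
    """Return (oid, wanted, got) for every DAI object not in the intended state."""
    wanted = {
        oid_for("daiGlobalStatus"): ENABLED,
        oid_for("daiVlanStatus", vlan): ENABLED,
        oid_for("daiPortTrustStatus", port_ifindex): ENABLED,
    }
    return [(oid, want, snapshot.get(oid)) for oid, want in wanted.items()
            if snapshot.get(oid) != want]


# Constructed sample of 'snmpget -On' output: steps 1 and 3 applied, but the
# VLAN 1 step was skipped, so daiVlanStatus.1 still reads disabled(2).
SAMPLE_SNMPGET = """\
.1.3.6.1.4.1.259.10.1.45.1.56.1.1.0 = INTEGER: 1
.1.3.6.1.4.1.259.10.1.45.1.56.2.1.1.2.1 = INTEGER: 2
.1.3.6.1.4.1.259.10.1.45.1.56.3.1.1.2.1 = INTEGER: 1
"""

if __name__ == "__main__":
    print(" ".join(snmpset_cmd("192.168.1.1", "private", "daiVlanStatus", ENABLED, 1)))
    for oid, want, got in dai_audit(parse_snmpget(SAMPLE_SNMPGET), vlan=1, port_ifindex=1):
        print(f"mismatch {oid}: wanted {want}, got {got}")
```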