Dynamic ARP inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. It prevents a class of man-in-the-middle attacks in which a hostile station intercepts traffic destined for other stations by poisoning the ARP caches of its unsuspecting neighbors: the attacker sends ARP requests or replies that map another station's IP address to its own MAC address.
DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and builds a bindings database of valid (MAC address, IP address, VLAN) tuples for the hosts that obtained their addresses through DHCP.
When DAI is enabled, the switch drops an ARP packet if its sender MAC address and sender IP address do not match an entry in the DHCP snooping bindings database. Hosts that never use DHCP have no entry in that database, so their ARP packets would be dropped; the dependency on DHCP snooping is relaxed with static mappings. Static mappings are useful when hosts are configured with static IP addresses, when DHCP snooping cannot be run, or when other switches in the network do not run dynamic ARP inspection. A static mapping associates an IP address with a MAC address on a VLAN, and the switch accepts ARP packets whose sender fields match it exactly as it accepts a DHCP-learned binding.
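The following Python model shows the decision described above: an ARP frame is parsed, its sender MAC and sender IP are looked up in the DHCP snooping bindings and then in the static mappings for the VLAN, and the frame is dropped when neither matches. It is an added example, not NETGEAR's code or the switch's actual implementation. The port names, bindings, addresses and frames are constructed for illustration, and the notion of a trusted port that bypasses inspection (used here for the uplink) is general DAI behaviour that this article does not itself describe.

```python
"""Model of the dynamic ARP inspection (DAI) decision for one VLAN.

Added example, not NETGEAR code. All bindings, ports and frames are constructed.
"""
import struct
from dataclasses import dataclass, field

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass(frozen=True)
class Binding:
    """One (MAC, IP, VLAN) tuple, learned by DHCP snooping or configured statically."""
    mac: str
    ip: str
    vlan: int


@dataclass(frozen=True)
class Arp:
    eth_src: str
    oper: int
    sender_mac: str
    sender_ip: str
    target_ip: str


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if the frame is not ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is modelled")
    return Arp(fmt_mac(frame[6:12]), oper, fmt_mac(frame[22:28]),
               fmt_ip(frame[28:32]), fmt_ip(frame[38:42]))


def arp_frame(eth_src, sender_mac, sender_ip, target_mac, target_ip, oper=ARP_REPLY) -> bytes:
    """Build a broadcast ARP frame (constructed test input, not a capture)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


@dataclass
class DaiVlan:
    vlan: int
    dhcp_bindings: set = field(default_factory=set)    # filled by DHCP snooping
    static_bindings: set = field(default_factory=set)  # operator-configured mappings
    trusted_ports: set = field(default_factory=set)    # assumed: uplinks are not inspected

    def inspect(self, port: str, frame: bytes) -> tuple:
        """Return ('permit'|'drop', reason) for a frame arriving on `port`."""
        if port in self.trusted_ports:
            return "permit", "trusted port, ARP is not inspected"
        pkt = parse_arp(frame)
        if pkt is None:
            return "permit", "not ARP, DAI does not apply"
        key = Binding(pkt.sender_mac, pkt.sender_ip, self.vlan)
        if key in self.dhcp_bindings:
            return "permit", "sender matches a DHCP snooping binding"
        if key in self.static_bindings:
            return "permit", "sender matches a static mapping"
        return "drop", f"no binding for {pkt.sender_ip} at {pkt.sender_mac} on VLAN {self.vlan}"


def demo() -> dict:
    """Run the constructed scenarios and return the action taken for each."""
    router, victim, attacker = "00:11:22:33:44:01", "00:11:22:33:44:50", "00:11:22:33:44:66"
    vlan10 = DaiVlan(vlan=10, trusted_ports={"1/0/48"})
    vlan10.dhcp_bindings |= {Binding(victim, "10.0.0.50", 10), Binding(attacker, "10.0.0.66", 10)}
    out = {}
    # Honest reply from a DHCP client on its own access port.
    out["victim_reply"] = vlan10.inspect("1/0/5", arp_frame(victim, victim, "10.0.0.50", router, "10.0.0.1"))[0]
    # The attacker's ARP for its own leased address is legitimate...
    out["attacker_own"] = vlan10.inspect("1/0/7", arp_frame(attacker, attacker, "10.0.0.66", victim, "10.0.0.50"))[0]
    # ...but a reply claiming the gateway's IP is the poisoning attempt DAI blocks.
    out["attacker_poison"] = vlan10.inspect("1/0/7", arp_frame(attacker, attacker, "10.0.0.1", victim, "10.0.0.50"))[0]
    # The router has a static IP, so DHCP snooping never learns it; its ARP is dropped
    # on an untrusted port until a static mapping is added.
    router_frame = arp_frame(router, router, "10.0.0.1", victim, "10.0.0.50")
    out["router_before_static"] = vlan10.inspect("1/0/24", router_frame)[0]
    vlan10.static_bindings.add(Binding(router, "10.0.0.1", 10))
    out["router_after_static"] = vlan10.inspect("1/0/24", router_frame)[0]
    # The same frame on the trusted uplink is forwarded without any lookup.
    out["router_on_trusted"] = DaiVlan(10, trusted_ports={"1/0/48"}).inspect("1/0/48", router_frame)[0]
    return out


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:22} {action}")
```

The `router_before_static` case is the situation the article's static mappings exist for: a host with a static address (typically the default gateway) is exactly the host an attacker wants to impersonate, and without a mapping for it the switch drops the real router's ARP along with the forged one.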

This article applies to the following managed switches and their respective firmware:
- M5300 - firmware version 10.0.0.x
  - M5300-28G (GSM7228S)
  - M5300-5G (GSM7252S)
  - M5300-28G3 (GSM7328Sv2h2)
  - M5300-52G3 (GSM7352Sv2h2)
  - M5300-28G_POE+ (GSM7228PSv1h2)
  - M5300-52G-POE+ (GSM7252PSv1h2)
  - M5300-28GF3 (GSM7328FSv2)
- M4100 - firmware version 10.0.1.x
  - M4100-26G (GSM7224v2h2)
  - M4100-50G (GSM7248v2h2)
  - M4100-26G-POE (GSM7226Pv1h1)
  - M4100-50G-POE+ (GSM7248Pv1h1)
  - M4100-26G-POE (FSM7226Pv1h1)
  - M4100-50-POE (FSM7250Pv1h1)
  - M4100-D12G (GSM5212v1h1)
  - M4100-D10-POE (FSM5210Pv1h1)
- M7100 - firmware version 10.0.1.x
- XSM7224S - firmware version 9.0.1.x
Last Updated: 03/29/2023 | Article ID: 21808