DES-7200 Configuration Guide Chapter 10 Dynamic ARP Inspection Configuration
updates its ARP buffer using IPB and MACB.
In this model, device C corrupts the ARP entries held by device A and device B. Its method is to
broadcast ARP responses onto the network continuously; the IP address in each response is IPA or
IPB, while the MAC address is MACC. As a result, device A holds the ARP entry (IPB, MACC) and
device B holds the ARP entry (IPA, MACC). Traffic that A and B intend to exchange with each other
is instead sent to device C, without A or B being aware of it. Device C acts as an intermediary: it
modifies the received packets as it sees fit and forwards them on to the other device. This is the
well-known man-in-the-middle attack.
10.1.2 Understanding DAI and ARP Spoofing Attacks
DAI ensures that only legal ARP packets are forwarded by the device. It mainly performs the
following operations:
Intercepts all ARP request and response packets received on untrusted ports that belong to a
VLAN with the DAI inspection function enabled.
Checks the validity of the intercepted ARP packets against the DHCP snooping database before
further processing.
Drops the packets that fail the inspection.
Processes the packets that pass the inspection appropriately and forwards them to their
destinations.
The DHCP snooping binding database is what determines whether an ARP packet is valid or not.
For details, refer to DHCP Snooping Configuration.
10.1.3 Interface Trust Status and Network Security
ARP packets are checked according to the trust status of each port on the device. Packets received
through trusted ports are regarded as legal ARP packets and bypass the DAI check. ARP packets
received through untrusted ports are strictly checked by DAI.
In a typical network configuration, a layer 2 port connected to another network device should be
set as a trusted port, and a layer 2 port connected to a host should be set as an untrusted
port.
Note
Incorrectly configuring a layer 2 port as an untrusted port may affect normal
communication of the network.
For the specific configuration commands, refer to ip arp inspection trust and show ip arp
inspection interface.
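The decision DAI makes for each intercepted ARP packet, as described in 10.1.2 and 10.1.3, is modelled below in a small added example (not DES-7200 code). The binding database, port names, trust status and MAC/IP values are all constructed for illustration; the check that the sender's IP is bound to the ingress port is an assumption of this model.

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding database: (vlan, ip) -> (mac, port).
BINDINGS = {
    (10, "192.168.10.11"): ("aa:aa:aa:aa:aa:0a", "gi0/1"),  # device A
    (10, "192.168.10.12"): ("bb:bb:bb:bb:bb:0b", "gi0/2"),  # device B
}

# Constructed trust status: the uplink to another switch is trusted,
# host-facing ports are untrusted (the layout recommended in 10.1.3).
TRUSTED_PORTS = {"gi0/24"}
DAI_VLANS = {10}  # VLANs with DAI inspection enabled


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_mac: str
    sender_ip: str


def dai_inspect(pkt: ArpPacket) -> tuple[str, str]:
    """Return ('forward' | 'drop', reason) for one intercepted ARP packet."""
    if pkt.vlan not in DAI_VLANS:
        return "forward", "DAI not enabled on VLAN"
    if pkt.ingress_port in TRUSTED_PORTS:
        return "forward", "trusted port, inspection skipped"
    binding = BINDINGS.get((pkt.vlan, pkt.sender_ip))
    if binding is None:
        return "drop", "no DHCP snooping binding for sender IP"
    bound_mac, bound_port = binding
    if bound_mac != pkt.sender_mac.lower():
        return "drop", f"sender MAC does not match binding ({bound_mac})"
    if bound_port != pkt.ingress_port:  # assumption: binding port must match
        return "drop", f"sender IP is bound to port {bound_port}"
    return "forward", "sender IP/MAC matches binding"


def inspect_all(packets: list[ArpPacket]) -> dict[str, int]:
    """Count forward/drop verdicts, as a DAI statistics counter would."""
    counts = {"forward": 0, "drop": 0}
    for pkt in packets:
        counts[dai_inspect(pkt)[0]] += 1
    return counts
```

A spoofed reply claiming IPA with MACC on an untrusted port is dropped, while the same packet on the trusted uplink is forwarded unchecked, which is why host-facing ports must stay untrusted.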