Configure Port Dynamic ARP Inspection Function

Configuration Condition

Before configuring the port Dynamic ARP Inspection function, first complete the following task:

• Configure the port IP Source Guard binding entry

Configure Port Dynamic ARP Inspection

After enabling the port DAI function, the system checks the validity of the ARP packet received by the port according to the IP Source Guard binding entry. The invalid packet is dropped and recorded in the logs.

The contents recorded in the logs include VLAN ID, receiving port, sending IP address, destination IP address, sending MAC address, destination MAC address and the number of the same invalid ARP packets. The user can analyze further according to the recorded log information, such as locate the host initiating the ARP packet.

By default, the log information is output periodically. We can control the recording, outputting and aging of the packet by configuring the output interval of the log. The log output interval serves as the basis of the following log parameters:

• Log refresh period: Used to judge whether the logs need to output and age. If the configured log output interval is smaller than 5s, the log refresh period is equal to 1s. Otherwise, the log refresh period is equal to 1/5 of the log output interval.
• Log age time: After the age time times out, the logs are deleted. The log age time is the log output interval.
• Log token: In the log refresh period, the maximum number of the logs permitted to be recorded. The number of the log tokens is 15 multiples of the log refresh period.

After enabling the port DAI function, we can also configure the port ARP rate limitation function, that is, limit the number of the ARP packets that are processed every second, avoiding that the other protocol packets cannot be processed in time because the system processes lots of ARP packets for a long time.

• ---

  The port ARP rate limitation function is to limit the number of the ARP packets that are processed every second, avoiding that the other protocol packets cannot be processed in time because the system processes lots of ARP packets for a long time. After the number of the ARP packets received in one second exceeds the rate threshold, the subsequent received ARP packets are dropped. If the ARP packets received by the port in successive 20s exceed the rate, disable the port to isolate the packet impact source.

  ---

Table 9-2 Configure the port Dynamic ARP Inspection function

• ---

  After the port DAI function is enabled, all ARP packets received by the port (broadcast ARP and unicast ARP) are re-directed to the CPU for detecting, software forwarding, log recording and so on. When the number of the ARP packets is large, they seriously consume CPU resources, so when the device communicates normally, it is not suggested to enable the port DAI function. When it is doubted that there is ARP spoofing attack in the network, it is necessary to enable the port DAI function to detect and locate.
• In one port, the port DAI function cannot be used with the port security function at the same time.
• After configuring the rate threshold of the port processing the ARP packets in the aggregation group configuration mode, the ARP packet rate threshold of each member port of the aggregation group is the value.
• If the ARP packets received by the port in successive 20s exceed the upper threshold, but the port is not automatically disabled, it is necessary to refer to the Error-Disable chapter of the configuration manual.

  ---