Hà Nội: NTT03, Line 1, Thống Nhất Complex, 82 Nguyễn Tuân, Thanh Xuân, Hà Nội. ● HCM: Số 31B, Đường 1, Phường An Phú, Quận 2 (Thủ Đức), TP HCM. ===> Đơn Vị Hàng Đầu Trong Lĩnh Vực Cung Cấp Thiết Bị Security - Network - Wifi - CCTV - Conference - Máy chủ Server - Lưu trữ Storge.
Danh mục sản phẩm

Configure Port Dynamic ARP Inspection Function

Configuration Condition

Before configuring the port Dynamic ARP Inspection function, first complete the following task:

  • Configure the port IP Source Guard binding entry

Configure Port Dynamic ARP Inspection

After enabling the port DAI function, the system checks the validity of the ARP packet received by the port according to the IP Source Guard binding entry. The invalid packet is dropped and recorded in the logs.

The contents recorded in the logs include VLAN ID, receiving port, sending IP address, destination IP address, sending MAC address, destination MAC address and the number of the same invalid ARP packets. The user can analyze further according to the recorded log information, such as locate the host initiating the ARP packet.

By default, the log information is output periodically. We can control the recording, outputting and aging of the packet by configuring the output interval of the log. The log output interval serves as the basis of the following log parameters:

  • Log refresh period: Used to judge whether the logs need to output and age. If the configured log output interval is smaller than 5s, the log refresh period is equal to 1s. Otherwise, the log refresh period is equal to 1/5 of the log output interval.
  • Log age time: After the age time times out, the logs are deleted. The log age time is the log output interval.
  • Log token: In the log refresh period, the maximum number of the logs permitted to be recorded. The number of the log tokens is 15 multiples of the log refresh period.

After enabling the port DAI function, we can also configure the port ARP rate limitation function, that is, limit the number of the ARP packets that are processed every second, avoiding that the other protocol packets cannot be processed in time because the system processes lots of ARP packets for a long time.

note


  • The port ARP rate limitation function is to limit the number of the ARP packets that are processed every second, avoiding that the other protocol packets cannot be processed in time because the system processes lots of ARP packets for a long time. After the number of the ARP packets received in one second exceeds the rate threshold, the subsequent received ARP packets are dropped. If the ARP packets received by the port in successive 20s exceed the rate, disable the port to isolate the packet impact source.

Table 9-2 Configure the port Dynamic ARP Inspection function

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enter the L2 Ethernet interface configuration mode

interface interface-name

Either

 

After entering the L2 Ethernet interface configuration mode, the subsequent configuration just takes effect on the current port. After entering the aggregation group configuration mode, the subsequent configuration just takes effect on the aggregation group.

Enter the aggregation group configuration mode

interface link-aggregation link-aggregation-id

Enable the port DAI function

ip arp inspection

Mandatory

 

By default, the port DAI function is disabled.

Configure the upper threshold of the ARP packets processed by the port

ip arp inspection rate-limit limit-value

Optional

 

By default, the upper threshold of the ARP packets processed by the port is 15pps.

Return to the global configuration mode

exit

-

Configure the number of the buffered logs

ip arp inspection log-buffer buffer-size

Optional

By default, the system can buffer 32 logs.

If it is configured as 0, it indicates that the logs are not buffered, that is, after detecting the invalid ARP packet, the logs are directly output to the terminal.

Configure the log output interval

ip arp inspection log-interval seconds

Optional

By default, the log output interval is 20s.

If it is configured as 0, it indicates that the logs are not buffered, that is, after detecting the invalid ARP packet, the logs are directly output to the terminal.

Configure the log output level

ip arp inspection log-level log-level

Optional

By default, the log output level is 6.

note


  • After the port DAI function is enabled, all ARP packets received by the port (broadcast ARP and unicast ARP) are re-directed to the CPU for detecting, software forwarding, log recording and so on. When the number of the ARP packets is large, they seriously consume CPU resources, so when the device communicates normally, it is not suggested to enable the port DAI function. When it is doubted that there is ARP spoofing attack in the network, it is necessary to enable the port DAI function to detect and locate.
  • In one port, the port DAI function cannot be used with the port security function at the same time.
  • After configuring the rate threshold of the port processing the ARP packets in the aggregation group configuration mode, the ARP packet rate threshold of each member port of the aggregation group is the value.
  • If the ARP packets received by the port in successive 20s exceed the upper threshold, but the port is not automatically disabled, it is necessary to refer to the Error-Disable chapter of the configuration manual.