Overview of Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) detects and prevents ARP spoofing attacks by checking the validity of ARP packets, improving network security. The DAI function is divided into two kinds:
- Port DAI function: checks the validity of ARP packets received on the specified port, so as to detect and prevent ARP spoofing attacks on that port.
The basis for checking the validity of an ARP packet is the port IP Source Guard binding entry. The checking principle is as follows:
If the sender IP address, source MAC address and VLAN ID of the received ARP packet match a port IP Source Guard binding entry on that port, the ARP packet is valid and is forwarded. Otherwise, the ARP packet is invalid: it is dropped and a log entry is recorded.
- Global DAI function: checks the validity of ARP packets received on all ports, so as to prevent fake users from sending forged ARP packets that would create incorrect ARP entries on other hosts.
ARP packet validity detection is based on the global IP Source Guard binding entry. The detection principle is as follows:
If the sender IP address in the received ARP packet is the same as the IP address in a global IP Source Guard binding entry but the source MAC address is different, the ARP packet is judged to be forged and is dropped without recording a log entry. A packet whose sender IP address matches no global binding entry is not affected by this check.
Both the port DAI and global DAI functions also check the effectiveness of the ARP packet. The checking principle is as follows:
If the source MAC address of the received ARP packet (the source MAC of the Ethernet frame) differs from the sender MAC address carried in the ARP header, the packet is ineffective: it is dropped without recording a log entry. This catches packets where the attacker forges only one of the two addresses.
- Interface ARP attack detection: does not perform validity detection on ARP packets received on the specified interface; it only records log information, which is used to detect ARP attacks.
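The following is an added example, not code from the switch vendor or this manual, that models the decision logic described above as a small Python checker: the effectiveness check (frame source MAC versus ARP sender MAC, silent drop), the port DAI check against per-port IP Source Guard bindings (drop and log), the global DAI check against global bindings (silent drop on IP match with a different MAC), and the log-only interface mode. Port names, MAC/IP addresses, binding entries and log text are constructed for the scenario; the assumption that log-only mode records every ARP packet and forwards it without validation is this example's own, as the page does not specify what is logged.

```python
"""Added example: a model of the DAI checks described above (not vendor code)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpPacket:
    port: str          # ingress port
    vlan: int          # VLAN ID
    eth_src_mac: str   # Ethernet frame source MAC address
    sender_mac: str    # ARP header sender hardware address
    sender_ip: str     # ARP header sender protocol address


@dataclass(frozen=True)
class Binding:
    """One IP Source Guard binding entry (IP, MAC, VLAN)."""
    ip: str
    mac: str
    vlan: int


class DaiChecker:
    def __init__(self, port_bindings: Dict[str, List[Binding]],
                 global_bindings: List[Binding], port_dai: Set[str],
                 global_dai: bool, log_only_ports: Set[str]) -> None:
        self.port_bindings = port_bindings      # per-port IP Source Guard entries
        self.global_bindings = global_bindings  # global IP Source Guard entries
        self.port_dai = port_dai                # ports with port DAI enabled
        self.global_dai = global_dai            # global DAI on/off
        self.log_only_ports = log_only_ports    # interface ARP attack detection (log, no drop)
        self.log: List[str] = []

    def check(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop'; append to self.log only where a log entry is recorded."""
        if pkt.port in self.log_only_ports:
            # Assumption: log-only mode records the packet and forwards it without validation.
            self.log.append(f"ARP attack detection {pkt.port}: {pkt.sender_ip} "
                            f"{pkt.sender_mac} vlan {pkt.vlan}")
            return "forward"
        port_checked = pkt.port in self.port_dai
        if port_checked or self.global_dai:
            # Effectiveness check shared by port and global DAI: the frame source MAC
            # must equal the ARP sender MAC. Failure is a silent drop (no log).
            if pkt.eth_src_mac.lower() != pkt.sender_mac.lower():
                return "drop"
        if port_checked:
            # Port DAI: (sender IP, source MAC, VLAN) must match a binding on this port;
            # otherwise the packet is invalid, dropped and logged.
            if not any(b.ip == pkt.sender_ip and b.mac.lower() == pkt.eth_src_mac.lower()
                       and b.vlan == pkt.vlan for b in self.port_bindings.get(pkt.port, [])):
                self.log.append(f"DAI {pkt.port}: invalid ARP {pkt.sender_ip} "
                                f"{pkt.eth_src_mac} vlan {pkt.vlan} dropped")
                return "drop"
        if self.global_dai:
            # Global DAI: same IP as a global binding but a different MAC is forged;
            # dropped without a log entry. Unknown IPs are not affected.
            for b in self.global_bindings:
                if b.ip == pkt.sender_ip and b.mac.lower() != pkt.eth_src_mac.lower():
                    return "drop"
        return "forward"


def run_demo() -> Dict[str, tuple]:
    """Constructed scenario: returns {case name: (action, log lines written by that packet)}."""
    checker = DaiChecker(
        port_bindings={"gi0/1": [Binding("10.0.0.10", "00:11:22:33:44:55", 10)]},
        global_bindings=[Binding("10.0.0.20", "00:aa:bb:cc:dd:ee", 10)],
        port_dai={"gi0/1"}, global_dai=True, log_only_ports={"gi0/3"})
    cases = {
        "port_valid":      ArpPacket("gi0/1", 10, "00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.0.10"),
        "port_spoof":      ArpPacket("gi0/1", 10, "00:de:ad:be:ef:01", "00:de:ad:be:ef:01", "10.0.0.10"),
        "port_wrong_vlan": ArpPacket("gi0/1", 20, "00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.0.10"),
        "ineffective":     ArpPacket("gi0/1", 10, "00:11:22:33:44:55", "00:de:ad:be:ef:01", "10.0.0.10"),
        "global_forged":   ArpPacket("gi0/2", 10, "00:de:ad:be:ef:02", "00:de:ad:be:ef:02", "10.0.0.20"),
        "global_unknown":  ArpPacket("gi0/2", 10, "00:de:ad:be:ef:03", "00:de:ad:be:ef:03", "10.0.0.99"),
        "log_only":        ArpPacket("gi0/3", 10, "00:de:ad:be:ef:04", "00:de:ad:be:ef:04", "10.0.0.20"),
    }
    results = {}
    for name, pkt in cases.items():
        before = len(checker.log)
        action = checker.check(pkt)
        results[name] = (action, checker.log[before:])
    return results


if __name__ == "__main__":
    for name, (action, logs) in run_demo().items():
        print(f"{name:16s} {action:8s} {'; '.join(logs) or '(no log)'}")
```

Running the script prints one line per case. The distinction worth noting when tuning detection is that only the port DAI check produces a log entry; the effectiveness check and the global DAI check drop silently, so a switch with only global DAI enabled gives no log trail of forged packets, and port DAI (or log-only interface mode) is needed to see them.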