Context

To prevent MITM attacks and theft of authorized user information, run the arp anti-attack check user-bind enable command to enable DAI. When a device receives an ARP packet, it compares the source IP address, source MAC address, interface number, VLAN ID, or BD ID of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows it to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards it.

You can enable DAI in the interface view, BD view, or VLAN view. When DAI is enabled in the interface view, the device checks all ARP packets received on the interface against binding entries. When DAI is enabled in the VLAN view or BD view, the device checks ARP packets received on the interfaces that belong to the VLAN or BD against binding entries.

If you want the device to generate alarms to notify the network administrator of a large number of discarded ARP packets that do not match binding entries, enable the alarm function for ARP packets discarded by DAI. After the alarm function is enabled, the device generates an alarm when the number of discarded ARP packets exceeds a specified threshold.

When ARP learning triggered by DHCP is enabled on the gateway, DAI can also be enabled on the gateway.

This function is available only in DHCP snooping scenarios. A device enabled with DHCP snooping generates DHCP snooping binding entries when DHCP users go online. If a user uses a static IP address, you need to manually configure a static binding entry for the user. For details about the DHCP snooping configuration, see DHCP Snooping Configuration. For details on how to configure a static binding entry, see Configuring IPSG Based on a Static Binding Table.

Procedure

1. Run system-view
   The system view is displayed.

2. Run interface interface-type interface-number
   Or run vlan vlan-id
   Or run bridge-domain bd-id
   The interface view, BD view, or VLAN view is displayed.

3. Run arp anti-attack check user-bind enable
   DAI is enabled.
   When resources are sufficient, DAI can be enabled in a maximum of 10 VLANs.
   By default, DAI is disabled.

4. (Optional) In the interface view, run the arp anti-attack check user-bind check-item command; or in the VLAN or BD view, run arp anti-attack check user-bind check-item { ip-address | mac-address | interface } *
   Items for checking ARP packets based on binding entries are configured.
   By default, the check items consist of the IP address, MAC address, BD ID, VLAN ID, and interface number.
   To allow some special ARP packets that match only one or two items in binding entries to pass through, configure the device to check ARP packets against only the one or two specified items in binding entries.
   The IP addresses in binding entries can be IPv4 or IPv6 addresses. When the device compares IP addresses in ARP packets with binding entries, both IPv4 and IPv6 addresses are checked.
   Configured check items do not take effect on user hosts that are configured with static binding entries. ARP packets from these hosts are checked against all items in the static binding entries.
   When DAI is enabled both in a VLAN and on an interface that belongs to the VLAN, the device first checks the ARP packet against the check items configured on the interface. If the ARP packet passes that check, the device checks it again against the check items configured in the VLAN.
   When DAI is enabled both in a BD and on an interface that belongs to the BD, the device first checks the ARP packet against the check items configured in the BD. If the ARP packet passes that check, the device checks it again against the check items configured on the interface.

5. (Optional) Run arp anti-attack check user-bind alarm enable
   The alarm function for ARP packets discarded by DAI is enabled.
   By default, the alarm function for ARP packets discarded by DAI is disabled.
   This type of alarm is generated for the ARP packets discarded by DAI on interfaces. Do not run the arp anti-attack check user-bind enable command in a VLAN and the arp anti-attack check user-bind alarm enable command on an interface in this VLAN at the same time. Otherwise, the actual number of ARP packets discarded in the VLAN differs from the number of packets discarded on the interface.

6. (Optional) Run arp anti-attack check user-bind alarm threshold threshold
   The alarm threshold for ARP packets discarded by DAI is set.
   By default, the threshold on an interface is the same as the threshold set by the arp anti-attack check user-bind alarm threshold threshold command in the system view. If no alarm threshold is set in the system view, the default threshold on the interface is 100.
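The check sequence described above, modelled in Python as an added example (this is not code from the Huawei documentation or the device software). It shows binding-entry matching with a reduced set of check items on an interface, the full check repeated in the VLAN, static entries that always require every item, and the interface discard counter that drives the alarm. The binding table, the packets, the scope names (GE0/0/1, vlan10) and the threshold of 2 are constructed for the example; treating a static entry as "all items required" is this example's reading of the rule on the page.

```python
# Added example, not code from the Huawei documentation: a small model of the
# DAI check sequence this page describes. Binding entries, packets, scope names
# (GE0/0/1, vlan10) and the per-scope settings are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address
from typing import FrozenSet, List, Optional, Tuple

# Default check items: IP address, MAC address, BD ID, VLAN ID, interface number
ALL_ITEMS: FrozenSet[str] = frozenset(
    {"ip-address", "mac-address", "interface", "vlan-id", "bd-id"})


@dataclass(frozen=True)
class Binding:
    """A DHCP snooping (dynamic) or manually configured (static) binding entry."""
    ip: str
    mac: str
    interface: str
    vlan_id: Optional[int] = None
    bd_id: Optional[int] = None
    static: bool = False


@dataclass(frozen=True)
class ArpPacket:
    """The fields of a received ARP packet that DAI compares with binding entries."""
    src_ip: str
    src_mac: str
    interface: str
    vlan_id: Optional[int] = None
    bd_id: Optional[int] = None


@dataclass
class DaiScope:
    """DAI settings of one view in which DAI is enabled: an interface, a VLAN or a BD."""
    name: str
    kind: str                                 # "interface", "vlan" or "bd"
    check_items: FrozenSet[str] = ALL_ITEMS   # arp anti-attack check user-bind check-item
    alarm_enabled: bool = False               # arp anti-attack check user-bind alarm enable
    alarm_threshold: int = 100                # default when no threshold is set in the system view
    discarded: int = 0                        # packets this scope has discarded


def _item_matches(pkt: ArpPacket, b: Binding, item: str) -> bool:
    if item == "ip-address":
        # ip_address() parses IPv4 and IPv6 text, so "2001:DB8::1" and "2001:db8::1" compare equal
        return ip_address(pkt.src_ip) == ip_address(b.ip)
    if item == "mac-address":
        return pkt.src_mac.lower() == b.mac.lower()
    if item == "interface":
        return pkt.interface == b.interface
    if item == "vlan-id":
        return pkt.vlan_id == b.vlan_id
    return pkt.bd_id == b.bd_id


def entry_matches(pkt: ArpPacket, b: Binding, items: FrozenSet[str]) -> bool:
    # Static entries are compared on every item regardless of the configured
    # check items (this example's reading of the page's rule that check items
    # do not take effect on hosts with static binding entries).
    use = ALL_ITEMS if b.static else items
    return all(_item_matches(pkt, b, i) for i in use)


def packet_valid(pkt: ArpPacket, table: List[Binding], items: FrozenSet[str]) -> bool:
    """An ARP packet is valid when at least one binding entry matches it."""
    return any(entry_matches(pkt, b, items) for b in table)


def check_order(iface: DaiScope, parent: Optional[DaiScope]) -> List[DaiScope]:
    """Order of the two checks when DAI is enabled on an interface and in its VLAN or BD:
    VLAN: interface items first, then VLAN items; BD: BD items first, then interface items."""
    if parent is None:
        return [iface]
    return [iface, parent] if parent.kind == "vlan" else [parent, iface]


def inspect(pkt: ArpPacket, table: List[Binding], iface: DaiScope,
            parent: Optional[DaiScope] = None) -> Tuple[str, bool]:
    """Return (verdict, alarm_raised). The alarm counts only packets discarded
    on the interface, so a packet dropped by the VLAN check does not move the
    interface counter (the page notes that these two counts can differ)."""
    for scope in check_order(iface, parent):
        if not packet_valid(pkt, table, scope.check_items):
            scope.discarded += 1
            alarm = iface.alarm_enabled and iface.discarded > iface.alarm_threshold
            return "discard", alarm
    return "pass", False


def demo() -> Tuple[List[Tuple[str, bool]], int, int]:
    # Constructed binding table: two DHCP snooping entries and one static entry
    table = [
        Binding("10.1.1.10", "00:11:22:33:44:55", "GE0/0/1", vlan_id=10),
        Binding("10.1.1.20", "00:11:22:33:44:66", "GE0/0/2", vlan_id=10),
        Binding("10.1.1.200", "aa:bb:cc:dd:ee:ff", "GE0/0/3", vlan_id=10, static=True),
    ]
    # GE0/0/1 checks only IP and MAC and alarms after more than 2 discards; VLAN 10 checks all items
    ge1 = DaiScope("GE0/0/1", "interface", frozenset({"ip-address", "mac-address"}),
                   alarm_enabled=True, alarm_threshold=2)
    vlan10 = DaiScope("vlan10", "vlan")
    packets = [
        ArpPacket("10.1.1.10", "00:11:22:33:44:55", "GE0/0/1", 10),   # matches entry 1: pass
        ArpPacket("10.1.1.10", "00:11:22:33:44:99", "GE0/0/1", 10),   # wrong MAC: interface check drops it
        ArpPacket("10.1.1.20", "00:11:22:33:44:66", "GE0/0/1", 10),   # right IP/MAC, wrong port: VLAN check drops it
        ArpPacket("10.1.1.200", "aa:bb:cc:dd:ee:ff", "GE0/0/1", 10),  # static host on wrong port: all items required
        ArpPacket("10.1.1.99", "de:ad:be:ef:00:01", "GE0/0/1", 10),   # unknown host: third interface discard, alarm
    ]
    results = [inspect(p, table, ge1, vlan10) for p in packets]
    return results, ge1.discarded, vlan10.discarded


if __name__ == "__main__":
    for verdict in demo()[0]:
        print(verdict)
```

The third packet is the case worth noticing: the interface-level check with only ip-address and mac-address lets it through, and only the full VLAN-level check catches the port mismatch, which is why the page has the device run both checks in sequence. The last two packets show the alarm firing only once the interface counter exceeds the threshold, not when it reaches it.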