attacker can poison the ARP cache of a network device by sending an ARP response to
the device that directs all packets destined for a certain IP address to go to a different
MAC address instead.
To prevent MAC spoofing through gratuitous ARP and through other forms of ARP spoofing,
EX Series switches validate ARP packets using dynamic ARP inspection (DAI).
DAI on EX Series Switches
DAI examines ARP requests and responses on the LAN and validates each ARP packet. The
switch intercepts ARP packets arriving on an access port and checks the sender IP-MAC
pair against the bindings in the DHCP snooping database. If no IP-MAC entry in the
database corresponds to the information in the ARP packet, DAI drops the packet and the
local ARP cache is not updated with the information in that packet. DAI also drops ARP
packets when the IP address in the packet is invalid.
Juniper Networks Junos operating system (Junos OS) for EX Series switches applies DAI to
ARP packets received on access ports because these ports are untrusted by default. Trunk
ports are trusted by default, so ARP packets received on them bypass DAI; DAI therefore
protects only against ARP spoofing that originates on untrusted ports.
You configure DAI for each VLAN, not for each interface (port). By default, DAI is disabled
for all VLANs. You can set an interface to be trusted for ARP packets by configuring
dhcp-trusted on that interface; ARP packets from a trusted interface are not inspected.
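The per-VLAN enablement and the trusted-port setting described above, shown as an added configuration example that is not part of the original page. It uses the ethernet-switching-options secure-access-port hierarchy of this Junos OS release; the VLAN name employee-vlan, the access interfaces ge-0/0/1 through ge-0/0/3, the uplink ge-0/0/8 toward the DHCP server, and the downlink trunk ge-0/0/9 toward a second switch are assumed for illustration. DHCP snooping (examine-dhcp) is enabled explicitly on the VLAN, since DAI validates against the snooping database, and the trunk toward the second switch is made untrusted with no-dhcp-trusted so that hosts behind it do not bypass inspection.

```junos
# Added example (not from the original page). Assumed names: VLAN employee-vlan,
# access ports ge-0/0/1..ge-0/0/3, DHCP-server uplink ge-0/0/8, downlink trunk ge-0/0/9.

# VLAN definition and port membership (assumed topology)
set vlans employee-vlan vlan-id 100
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members employee-vlan
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members employee-vlan
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members employee-vlan
set interfaces ge-0/0/8 unit 0 family ethernet-switching vlan members employee-vlan
set interfaces ge-0/0/9 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/9 unit 0 family ethernet-switching vlan members employee-vlan

# Build the DHCP snooping database for the VLAN; DAI validates ARP against it
set ethernet-switching-options secure-access-port vlan employee-vlan examine-dhcp

# Enable DAI on the VLAN (DAI is configured per VLAN, not per interface).
# ARP packets from untrusted ports with no matching IP-MAC binding are dropped.
set ethernet-switching-options secure-access-port vlan employee-vlan arp-inspection

# The uplink to the DHCP server must be trusted: server replies are accepted
# there and populate the snooping database; ARP on this port bypasses DAI.
set ethernet-switching-options secure-access-port interface ge-0/0/8 dhcp-trusted

# Trunk ports are trusted by default. This trunk carries end-host traffic from a
# second switch, so trust is removed and its ARP packets are inspected.
set ethernet-switching-options secure-access-port interface ge-0/0/9 no-dhcp-trusted

commit

# Verification (operational mode): bindings DAI will check against, and
# per-VLAN counts of ARP packets passed and dropped by DAI.
run show dhcp snooping binding
run show arp inspection statistics
```

Access ports ge-0/0/1 through ge-0/0/3 are left at their untrusted default, so their ARP packets are inspected without any per-interface statement. If the DHCP server is reached through a trunk rather than a dedicated access port, that trunk keeps its default trust and needs no dhcp-trusted statement.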
When the switch itself needs to resolve the address of a network device connected to it,
it broadcasts the ARP request on the VLAN. The ARP responses to those requests are
also subjected to the DAI check.
For DAI, all ARP packets on a DAI-enabled VLAN are trapped to the Routing Engine for
validation. To prevent CPU overloading, ARP packets destined for the Routing Engine are
rate-limited.
If the DHCP server goes down and the lease for an IP-MAC binding expires, the binding no
longer matches in the DHCP snooping database, so ARP packets from that host, which
previously passed DAI, are dropped until the host obtains a new lease.
Related Documentation
• Port Security for EX Series Switches Overview on page 2825
• Understanding DHCP Snooping for Port Security on EX Series Switches on page 2829
• Example: Configuring Port Security, with DHCP Snooping, DAI, MAC Limiting, and MAC Move Limiting, on an EX Series Switch on page 2849
• Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch on page 2873
• Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks on page 2866
• Enabling Dynamic ARP Inspection (CLI Procedure) on page 2913
• Enabling Dynamic ARP Inspection (J-Web Procedure) on page 2914
2837
Copyright © 2010, Juniper Networks, Inc.
Chapter 93: Port Security Overview
Summary of Contents for JUNOS OS 10.3 - SOFTWARE