Related Documentation
- EX Series
- Enabling Dynamic ARP Inspection (J-Web Procedure)
- Example: Configuring Basic Port Security Features
- Example: Configuring DHCP Snooping, DAI , and MAC Limiting on a Switch with Access to a DHCP Server Through a Second Switch
- Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks
- Example: Using CoS Forwarding Classes to Prioritize Snooped Packets in Heavy Network Traffic
- Verifying That DAI Is Working Correctly
- Monitoring Port Security
- Understanding DAI for Port Security
- secure-access-port
- QFX Series
- Example: Configuring Basic Port Security Features
- Example: Configuring DHCP Snooping, DAI , and MAC Limiting on a Switch with Access to a DHCP Server Through a Second Switch
- Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks
- Verifying That DAI Is Working Correctly
- Monitoring Port Security
- Understanding DAI for Port Security
- class-of-service
- secure-access-port
- SRX Series
- secure-access-port
- Additional Information
- secure-access-port
Enabling Dynamic ARP Inspection (CLI Procedure)
Dynamic ARP inspection (DAI) protects switches against ARP spoofing. DAI inspects ARP packets on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP cache poisoning.
This topic describes:
Enabling DAI
You configure DAI for each VLAN, not for each interface (port). By default, DAI is disabled for all VLANs.
To enable DAI on a VLAN or all VLANs:
- On a single VLAN:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan vlan-name arp-inspection - On all VLANs:
[edit ethernet-switching-options secure-access-port]
user@switch# set vlan all arp-inspection
Applying CoS Forwarding Classes to Prioritize Inspected Packets
You might need to use class of service (CoS) to protect packets from critical applications from being dropped during periods of network congestion and delay and you might also need the port security features of DHCP snooping on the same ports through which those critical packets are entering and leaving.
To apply CoS forwarding classes and queues to DAI packets:
- Create a user-defined forwarding class to be used for
prioritizing DAI packets:
[edit class-of-service]
user@switch# set forwarding-classes class class-name queue queue-number - Enable DAI on a specific VLAN or on all VLANs and apply
the desired forwarding class on the DAI packets:
- On a specific VLAN:
[edit ethernet-switching-options secure-access port]
user@switch# set vlan vlan-name arp-inspection forwarding-class class-name - On all VLANs:
[edit ethernet-switching-options secure-access port]
user@switch# set vlan all arp-inspection forwarding-class class-name
- On a specific VLAN:
Related Documentation
- EX Series
- Enabling Dynamic ARP Inspection (J-Web Procedure)
- Example: Configuring Basic Port Security Features
- Example: Configuring DHCP Snooping, DAI , and MAC Limiting on a Switch with Access to a DHCP Server Through a Second Switch
- Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks
- Example: Using CoS Forwarding Classes to Prioritize Snooped Packets in Heavy Network Traffic
- Verifying That DAI Is Working Correctly
- Monitoring Port Security
- Understanding DAI for Port Security
- secure-access-port
- QFX Series
- Example: Configuring Basic Port Security Features
- Example: Configuring DHCP Snooping, DAI , and MAC Limiting on a Switch with Access to a DHCP Server Through a Second Switch
- Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks
- Verifying That DAI Is Working Correctly
- Monitoring Port Security
- Understanding DAI for Port Security
- class-of-service
- secure-access-port
- SRX Series
- secure-access-port
- Additional Information
- secure-access-port
