NETGEAR S3300-28X (GS728TX) 24x1GE - Инструкция по эксплуатации - Страница 126

Configure System Information 

126

S3300 Smart Managed Pro Switch 

Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP 
packets. DAI prevents a class of man-in-the-middle attacks where an unfriendly station 
intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting 
neighbors. The malicious attacker sends ARP requests or responses mapping another 
station’s IP address to its own MAC address.

When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender 
IP address do not match an entry in the DHCP snooping bindings database. You can 
optionally configure additional ARP packet validation.

When DAI is enabled on a VLAN, DAI is enabled on the interfaces (physical ports or LAGs) 
that are members of that VLAN. Individual interfaces are configured as trusted or untrusted. 
The trust configuration for DAI is independent of the trust configuration for DHCP snooping. 

Configure DAI on a VLAN and an Interface

In this example, DAI is enabled on VLAN 100. Ports 1-10 connect end users to the network 
and are members of VLAN 100. These ports are configured to limit the maximum number of 
ARP packets with a rate limit of 10 packets per second. LAG 1, which is also a member of 
VLAN 100 and contains ports 11-14, is the trunk port that connects the switch to the data 
center, so it is configured as a trusted port.

This example assumes VLAN 100 and LAG 1 have already been configured.



To configure DAI on a VLAN and an Interface:

1. 

Enable DAI on VLAN 1.

a.

Select 

System



>

 Services 

>

 Dynamic ARP Inspection 

>

 DAI VLAN Configuration.

b. 

Next to VLAN 1, select the check box

c. 

From the Admin Mode list, select 

Enable

.

Figure 72.  DAI VLAN Configuration

d. 

Click the 

Apply

 button.

2. 

Configure LAG 1, which includes ports 11-14, as a trusted port. All other interfaces are 
untrusted by default.