S1720GFR, S2700, S5700, and S6720 V200R010C00 Web-based Configuration Guide

This document describes how to configure and maintain the device through the web network management system. The web network management system provides functions for viewing device information and managing the entire system, interfaces, services, ACL, QoS, routes, security, and tools.

DAI

Dynamic ARP inspection (DAI) prevents man-in-the-middle (MITM) attacks and theft of authorized users' information.

Context

Configuring DAI on an access device can prevent MITM attacks and theft of authorized users' information. After DAI is configured, the device compares the source IP address, source MAC address, VLAN ID, and interface number in the received ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet does not match a binding entry, the device considers the ARP packet invalid and discards the packet.

You can enable DAI in the interface view or the VLAN view. When DAI is enabled in an interface view, the device checks all ARP packets received on the interface against binding entries. When DAI is enabled in the VLAN view, the device checks the ARP packets received on all interfaces belonging to the VLAN against binding entries.

This function is available only for DHCP snooping scenarios. A device with DHCP snooping enabled generates DHCP snooping binding entries when DHCP users go online. If a user uses a static IP address, you need to manually configure a static binding entry for the user.
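
The check described above, modeled in Python as an added example; it is not Huawei code and not part of the original guide. It parses the source MAC and IP out of an ARP payload and looks up the (IP, MAC, VLAN, interface) tuple in a binding table, applying the check only where DAI is enabled for the VLAN or the interface. The addresses, interface names, function names, and the handling of unparseable packets are assumptions made for the example.

```python
import socket
import struct
from typing import NamedTuple

class Binding(NamedTuple):
    """One binding entry: the four fields the device compares."""
    ip: str
    mac: str
    vlan: int
    interface: str

def build_arp(sender_mac, sender_ip, target_ip, oper=2):
    """Construct a 28-byte Ethernet/IPv4 ARP payload (sample input only)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha
            + socket.inet_aton(sender_ip) + bytes(6) + socket.inet_aton(target_ip))

def parse_sender(payload):
    """Return (source MAC, source IP) carried inside the ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return payload[8:14].hex(":"), socket.inet_ntoa(payload[14:18])

def dai_verdict(payload, vlan, interface, bindings, dai_vlans=(), dai_interfaces=()):
    """Return 'forward' or 'discard' for an ARP packet received on (vlan, interface)."""
    if vlan not in dai_vlans and interface not in dai_interfaces:
        return "forward"  # DAI not enabled for this VLAN or interface: no check
    try:
        mac, ip = parse_sender(payload)
    except ValueError:
        return "discard"  # assumption of this model: unparseable ARP is dropped
    return "forward" if Binding(ip, mac, vlan, interface) in bindings else "discard"

# Constructed binding table: one DHCP snooping entry, one static entry.
BINDINGS = {
    Binding("192.0.2.10", "00:11:22:33:44:55", 10, "GE0/0/1"),  # learned via DHCP snooping
    Binding("192.0.2.20", "00:11:22:33:44:66", 10, "GE0/0/2"),  # static IP, entered manually
}
VALID = build_arp("00:11:22:33:44:55", "192.0.2.10", "192.0.2.1")
# Constructed invalid packet: host on GE0/0/2 claims 192.0.2.1 with its own MAC.
SPOOFED = build_arp("00:11:22:33:44:66", "192.0.2.1", "192.0.2.10")

if __name__ == "__main__":
    print(dai_verdict(VALID, 10, "GE0/0/1", BINDINGS, dai_vlans={10}))
    print(dai_verdict(SPOOFED, 10, "GE0/0/2", BINDINGS, dai_vlans={10}))
```

Because all four fields must match, a packet with a valid IP and MAC pair is still discarded when it arrives on an interface or VLAN other than the one recorded in the binding entry.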

VLAN Config

After DAI is enabled in the VLAN view, the switch checks the ARP packets received by the interfaces in this VLAN and carrying the same VLAN ID against the binding table.

Context

Configuring DAI on an access device can prevent MITM attacks and theft of authorized users' information. After DAI is configured, the device compares the source IP address, source MAC address, VLAN ID, and interface number in the received ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet does not match a binding entry, the device considers the ARP packet invalid and discards the packet.

When DAI is enabled in the VLAN view, the device checks the ARP packets received on all interfaces belonging to the VLAN against binding entries.

This function is available only for DHCP snooping scenarios.

Procedure

  • Configure VLAN-based DAI.
    1. Choose Security > DAI > VLAN Config in the navigation tree to open the VLAN Config page, as shown in Figure 2-219.

      Figure 2-219  VLAN Config

    2. Select a VLAN and click Configure to open the VLAN DAI Config page, as shown in Figure 2-220.

      Figure 2-220  VLAN DAI Config

    3. Select Enabled for DAI status and click OK.
  • Query VLAN-based DAI.
    1. Choose Security > DAI > VLAN Config in the navigation tree to open the VLAN Config page.
    2. In the Query area, enter the VLAN ID and click Query.

Interface Config

After DAI is enabled in the interface view, the switch checks the ARP packets received by this interface against the binding table.

Context

Configuring DAI on an access device can prevent MITM attacks and theft of authorized users' information. After DAI is configured, the device compares the source IP address, source MAC address, VLAN ID, and interface number in the received ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet does not match a binding entry, the device considers the ARP packet invalid and discards the packet.

When DAI is enabled in an interface view, the device checks all ARP packets received on the interface against binding entries.

This function is available only for DHCP snooping scenarios.

Procedure

  • Configure interface-based DAI.
    1. Choose Security > DAI > Interface Config in the navigation tree to open the Interface Config page, as shown in Figure 2-221.

      Figure 2-221  Interface Config

    2. Select an interface and click Configure to open the Interface DAI Config page, as shown in Figure 2-222.

      Figure 2-222  Interface DAI Config

      Table 2-129 describes the parameters on the page.

      Table 2-129  Interface DAI Config

      | Parameter | Description |
      |---|---|
      | Interface name | Indicates the interface where the DAI function will be configured. |
      | Trust status | Indicates the trust status on the interface. The interface directly or indirectly connected to the DHCP server trusted by the administrator is set as a trusted interface, and other interfaces are set as untrusted interfaces. |
      | DAI status | Configures the DAI function. |
      | Rate limiting | Enables ARP packet rate limiting. |
      | Rate limit | Sets the upper rate limit of ARP packets, in pps. This parameter can be set only after the rate limiting function is enabled for ARP packets. |

    3. Set the required parameters.
    4. Click OK to complete the configuration.
  • Query interface-based DAI.
    1. Choose Security > DAI > Interface Config in the navigation tree to open the Interface Config page.
    2. In the Query area, select an interface type, enter the interface number, and click Query.
Updated: 2019-08-21

Document ID: EDOC1000114003
