Netgear GS724Tv4 Software Administration Manual - Page 75
GS716Tv3, GS724Tv4, and GS748Tv5 Smart Switches

Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The malicious attacker sends ARP requests or responses mapping another station's IP address to its own MAC address.

When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP address do not match an entry in the DHCP snooping bindings database. You can optionally configure additional ARP packet validation.

When DAI is enabled on a VLAN, DAI is enabled on the interfaces (physical ports or LAGs) that are members of that VLAN. Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is independent of the trust configuration for DHCP snooping.

Configure DAI on a VLAN and an Interface

In this example, DAI is enabled on VLAN 100. Ports 1-10 connect end users to the network and are members of VLAN 100. These ports are configured to limit the maximum number of ARP packets with a rate limit of 10 packets per second. LAG 1, which is also a member of VLAN 100 and contains ports 11-14, is the trunk port that connects the switch to the data center, so it is configured as a trusted port. This example assumes VLAN 100 and LAG 1 have already been configured.

To configure DAI on a VLAN and an Interface:

1. Enable DAI on VLAN 100.
   a. Select System > Services > Dynamic ARP Inspection > DAI VLAN Configuration.
   b. Next to VLAN 100, select the check box.
   c. From the Dynamic ARP Inspection list, select Enable.
   d. Click the Apply button.

Configure System Information 75
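The inspection decision described under Dynamic ARP Inspection above can be modelled in a few lines. This is an added example, not Netgear code or part of the manual: it parses the sender fields of an ARP payload and applies the binding check, the trusted-port exemption, and the 10 packets-per-second limit from the example. Assumptions: the port names (g1, lag1), the addresses, and the function and class names are constructed; bindings are matched on the (MAC, IP) pair only; and exceeding the rate limit is modelled as dropping the excess within a one-second window, which this page does not specify.

```python
import struct
from ipaddress import IPv4Address

# Constructed state modelled on the manual's example (names and addresses are made up).
BINDINGS = {("00:11:22:33:44:55", "192.168.100.10")}  # (MAC, IP) pairs from DHCP snooping
TRUSTED_PORTS = {"lag1"}   # trunk to the data center
RATE_LIMIT_PPS = 10        # ARP rate limit on the user-facing ports

def build_arp(oper, sha, spa, tha="00:00:00:00:00:00", tpa="0.0.0.0"):
    """Build a 28-byte Ethernet/IPv4 ARP payload (used only to make sample input)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha)
            + IPv4Address(spa).packed + mac(tha) + IPv4Address(tpa).packed)

def parse_sender(payload):
    """Return (sender MAC, sender IP) from an ARP payload, or raise ValueError."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha = ":".join(f"{b:02x}" for b in payload[8:14])
    return sha, str(IPv4Address(payload[14:18]))

class ArpInspector:
    def __init__(self):
        self.counts = {}  # (port, whole second) -> ARP packets seen

    def inspect(self, port, payload, now):
        """Return 'forward' or a 'drop:<reason>' verdict for one ARP packet."""
        if port in TRUSTED_PORTS:
            return "forward"                      # trusted ports are not inspected
        key = (port, int(now))
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.counts[key] > RATE_LIMIT_PPS:
            return "drop:rate-limit"              # simplification: drop the excess
        try:
            sender = parse_sender(payload)
        except ValueError:
            return "drop:malformed"
        return "forward" if sender in BINDINGS else "drop:no-binding"
```

Because a trusted port forwards ARP without the binding check, the model shows why only links such as the LAG 1 trunk should be marked trusted.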