Function introduction: DHCP Snooping +DAI anti-ARP spoofing scheme: When users obtain IP addresses dynamically, the correct IP and MAC information obtained by DHCP is recorded in the DHCP Snooping software table of the switch through DHCP Snooping on the access layer switch. Then the DAI function (CPU only) is used to verify all ARP packets entering the switch. The Sender IP and Sender MAC fields in the ARP packets are compared with IP+MAC records in the DHCP Snooping table. If they are consistent, the packets are discarded. In this case, if a legitimate user attempts to implement ARP spoofing after obtaining an IP address, or an unauthorized user configures a static IP address, their ARP verification fails and the user cannot use the network. 1.Networking requirements User gateway On the core switch, a DHCP Server is created on the core switch, and the PCS connected to the access switch uses dynamic DHCP to obtain IP addresses. To prevent ARP spoofing between connected users and spoofing the gateway, DHCP Snooping +DAI is used to resolve ARP spoofing. 3. Configuration Points
Core switch configuration: 1. Enable the DHCP service on the core device Ruijie>enable Ruijie#configure terminal Ruijie(config)#service dhcp 2. Create the IP address of the core device, thatis, the gateway address of the user Ruijie(config)#interface vlan 1 Ruijie(config-if-VLAN 1)#ip address 192.168.1.254255.255.255.0 Ruijie(config-if-VLAN 1)#exit 3. Create a DHCP address pool for the core device Ruijie(config)#ip dhcp pool vlan1 Ruijie(dhcp-config)#network 192.168.1.0255.255.255.0 Ruijie(dhcp-config)#dns-server 8.8.8.8------>Set the DNS address to be assigned to the client Ruijie(dhpw-config)#default-router 192.168.1.254------> Set the gateway address assigned to the user, which must be consistentwith the IP address set on the core device, which is 192.168.1.254 Ruijie(dhcp-config)#end Ruijie#wr Accesss witch configuration: 1. Enable dhcp snooping on the access switch Ruijie>enable Ruijie#configure terminal Ruijie(config)#ip DHCP snooping ------> Enable DHCP snooping 2. Set the interface connecting to the DHCP server to a trusted interface Ruijie(config)#interface gigabitEthernet 0/49 Ruijie(config-GigabitEthernet 0/49)#ip DHCP snooping trust ------> All interfaces on the switch with DHCP snooping enabled default to the untrust interface. The switch forwards only the DHCP response packets (offer and ACK) received from the trust port. 3. Enable DAI function globally Ruijie(config)#Ruijie(config)#ip arp inspection vlan1 ------> Enable DAI detection on vlan1. If DAI is enabled on both cascading devices, The lower connector of the upper connected device should also be matched into a trust port) 4. The upper connection port is set as a trust port without DAI detection Ruijie(config)#int gigabitEthernet 0/25 Ruijie(config-if-GigabitEthernet 0/25)#ip arpinspection trust ------> Set the trust function. The packets sent to the CPUare not detected, but are still sent to the CPU 5. Enable the IP Source Guard function on the interface connecting to the user Ruijie(config)#interface range gigabitEthernet0/0/2 ------> Enter the configuration mode of the one-port and two-port interfaces at the same time Ruijie(config-if-range)#ip verify source port-security ------> Enable the source IP+MAC packet detection function. Write the Snooping table generated by DHCP Snooping to the address binding database. Correctly configure ip verfiy soure port-security and do not use ip verify source (binding only IP addresses). Some products have limitations. An exception may occur when only IP addresses are bound. 6. Save the configuration Ruijie(config-if-GigabitEthernet 0/25)#end Ruijie#write ------> Confirm that theconfiguration is correct and save the configuration DAI required optimization function After DAI is enabled, all ARP packets received by the interface are sent to the CPU for processing. In this case, optimize the following functions: 1. Tailor vlans on the upper interface of the switch or the core switch (trunk tailoring. For example, only vlan1 and vlan9 are allowed to pass through, and other vlans are not allowed to pass through Ruijie(config-if-GigabitEthernet 0/25)#switchport trunk allowed vlan remove 2-8,10-4094), cut unnecessary vlans, prevent ARP packets from flooding all switches, increasing the burden on switches. 2. The volume of packets sent by the gateway to users from the upper interface may be large, exceeding the default rate limitof the NFPP. As a result, some users may lose ARP. The overall default NFPP function remains enabled, which provides some protection for the CPU. Ruijie(config)#int g0/25 Ruijie(config-if-GigabitEthernet 0/25)#no nfpp arp-guard enable ------> disable the ARP-guard function on the interface. After this function is disabled, NFPP detection is not performed on incoming data packets on the interface Ruijie(config-if-GigabitEthernet 0/25)#no nfpp dhcp-guard enable ------> disable the dhcp-guard function on the interface. After this function is disabled, NFPP detection is not performed on incoming data packets on the interface Ruijie(config-if-GigabitEthernet 0/25)#no nfpp dhcpv6-guard enable ------> disable the dhcpv6-guard function on theinterface. After this function is disabled, NFPP detection is not performed on incoming data packets on the interface Ruijie(config-if-GigabitEthernet 0/25)#no nfpp icmp-guard enable ------> disable the icmp-guard function on the interface. After this function is disabled, NFPP detection is not applied to incoming data packets on the interface Ruijie(config-if-GigabitEthernet 0/25)#no nfpp ip-guard enable ------> disable the ip-guard function on the interface. After this function is disabled, NFPP detection is not performed on incoming data packets on the interface Ruijie(config-if-GigabitEthernet 0/25)#no nfpp nd-guard enable ------> disable the nd-guard function on the interface. After this function is disabled, NFPP detection is not performed on incoming data packets on the interface Ruijie(config-if-GigabitEthernet 0/25)#exit Ruijie(config)# 3. In addition, the CPP value of the access switchis relatively small by default, only 180PPS. If DAI is enabled, all ARP packetsare sent to the CPU for processing and the number of connected users easily exceeds the threshold set by the CPP. Therefore, adjustments need to be made,and it is usually recommended to adjust to about 500PPS, and no adjustment is required for non-DAI schemes. CPP adjustment method: Ruijie(config)#cpu-protect type arp pps 500 Note: If the CPP value is too large, the CPU may be too high. You can reduce the rate limit appropriately. Therefore, in the anti-ARP spoofing model deployed on the network, choose other anti-ARP spoofing schemes unless necessary. 5.Verification function 1. Check whether the DAI function is enabled 2.View the DHCP Snooping table |
This site contains user submitted content, comments and opinions and is for informational purposes only. Ruijie may provide or recommend responses as a possible solution based on the information provided; every potential issue may involve several factors not detailed in the conversations captured in an electronic forum and Ruijie can therefore provide no guarantee as to the efficacy of any proposed solutions on the community forums. Ruijie disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Ruijie Community Terms of Use.
More ways to get help: Visit Support Videos, call us via Service Hotline, Facebook or Live Chat.
©2000-2023 Ruijie Networks Co,Ltd