How to configure DHCP snooping + DAI on S2915 switch?

Function introduction:

DHCP Snooping +DAI anti-ARP spoofing scheme: When users obtain IP addresses dynamically, the correct IP and MAC information obtained by DHCP is recorded in the DHCP Snooping software table of the switch through DHCP Snooping on the access layer switch. Then the DAI function (CPU only) is used to verify all ARP packets entering the switch. The Sender IP and Sender MAC fields in the ARP packets are compared with IP+MAC records in the DHCP Snooping table. If they are consistent, the packets are discarded. In this case, if a legitimate user attempts to implement ARP spoofing after obtaining an IP address, or an unauthorized user configures a static IP address, their ARP verification fails and the user cannot use the network.
1.Networking requirements

User gateway On the core switch, a DHCP Server is created on the core switch, and the PCS connected to the access switch uses dynamic DHCP to obtain IP addresses. To prevent ARP spoofing between connected users and spoofing the gateway, DHCP Snooping +DAI is used to resolve ARP spoofing.



3. Configuration Points

• Enable the DHCP Server function on the core switch (clients may also use dedicated DHCP servers, and the core switch only needs to enable DHCP Relay);
• Enable DHCP snooping globally on the access switch and enable the DHCP Snooping trustinterface on the core port connected to the access switch;
• Enable the DAI detection function globally, and enable the DAI Trust function at the upper interface;
• Enable the IP Source Guard function on the interface connecting to the user;
• Adjust the CPP limit and NFPP function, TRUNK reduction optimization;
  

4.Configuration steps

Core switch configuration:

1. Enable the DHCP service on the core device

Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#service dhcp

2. Create the IP address of the core device, thatis, the gateway address of the user

Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.1.254255.255.255.0
Ruijie(config-if-VLAN 1)#exit

3. Create a DHCP address pool for the core device

Ruijie(config)#ip dhcp pool vlan1
Ruijie(dhcp-config)#network 192.168.1.0255.255.255.0
Ruijie(dhcp-config)#dns-server 8.8.8.8------>Set the DNS address to be assigned to the client
Ruijie(dhpw-config)#default-router 192.168.1.254------> Set the gateway address assigned to the user, which must be consistentwith the IP address set on the core device, which is 192.168.1.254
Ruijie(dhcp-config)#end
Ruijie#wr

Accesss witch configuration:

1. Enable dhcp snooping on the access switch

Ruijie>enable
Ruijie#configure terminal
Ruijie(config)#ip DHCP snooping ------> Enable DHCP snooping

2. Set the interface connecting to the DHCP server to a trusted interface

Ruijie(config)#interface gigabitEthernet 0/49
Ruijie(config-GigabitEthernet 0/49)#ip DHCP snooping trust ------> All interfaces on the switch with DHCP snooping   enabled default to the untrust interface. The switch forwards only the DHCP response packets (offer and ACK) received from the trust port.

3. Enable DAI function globally

Ruijie(config)#Ruijie(config)#ip arp inspection vlan1 ------> Enable DAI detection on vlan1. If DAI is enabled on both cascading devices, The lower connector of the upper connected device should also be matched into a trust port)

4. The upper connection port is set as a trust port without DAI detection

Ruijie(config)#int gigabitEthernet 0/25

Ruijie(config-if-GigabitEthernet 0/25)#ip arpinspection trust ------> Set the trust function. The packets sent to the CPUare not detected, but are still sent to the CPU

5. Enable the IP Source Guard function on the interface connecting to the user

Ruijie(config)#interface range gigabitEthernet0/0/2 ------> Enter the configuration mode of the one-port and two-port interfaces at the same time

Ruijie(config-if-range)#ip verify source port-security ------> Enable the source IP+MAC packet detection function. Write the Snooping table generated by DHCP Snooping to the address binding database. Correctly configure ip verfiy soure port-security and do not use ip verify source (binding only IP addresses). Some products have limitations. An exception may occur when only IP addresses are bound.

6. Save the configuration

Ruijie(config-if-GigabitEthernet 0/25)#end

Ruijie#write ------> Confirm that theconfiguration is correct and save the configuration

DAI required optimization function

After DAI is enabled, all ARP packets received by the interface are sent to the CPU for processing. In this case, optimize the following functions:
1. Tailor vlans on the upper interface of the switch or the core switch
(trunk tailoring. For example, only vlan1 and vlan9 are allowed to pass through, and other vlans are not allowed to pass through

Ruijie(config-if-GigabitEthernet 0/25)#switchport trunk allowed vlan remove 2-8,10-4094), cut unnecessary vlans, prevent ARP packets from flooding all switches, increasing the burden on switches.

2. The volume of packets sent by the gateway to users from the upper interface may be large, exceeding the default rate limitof the NFPP. As a result, some users may lose ARP.
The overall default NFPP function remains enabled, which provides some protection for the CPU.

Ruijie(config)#int g0/25
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp arp-guard enable
------> disable the ARP-guard function on the interface. After this function is disabled, NFPP detection is not performed on incoming data packets on the interface
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp dhcp-guard enable
------> disable the dhcp-guard function on the interface. After this function is disabled, NFPP detection is not performed on incoming data packets on the interface
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp dhcpv6-guard enable
------> disable the dhcpv6-guard function on theinterface. After this function is disabled, NFPP detection is not performed on incoming data packets on the interface
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp icmp-guard enable
------> disable the icmp-guard function on the interface. After this function is disabled, NFPP detection is not applied to incoming data packets on the interface
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp ip-guard  enable
------> disable the ip-guard function on the interface. After this function is disabled, NFPP detection is not performed on incoming data packets on the interface
Ruijie(config-if-GigabitEthernet 0/25)#no nfpp nd-guard  enable
------> disable the nd-guard function on the interface. After this function is disabled, NFPP detection is not performed on incoming data packets on the interface
Ruijie(config-if-GigabitEthernet 0/25)#exit
Ruijie(config)#

3. In addition, the CPP value of the access switchis relatively small by default, only 180PPS. If DAI is enabled, all ARP packetsare sent to the CPU for processing and the number of connected users easily exceeds the threshold set by the CPP. Therefore, adjustments need to be made,and it is usually recommended to adjust to about 500PPS, and no adjustment is required for non-DAI schemes.
CPP adjustment method:
Ruijie(config)#cpu-protect type arp pps 500
Note: If the CPP value is too large, the CPU may be too high. You can reduce the rate limit appropriately. Therefore, in the anti-ARP spoofing model deployed on the network, choose other anti-ARP spoofing schemes unless necessary.

5.Verification function
1. Check whether the DAI function is enabled

2.View the DHCP Snooping table