2 ip verify binding, 20 dynamic arp inspection (dai) command, Dynamic arp inspection (dai) command – Fortinet 548B User Manual
Page 353
- 353 -
7.19.2.2 ip verify binding
This command configures static IP source guard (IPSG) entries.
Syntax
ip verify binding
no ip verify binding
no - This command removes the IPSG static entry from the IPSG database.
Default Setting
None
Command Mode
Global Config
7.20
Dynamic ARP Inspection (DAI) Command
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI
prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other
stations by poisoning the ARP caches of its unsuspecting neighbors. The miscreant sends ARP
requests or responses mapping another station's IP address to its own MAC address.
To prevent ARP poisoning attacks, a switch must ensure that only valid ARP requests and responses
are relayed. DAI prevents these attacks by intercepting all ARP requests and responses. Each of these
intercepted packets is verified for valid MAC address to IP address bindings before the local ARP cache
is updated or the packet is forwarded to the appropriate destination. Invalid ARP packets are dropped.
DAI determines the validity of an ARP packet based on valid MAC address to IP address bindings stored
in a trusted database. This database is built at runtime by DHCP snooping, provided this feature is
enabled on VLANs and on the switch. DAI relies on DHCP snooping. DHCP snooping listens to DHCP
message exchanges and builds a binding database of valid {MAC address, IP address, VLAN, and
interface} tuples. In addition, in order to handle hosts that use statically configured IP addresses, DAI
can also validate ARP packets against user-configured ARP ACLs.
When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP
address do not match an entry in the DHCP snooping bindings database. You can optionally configure
additional ARP packet validation.