Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

What is Dynamic Arp Inspection (DAI) and how to configure it on EX switches



Article ID: KB10960 KB Last Updated: 23 Apr 2014Version: 7.0

Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial of service (DoS) on network devices. Dynamic ARP inspection (DAI) feature in EX switches prevents ARP spoofing attacks. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. The information below describes the DAI feature and the CLI commands that enable this feature.

How do I configure DAI on the EX switch?


DAI feature in EX series switches examines ARP requests and responses on the LAN and validates ARP packets. The switch intercepts ARP packets from an access port and validates them against the DHCP snooping database. If no IP-MAC entry in the database corresponds to the information in the ARP packet, DAI drops the ARP packet and the local ARP cache is not updated with the information in that packet. DAI also drops ARP packets when the IP address in the packet is invalid. JUNOS for EX-series software uses DAI for ARP packets received on access ports, because these ports are, by default, untrusted . By default, Trunk ports are trusted , so ARP packets bypass DAI on them.

You can configure DAI for each VLAN, not for each interface (port). By default, DAI is disabled for all VLANs. You can set an interface to be trusted for ARP packets by setting dhcp-trusted on that port.  For packets directed to the switch to which a network device is connected, ARP queries are broadcast on the VLAN.  The ARP responses to those queries are subjected to the DAI check.  For DAI, all ARP packets are trapped to the Routing Engine.  To prevent CPU overloading, ARP packets destined for the Routing Engine are rate-limited.  If the DHCP server goes down and the lease time for an IP-MAC entry for a previously valid ARP packet runs out, that packet is blocked

To set an interface as trusted for ARP packets:
[edit ethernet-switching-options]
user@switch# show
secure-access-port {
    interface ge-0/0/20.0 {

All ARP queries directed to the switch are broadcast out all ports assigned to the associated VLAN. ARP responses to those queries are subjected to the DAI check. ARP packets are sent to and reviewed by the Routing Engine. To prevent CPU overloading, ARP packets destined for the Routing Engine are rate-limited.

To configure DAI on a VLAN:
[edit ethernet-switching-options]
user@switch# show 
    vlan <vlan-name> {

For more information about DHCP Snooping database, refer to KB10961 - What is DHCP snooping database and when is it being used in EX-series Ethernet Switches.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search