一.概述

1.DAI作用

①.使用DAI，管理员可以指定交换机的端口为信任和非信任端口：

信任端口可以转发任何ARP信息
非信任端口的ARP消息要进行ARP检测验证

②.交换机执行如下的ARP验证：

静态ARP监控：为一个静态的IP地址配置一个静态ARP访问控制列表
动态ARP监控：为DHCP指派的IP地址引用DHCP snooping绑定数据库

2.DAI配置步骤

①确认DHCP snooping技术已经被激活，并且已经完全填充数据库。

—没有DHCP服务器，也需要配置DHCP snooping

②指定某端口为信任端口，也就是接受这个接口上的ARP欺骗威胁。

—交换机级联的trunk接口必须配置为信任接口

③默认其他接口为非信任端口

④在每一个端口上设置ARP限速（可选）

—防止进行arp扫描

⑤配置一个ARP访问控制列表，静态IP映射到MAC.(可选）

⑥调整error-disable行为。

⑦在特定VLAN中启用ARP Inspect功能。

3.测试拓扑

二.基本配置

1.DHCPserver

hostname DHCPserver
interface Ethernet0/0
ip address 192.168.10.8 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.254
ip dhcp relay information trust-all
ip dhcp excluded-address 192.168.10.8
ip dhcp excluded-address 192.168.10.254
ip dhcp excluded-address 192.168.20.254
ip dhcp excluded-address 192.168.10.253
ip dhcp excluded-address 192.168.20.253
ip dhcp pool vlan10Pool
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
ip dhcp pool vlan20Pool
network 192.168.20.0 255.255.255.0
default-router 192.168.20.254

2.host SW1

hostname SW1
VLAN 10
VLAN 20
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast
interface range Ethernet0/1-2
switchport access vlan 10
switchport mode access
spanning-tree portfast
interface Ethernet0/3
switchport access vlan 20
switchport mode access
spanning-tree portfast
interface Vlan10
ip address 192.168.10.253 255.255.255.0
no shutdown
interface Vlan20
ip address 192.168.20.253 255.255.255.0
ip helper-address 192.168.10.8
no shutdown
!配置DHCP snooping
ip dhcp snooping
clock timezone GMT +8
do clock set 21:05:00 18 Apr 2020
ip dhcp snooping database unix:/dhcp.db
int rang e0/0, e0/2
ip dhcp snooping trust
int rang e0/1, e0/3
ip dhcp snooping limit rate 3
exit
ip dhcp snooping vlan 10,20

3.host SW2

hostname SW2
VLAN 10
VLAN 20
interface Ethernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
interface Ethernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
interface Ethernet0/2
switchport access vlan 20
switchport mode access
spanning-tree portfast
interface Vlan10
ip address 192.168.10.254 255.255.255.0
no shutdown
interface Vlan20
ip address 192.168.20.254 255.255.255.0
ip helper-address 192.168.10.8
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.253
!配置DHCP snooping
ip dhcp snooping
clock timezone GMT +8
do clock set 21:05:00 18 Apr 2020
ip dhcp snooping database unix:/dhcp.db
int e0/0
ip dhcp snooping trust
int rang e0/1-2
ip dhcp snooping limit rate 3
exit
ip dhcp snooping vlan 10,20

4.验证

①Client1能正常获取IP地址

Client1#show ip int br | in Ethernet0/0
Ethernet0/0 192.168.10.1 YES DHCP up up
Client1#

②Client2能正常获取IP地址

Client2#show ip int br | in Ethernet0/0
Ethernet0/0 192.168.20.1 YES DHCP up up
Client2#

③Client3能正常获取IP地址

Client3#show ip int br | in Ethernet0/0
Ethernet0/0 192.168.10.2 YES DHCP up up
Client3#

④Client4能正常获取IP地址

Client4#show ip int br | in Ethernet0/0
Ethernet0/0 192.168.20.2 YES DHCP up up
Client4#

三.配置交换机的ARP监控

1.配置启用DAI交换机之间的互联链路接口为信任端口

SW1和SW2
int e0/0
ip arp inspection trust

2.对非信任端口ARP进行限速

SW1和SW2
int range E0/1-3
ip arp inspection limit rate 10

3.为非信任端口上的所有静态主机配置ARP监控豁免的ACL

SW1
arp access-list xll-ARP-Filter
permit ip host 192.168.10.8 mac host aabb.cc00.4000
ip arp inspection filter xll-ARP-Filter vlan 10
备注：如果ip arp inspection filter xll-ARP-Filter vlan 10 static，则只检测静态绑定的，不检测由DHCP snooping动态生成的库。

4.设置违规端口error-disable自动恢复时间为180秒

SW1和SW2
errdisable recovery cause arp-inspection
errdisable recovery interval 180

5.在特定vlan启用ARP监控

SW1和SW2
ip arp inspection vlan 10,20

四.验证

1.Client1~4都能ping通DHCPserver

Client1#ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 5/5/5 ms
Client1#
Client2#ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Client2#
Client3#ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
Client3#
Client4#ping 192.168.10.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Client4#
DHCPserver(config)#int e0/0
DHCPserver(config-if)#mac
DHCPserver(config-if)#mac?
mac-address mace

2.如果手工修改DHCPserver的E0/0接口mac地址，SW1会报错

DHCPserver(config-if)#mac-a
DHCPserver(config-if)#mac-address 1.1.1
DHCPserver(config-if)#
SW1(config)#
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc80.2000/192.168.10.254/22:25:04 GMT Sat Apr 18 2020])
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc80.1000/192.168.10.253/22:25:04 GMT Sat Apr 18 2020])
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc00.7000/192.168.10.3/22:25:04 GMT Sat Apr 18 2020])
SW1(config)#do sho
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/aabb.cc00.5000/192.168.10.4/22:25:04 GMT Sat Apr 18 2020])
*Apr 18 14:25:05.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Et0/2, vlan 10.([0001.0001.0001/192.168.10.8/ffff.ffff.ffff/192.168.10.8/22:25:04 GMT Sat Apr 18 2020])