Dynamic ARP Inspection
Optical LAN OLTs support Layer 2-based support for Dynamic ARP (Address Resolution Protocol) that allows the device to prevent any DHCP snooping or unauthorized attacks occurring on subscriber ports. The feature is designed with the purpose of learning the MAC to IP address binding from the DHCP Acknowledgment messages populated in the Forwarding DB table. The Forwarding DB table contains MAC addresses that should be equivalent to the IP addresses validating port packets arriving upstream.
When DHCP snooping is enabled for VLANs, the Dynamic ARP Inspection check box is provided in the VLAN Property table. VLANs that are chosen for ARP inspection will send the same MAC to IP bindings as designated subscriber ports.
Use the following procedure to enable 802.1x port-based control for Ethernet Line Port(s), and to, alternately, specify RADIUS server(s):
- Logon to EMS and in the Network common tree, right-click on the target OLT and select Protocol on the dropdown list, then select Dynamic ARP Inspection on the dropdown list.
- The Dynamic ARP Inspection dialog is displayed, with the Configuration tab attributes.
- In the Dynamic ARP Inspection Property dialog. select from each drop-down to enable DAI configuration on this OLT.
- Set up the following attributes on the Dynamic ARP Inspection Property dialog:
Attribute
Description
Notes
Configuration
Admin State
Allows or disallows Dynamic ARP inspection service on the OLT. Values are Enable or Disable.
Default is Disabled.
Logging Admin State
Allows or disallows the logging of DAI events. Values are Enable or Disable
Default is Disabled.
Logging Type
Defines whether to log permitted ARPs, Denied ARPs or both. Values are Deny, Permit or Both
Default is Deny.
Enable Designated MAC Check
Ensures that the destination MAC of the Ethernet header agrees with the target MAC in the ARP body in ARP responses. Select the check box to enable MAC check. Values are Enable or Disable
Default is Enable
Enable ARP IP Check
Ensures that the IP address is a valid IP address. It will exclude all multicast addresses, or IPs that are all zeros. The IP will be checked in ARP requests and responses. Select the check box to enable IP check. Values are Enable or Disable.
Default is Enable
Enable Source MAC Check
Validates that the ARP header and body have the same source MAC address for both ARP requests and responses. Values are Enable or Disable.
Default is Enable
Enable IP Source Protection
Ensures that IP source protection is enforced by the OLT and the MAC to Source IP bindings are learned form the DHCP requests or from the ARPs, when a static IP is used. Values are Enable or Disable.
Default is Enable
- When finished, click the Apply button, then click the Close button.
- A confirmation message is displayed. Click the OK button to close.
Statistics
Use the following procedure to view Statistics in the Dynamic ARP Property dialog:
- Logon to EMS and in the Network common tree, right-click on the target OLT and select Protocol on the dropdown list, then select Dynamic ARP Inspection on the dropdown list.
- The Dynamic ARP Inspection dialog is displayed, with the Configuration tab attributes.
- In the VLAN ID field, enter the specific VLAN identification from where the ARP message was obtained.
- Click the Locate button.
- The Dynamic ARP Inspection Property Statistics screen displays the current statistical counters of ARPs forwarded or dropped per the identified VLAN.
Note: The reasons for dropped ARPs are listed in the Syslog server. - Click the Refresh button to update the ARP counters shown in the dialog.
- Click the Close button to exit the Dynamic ARP Inspection Property dialog.
On this page