Dynamic ARP Inspection Juniper Configuration

Dynamic ARP Inspection Juniper Configuration, DAI Topology,

Dynamic ARP Inspection (DAI) is one of the security mechanisms used against ARP spoofing attacks. In this lesson, we will focus on Dynamic ARP Inspection Juniper configuration and we will learn how to configure Dynamic ARP Inspection on Juniper Routers. DAI is basically a security mechanism utilize DHCP Snooping database towards malicious ARP attacks. Let’s learn more on this mechanism.


By the way, this lesson is important for Juniper Certifications, JNCIS-ENT and JNCIE-ENT.


Why We use ARP in networking?

In Ethernet networks, ARP (Address Resolution Protocol) is used for MAC-IP matchings. After the first transmission of a packet, ip address and MAC address of the sender is recorded to an ARP Cache. After that, when ever a device need to send a packet, it checks this cache. If it finds an entry about the destination, it sends the packet to that destination. If it does not find any entry, then it sned the packet as broadcast.


ARP Attacks

ARP is vulnerable to some network attacks. One of them is ARP Spoofing Attack. What is an ARP spoofing attack? ARP spoofing attack is a Man-in-the-middle attack with which, attacker resides between two system and poisons their ARP Cache to direct the traffic for malicious aims. Here, attacker simply changes IP-MAC matchings in ARP Cache and tricks both end with new wrong entries. When ever the victim sends a packet, he/she thinks that, the packet is going to the exact destination. But, the packet is going to the attacker at this time.


Why We use Dynamic ARP Inspection in Networks?

With Dynamic ARP Inspection mechanism, we validate ARP packets in the network. By doing this, we prevent our network against and malicious ARP attacks like ARP spoofing. Here, ARP packet validation is done with the help of DHCP Snooping Database. It checks DHCP Snooping database if are there any entry about this ARP packet. If it finds any record, it accept the packet. If it des not find eny entry about it, DAI drops the packet.





Dynamic ARP Inspection Juniper Configuration, DAI Topology,

Dynamic ARP Inspection Protection

How to configure Dynamic ARP Inspection on Juniper routers?

In Juniper devices, we can configure DAI easily with a few steps. Here, we will focus on these steps one by one. Before this configuration, let’s explain some key points about Juniper DAI configurations.


On Juniper EX Series switches and QFX Series, Dynamic ARP Inspection is used on Access Ports. Because on access ports, all the ports are untrusted by default. Here, trunk portsa re bypassed, because, trunk portsa re trusted by default.


On Juniper devices, we configure DAI for each VLAN, not for each interface. By default, DAI is disabled on VLANs. If you would like to use this security mechanism, you should configure DAI for each VLAN.


As a keynote, in Juniper devices, if you set an interface as DHCP trusted, it is also trusted for ARP packets. You do not need to configure it as trusted again.


Enabling DAI on a VLAN

DAI Configuration On Enhanced Layer 2 Software (ELS)

To enable DAI on a VLAN in a Juniper device, we shoould go under vlan configuration. Certainly, before this configuration, we should do our VLAN configuration. Here, under “vlans vlan-name forwarding-options”, we will g oto “dhcp-security” and under it we will use “set arp-inspection” command.


[edit vlans vlan-name forwarding-options dhcp-security]

ipcisco@switch# set arp-inspection


vlans vlan-name forwarding-options{

dhcp-security {



DAI Configuration On (Non-ELS)

On Juniper devices that not support enhanced layer 2 software (ELS), we use the belwo commands to configure DAI.


[edit ethernet-switching-options secure-access-port]

ipcisco@switch# set vlan vlan-name arp-inspection


[edit ethernet-switching-options secure-access-port]

ipcisco@switch# set vlan all arp-inspection


Dynamic ARP Inspection Verification on Juniper

To verify Dynamic ARP Inspection on Juniper devices, we use “shows arp inspection statistics” command. With this Juniper command, we can see the received packets, ARP Inspection pass and ARP Inspection failed packets easily. Below, you can find an example of this command’s output.


ipcisco@switch> show arp inspection statistics

ARP inspection statistics:

Interface        Packets received  ARP inspection pass   ARP inspection failed

—————  —————   ——————– ———————

ge-0/0/1.0          25                   20                     5

ge-0/0/2.0          9                      9                     0

ge-0/0/3.0          13                   0                     13


As you see at the above screenshot, packets received by the interfaces. Some of them are passed and some of them failed according to the Juniper DAI configuration.


Back to: JNCIE > Security

Leave a Reply

Your email address will not be published. Required fields are marked *