Netgear S3300-28X (GS728TX) - ProSAFE S3300 Smart Switch Series Administrator Guide

Configure System Information 
 S3300 Smart Switch
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP 
packets. DAI prevents a class of man-in-the-middle attacks where an unfriendly station 
intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting 
neighbors. The malicious attacker sends ARP requests or responses mapping another 
station’s IP address to its own MAC address.
When DAI is enabled, the switch drops ARP packets whose sender MAC address and 
sender IP address do not match an entry in the DHCP snooping bindings database. You can 
optionally configure additional ARP packet validation.
When DAI is enabled on a VLAN, DAI is enabled on the interfaces (physical ports or LAGs) 
that are members of that VLAN. Individual interfaces are configured as trusted or untrusted. 
The trust configuration for DAI is independent of the trust configuration for DHCP snooping. 
Configure DAI on a VLAN and an Interface
In this example, DAI is enabled on VLAN 100. Ports 1-10 connect end users to the network 
and are members of VLAN 100. These ports are configured to limit the maximum number of 
ARP packets with a rate limit of 10 packets per second. LAG 1, which is also a member of 
VLAN 100 and contains ports 11-14, is the trunk port that connects the switch to the data 
center, so it is configured as a trusted port.
This example assumes VLAN 100 and LAG 1 have already been configured.
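The checks described above, applied to this example's layout (DAI on VLAN 100, untrusted user ports limited to 10 ARP packets per second, trusted LAG 1), as an added Python model that is not NETGEAR code and not part of the original guide. The binding entries, addresses, and the `RATE_EXCEEDED` verdict are constructed for illustration, and the model assumes ARP packets on a trusted interface are forwarded without inspection.

```python
from dataclasses import dataclass

# Constructed DHCP snooping bindings for illustration: (VLAN, IP) -> MAC.
BINDINGS = {
    (100, "192.0.2.10"): "00:11:22:33:44:0a",
    (100, "192.0.2.11"): "00:11:22:33:44:0b",
}
DAI_VLANS = {100}       # DAI is enabled on VLAN 100
TRUSTED = {"lag1"}      # LAG 1 is the trusted trunk; ports 1-10 stay untrusted
RATE_LIMIT_PPS = 10     # ARP packets per second allowed on an untrusted port

@dataclass
class Arp:
    t: float            # arrival time in seconds
    port: object        # port number, or "lag1"
    vlan: int
    sender_ip: str
    sender_mac: str

def inspect(packets):
    """Return one verdict per packet: FORWARD, DROP or RATE_EXCEEDED."""
    recent, verdicts = {}, []   # recent: port -> arrival times in the last second
    for p in packets:
        if p.vlan not in DAI_VLANS or p.port in TRUSTED:
            verdicts.append("FORWARD")          # not inspected by DAI
            continue
        window = [t for t in recent.get(p.port, []) if p.t - t < 1.0] + [p.t]
        recent[p.port] = window
        if len(window) > RATE_LIMIT_PPS:
            # Assumption: the model only flags the excess; the switch's action
            # on exceeding the limit is not described in this section.
            verdicts.append("RATE_EXCEEDED")
            continue
        # Core DAI check: sender IP and sender MAC must match a binding entry.
        ok = BINDINGS.get((p.vlan, p.sender_ip)) == p.sender_mac.lower()
        verdicts.append("FORWARD" if ok else "DROP")
    return verdicts

def sample():
    """Constructed traffic: valid host, spoofed mapping, trunk, then a burst."""
    pkts = [
        Arp(0.0, 1, 100, "192.0.2.10", "00:11:22:33:44:0a"),      # matches binding
        Arp(0.1, 2, 100, "192.0.2.10", "00:11:22:33:44:0b"),      # IP bound to another MAC
        Arp(0.2, "lag1", 100, "192.0.2.1", "00:11:22:33:44:01"),  # trusted, no binding
    ]
    pkts += [Arp(5.0 + i * 0.01, 2, 100, "192.0.2.11", "00:11:22:33:44:0b")
             for i in range(12)]                                  # 12 ARPs in 0.11 s
    return pkts
```

Calling `inspect(sample())` shows the spoofed mapping on port 2 dropped while the unbound gateway address on LAG 1 passes, which is why only the uplink toward the data center should carry the trusted setting.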
To configure DAI on a VLAN and an interface:
1. Enable DAI on VLAN 100.
   a. Select System > Services > Dynamic ARP Inspection > DAI VLAN Configuration.
   b. Next to VLAN 100, select the check box.
   c. From the Dynamic ARP Inspection list, select Enable.
Figure 35.  DAI VLAN Configuration