Dynamic ARP Inspection (DAI) is a security feature that validates Address Resolution Protocol (ARP) packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings. This capability protects the network from certain "man-in-the-middle" attacks. DAI prevents these attacks by intercepting all ARP requests and responses. Each of these intercepted packets is verified for valid MAC address to IP address bindings before the local ARP cache is updated or the packet is forwarded to the appropriate destination. Invalid ARP packets are dropped. DAI determines the validity of an ARP packet based on valid MAC address to IP address bindings stored in the database built by DHCP snooping.
What is the configuration required to implement this technique? (DHCP snooping and trusted ports already configured).
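As an added illustration of the check the quoted definition describes (this is example code written for this thread, not part of the original post and not MikroTik or Cisco code), the following Python models DAI's decision for one frame: ARP frames arriving on untrusted ports are parsed and their sender MAC/IP compared against a DHCP snooping binding table keyed by VLAN and IP, while frames from trusted ports pass uninspected. The port names, MAC and IP addresses, bindings and frames are constructed sample data; the extra Ethernet-source-versus-ARP-sender check is an assumption modelled on the optional `validate src-mac` step of Cisco's implementation rather than something the definition itself requires.

```python
"""Toy Dynamic ARP Inspection (DAI): ARP from untrusted ports is checked against a
DHCP snooping binding table, mismatches are logged and dropped. Constructed example."""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(o) for o in s.split("."))
def _fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def _fmt_ip(b): return ".".join(map(str, b))

def build_arp_frame(eth_src, eth_dst, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + RFC 826 ARP frame; used only to construct sample input."""
    eth = _mac(eth_dst) + _mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    return eth + arp + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)

def parse_arp_frame(frame):
    """ARP fields as a dict; None if the frame is not ARP; ValueError if ARP but malformed."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if len(frame) < 42:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"eth_dst": _fmt_mac(frame[0:6]), "eth_src": _fmt_mac(frame[6:12]), "opcode": opcode,
            "sender_mac": _fmt_mac(frame[22:28]), "sender_ip": _fmt_ip(frame[28:32]),
            "target_mac": _fmt_mac(frame[32:38]), "target_ip": _fmt_ip(frame[38:42])}

@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding, learned from a DHCP ACK seen on an untrusted port."""
    mac: str
    ip: str
    vlan: int
    port: str

class DynamicArpInspector:
    def __init__(self, bindings, trusted_ports, validate_src_mac=True):
        # Keyed by (vlan, ip): the question DAI asks is "which MAC owns this IP on this VLAN?"
        self.table = {(b.vlan, b.ip): b for b in bindings}
        self.trusted_ports = set(trusted_ports)
        self.validate_src_mac = validate_src_mac
        self.log = []  # the "log" half of intercept/log/discard

    def _drop(self, vlan, port, reason):
        self.log.append((vlan, port, reason))
        return ("drop", reason)

    def inspect(self, frame, vlan, ingress_port):
        """Fate of one frame: ("forward", why) or ("drop", why)."""
        if ingress_port in self.trusted_ports:
            return ("forward", "trusted port, ARP not inspected")
        try:
            arp = parse_arp_frame(frame)
        except ValueError as exc:
            return self._drop(vlan, ingress_port, f"malformed ARP ({exc})")
        if arp is None:
            return ("forward", "not ARP, outside DAI's scope")
        # Optional extra check (an assumption here, modelled on Cisco's 'validate src-mac'):
        # the ARP body may not claim a hardware address other than the Ethernet source.
        if self.validate_src_mac and arp["eth_src"] != arp["sender_mac"]:
            return self._drop(vlan, ingress_port, f"Ethernet src {arp['eth_src']} != ARP sender {arp['sender_mac']}")
        # Core check from the definition: the sender IP/MAC pair must match the DHCP
        # snooping binding for this VLAN. The binding's port is recorded but not matched here.
        bound = self.table.get((vlan, arp["sender_ip"]))
        if bound is None:
            return self._drop(vlan, ingress_port, f"no binding for {arp['sender_ip']} on VLAN {vlan}")
        if bound.mac != arp["sender_mac"]:
            return self._drop(vlan, ingress_port, f"{arp['sender_ip']} is bound to {bound.mac}, not {arp['sender_mac']}")
        return ("forward", "sender matches DHCP snooping binding")

def demo():
    """Constructed scenario: two DHCP clients, a gateway behind the trusted uplink, one attacker."""
    gw, h10, h20, evil = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10", "aa:bb:cc:00:00:20", "de:ad:be:ef:00:66"
    dai = DynamicArpInspector([Binding(h10, "10.0.0.10", 10, "ether2"), Binding(h20, "10.0.0.20", 10, "ether3")],
                              trusted_ports={"sfp-sfpplus1"})  # uplink towards DHCP server and gateway
    def reply(eth_src, arp_src, sender_ip, port):  # ARP reply addressed to h20, arriving on `port`
        return build_arp_frame(eth_src, h20, ARP_REPLY, arp_src, sender_ip, h20, "10.0.0.20"), port
    cases = {
        "legit reply from host": reply(h10, h10, "10.0.0.10", "ether2"),
        "gateway reply via trusted uplink": reply(gw, gw, "10.0.0.1", "sfp-sfpplus1"),
        "attacker claims gateway IP": reply(evil, evil, "10.0.0.1", "ether4"),
        "attacker claims host IP with own MAC": reply(evil, evil, "10.0.0.10", "ether4"),
        # ARP body copies the victim's real binding; only the Ethernet header gives the attacker away
        "attacker copies host binding in ARP body": reply(evil, h10, "10.0.0.10", "ether4"),
        "non-ARP (IPv4) frame": (_mac(h20) + _mac(h10) + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19, "ether2"),
    }
    return {name: dai.inspect(frame, 10, port)[0] for name, (frame, port) in cases.items()}
```

The gateway has no DHCP binding because it never requested a lease, which is exactly why its ARP must enter through a trusted port: the same reply arriving on an untrusted access port is dropped. The last attacker case shows why the source-MAC validation is worth enabling where it is offered; with it switched off, an ARP body that copies a victim's real IP/MAC pair passes the binding check even though the Ethernet header carries the attacker's address.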
I think MikroTik has not yet designed a DHCP snooping table, therefore DAI would be difficult to add to MikroTik switches. I think MikroTik's DHCP snooping just checks DHCP Offer messages from DHCP servers without creating a DHCP snooping table. Another reason is that adding a DHCP snooping table to existing switch hardware would not be possible. If it were easy to add, MikroTik would have come up with the words "Coming Soon".
I think this feature is very important if MikroTik wants its switches to be widely used in global markets, given the rising number of Layer 2 attacks that affect business trust. So far, MikroTik switches look promising, but when I found there is no DAI, in comparison to Cisco switches, I cannot fully say they are promising for any small/medium/enterprise network.
Yes, Dynamic ARP Inspection (DAI) is another widely standard feature not supported by MikroTik switches.
I am very sure MikroTik has this on the radar.
I hope in the near future we will see it,
but
I think today the priority is towards Layer 3 hardware acceleration features, which are much more relevant to scaling MikroTik ISP infrastructure. It is a world of finite things; we cannot get everything at once.
I agree. L3 HW Offloading is a must. Two years ago, the L3 HW Offloading feature was only available on the CRS317. Now I can use it on the CRS328/326. I tested the throughput performance with L3 HW Offloading enabled. It works! It is promising to implement for a core switch. I plan to test MLAG as well.