Open Ethernet Networking (OpEN) API Guide and Reference Manual  3.6.0.3
Dynamic ARP Inspection (DAI)

Dynamic ARP Inspection OpEN API

This document provides a brief description of the Dynamic ARP Inspection (DAI) OpEN API. Dynamic ARP Inspection is a security feature. The intent of DAI is to prevent man-in-the-middle attacks that can occur when a malicious station intercepts traffic by poisoning the ARP caches of neighboring stations.

This API provides the following services:

Example C Applications

Initialization

In the main function, the sample application initializes the OpEN API RPC service by calling openapiClientRegister() and waits for the RPC service in switchdrvr to start. openapiClientRegister() returns a Client Handle, which the application then uses when invoking the OpEN APIs. The application exercises the associated OpEN APIs and logs informational and/or error messages on the console. The example application runs to completion and exits.

aclarptable_example

aclarptable_example.c is a sample application that emulates the "show arp access-list" command. It uses the DAI OpEN APIs to retrieve and display ACL ARP table entries. It is started from the command line and has the following usage syntax:

Usage: arptable_example [-a aclname]

dai_example

dai_example.c is a sample application that emulates part of the "show ip arp inspection" command. It uses the DAI OpEN APIs to set and get the global validation modes. It is started from the command line and has the following usage syntax:

Usage: dai_example <test#> <arg1> <arg2> ...

DAI CLI/API Cross Reference

The mapping between the OpEN APIs and CLI commands is shown below.

CLI Command | OpEN API Functions
----------- | ------------------
(Config)# show arp access-list <aclname> | openapiArpAclGet(), openapiArpAclRuleNextGet(), openapiArpAclNextGet()
(Config)# show ip arp inspection | openapiDaiSourceMacValidateModeGet(), openapiDaiDestMacValidateModeGet(), openapiDaiIpAddrValidateModeGet()
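
The three global validation modes that dai_example sets and reads (source MAC, destination MAC, IP address) are not defined on this page. The following is an added illustration, not OpEN API code and not part of the sample applications, of what each mode conventionally checks on an ARP frame. The check semantics, the types, the function names and the sample frame are assumptions constructed for this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed types for this example; not part of the OpEN API. */
enum { DAI_SRC_MAC = 1, DAI_DST_MAC = 2, DAI_IP = 4 };   /* enabled-mode bitmask */
enum { ARP_REQUEST = 1, ARP_REPLY = 2 };

typedef struct {
    uint8_t  eth_dst[6], eth_src[6];   /* Ethernet header addresses */
    uint16_t op;                       /* ARP opcode, host byte order */
    uint8_t  sha[6], tha[6];           /* ARP sender / target hardware address */
    uint32_t spa, tpa;                 /* ARP sender / target IPv4, host byte order */
} arp_frame_t;

/* 0.0.0.0, 255.255.255.255 and multicast (224.0.0.0/4) are invalid in an ARP body. */
static int bad_ip(uint32_t ip)
{
    return ip == 0 || ip == 0xFFFFFFFFu || (ip >> 28) == 0xE;
}

/* Returns 0 if the frame passes, otherwise the DAI_* bit of the first failed check. */
int dai_validate(const arp_frame_t *f, unsigned modes)
{
    /* Source MAC: Ethernet source must equal ARP sender MAC (requests and replies). */
    if ((modes & DAI_SRC_MAC) && memcmp(f->eth_src, f->sha, 6) != 0)
        return DAI_SRC_MAC;
    /* Destination MAC: Ethernet destination must equal ARP target MAC (replies only). */
    if ((modes & DAI_DST_MAC) && f->op == ARP_REPLY && memcmp(f->eth_dst, f->tha, 6) != 0)
        return DAI_DST_MAC;
    /* IP: sender IP is always checked, target IP only in replies. */
    if ((modes & DAI_IP) && (bad_ip(f->spa) || (f->op == ARP_REPLY && bad_ip(f->tpa))))
        return DAI_IP;
    return 0;
}

/* Constructed sample: a reply whose ARP sender MAC differs from the Ethernet source. */
arp_frame_t sample_spoofed_reply(void)
{
    arp_frame_t f = {
        .eth_dst = {0x02,0,0,0,0,0x01}, .eth_src = {0x02,0,0,0,0,0x66},
        .op = ARP_REPLY,
        .sha = {0x02,0,0,0,0,0x02}, .tha = {0x02,0,0,0,0,0x01},
        .spa = 0xC0A80101u, .tpa = 0xC0A8010Au,   /* 192.168.1.1 -> 192.168.1.10 */
    };
    return f;
}
```

With all three modes off, every frame passes these checks, so the mode getters in the table are worth reading when auditing a switch's DAI configuration.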