STIGhubSTIGhub
STIGhub— A free STIG search and compliance tool·STIGs updated 1 hour ago
Powered by Pylon·Privacy·Terms·Feedback·© 2026 Beacon Cloud Solutions, Inc.
← Back to Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide

V-253961

CAT II (Medium)

The Juniper EX switch must be configured to enable Dynamic Address Resolution Protocol (ARP) Inspection (DAI) on all user VLANs with active access interfaces.

Rule ID

SV-253961r1212017_rule

STIG

Juniper EX Series Switches Layer 2 Switch Security Technical Implementation Guide

Version

V2R5

CCIs

CCI-002385

Discussion

DAI intercepts ARP requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding the packet to the appropriate destination. Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the DHCP snooping binding database. If the ARP packet is received on a trusted interface (e.g., access interface with a valid binding or a trunked interface), the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

Check Content

Review the switch configuration to verify that DAI is enabled on all user VLANs with active access interfaces. Configuring DAI automatically enables DHCP snooping.

Devices such as printers, servers, and VoIP phones are under enterprise control and connected to controlled access interfaces (802.1x, Static MAC Bypass, or MAC RADIUS), making them trusted sources in nonuser-facing VLANs.

Verify DAI on user-facing or untrusted VLANs with active access interfaces.

user@host> show configuration vlans
<untrusted VLAN name> {
    vlan-id <VLAN ID>;
    forwarding-options {
        dhcp-security {
            arp-inspection;
        }
    }
}
Note: DAI depends on DHCP snooping or static MAC address bindings.

This check is not applicable to switches configured with user-facing or untrusted VLANs merely for inclusion in trunks (e.g., core or distribution switch without access interfaces assigned to user-facing or untrusted VLANs).

If DAI is not enabled on all user VLANs with active access interfaces, this is a finding.

Fix Text

Configure the switch to have DAI enabled on all user VLANs with active access interfaces.

1. Enter configuration mode.
2. Configure user-facing or untrusted VLANs with active access interfaces with DAI.
3. Commit the configuration.

user@host> configure
Entering configuration mode

user@host# set vlans <untrusted VLAN name> vlan-id <untrusted VLAN ID>

user@host# set vlans <untrusted VLAN name> forwarding-options dhcp-security arp-inspection

user@host# commit
commit complete