Dynamic ARP Inspection and DHCP Snooping

Dynamic ARP Inspection (DAI) is a security feature that protects the network from ARP cache poisoning. DAI intercepts and discards ARP packets that carry invalid IP-to-MAC address bindings.

DAI protects the network from some man-in-the-middle attacks by ensuring that only valid ARP requests and responses are relayed. This is achieved by configuring an ARP access list (ARP ACL) and applying it to the corresponding VLAN or bridge domain (BD).

When DHCP snooping is enabled, DAI can validate the IP-MAC bindings of the ARP packets against the DHCP snooping binding database.

When enabled on a DHCP snooping-enabled VLAN, DAI intercepts the ARP packets on that VLAN and validates each packet's sender IP-MAC binding against the DHCP snooping binding database. If a valid entry is found for that IP-MAC binding, the ARP packet is processed. If no valid entry is found, the packet is discarded.

On a DAI-enabled VLAN, an ARP access list takes precedence over the DHCP snooping binding database: ARP packets are validated against the ARP access list first. If the ARP access list denies a packet, the packet is dropped even if the snooping binding database contains a valid binding for it. An ARP access list implicitly denies all ARP packets unless a permit entry is configured for that IP-MAC binding, so every statically addressed host on the VLAN needs an explicit permit entry.
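The following configuration is an added example, not taken from the page or from any platform's command reference, that ties the pieces above together on one VLAN. It assumes Cisco NX-OS-style syntax (the page does not name the platform), VLAN 10, an uplink to the DHCP server on Ethernet1/1, a statically addressed host at 10.10.10.50 / 0000.5e00.5301, and a DHCP-leased host at 10.10.10.77 that is to be cut off; all of those addresses and names are constructed for the example.

```text
! Constructed example (not from the page): Cisco NX-OS-style DAI and DHCP
! snooping configuration for VLAN 10. Addresses, port and ACL names are
! assumptions made for illustration.
feature dhcp

! 1. DHCP snooping builds the IP-MAC binding database that DAI validates against.
ip dhcp snooping
ip dhcp snooping vlan 10

! 2. Trust only the port facing the DHCP server / upstream switch. Access
!    ports stay untrusted, so every ARP packet they send is inspected.
interface ethernet 1/1
  ip dhcp snooping trust
  ip arp inspection trust

! 3. Enable DAI on the snooping-enabled VLAN.
ip arp inspection vlan 10

! 4. ARP ACL. A static host never appears in the snooping database, so its
!    binding must be permitted explicitly. The deny entry shows the
!    precedence rule: 10.10.10.77 is dropped even though it holds a valid
!    DHCP lease (and therefore a valid binding in the snooping database).
!    Anything not matched by a permit entry is implicitly denied.
arp access-list DAI-STATIC-HOSTS
  permit ip host 10.10.10.50 mac host 0000.5e00.5301
  deny   ip host 10.10.10.77 mac any

! 5. Apply the ACL to the DAI-enabled VLAN. It is evaluated before the
!    DHCP snooping binding database.
ip arp inspection filter DAI-STATIC-HOSTS vlan 10

! Verification: confirm the bindings DAI will accept, that DAI and the ACL
! are active on the VLAN, and watch the drop counters while testing.
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

Two practical checks before applying this on a production VLAN: make sure every port toward a DHCP server or another snooping-enabled switch is trusted, or client leases will never populate the binding database and their ARP traffic will be dropped; and confirm the platform's own command reference for how the ARP ACL's implicit deny interacts with the snooping database (some platforms accept a trailing `static` keyword on `ip arp inspection filter` that makes the implicit deny final, while without it unmatched packets may fall back to the binding database), because that determines whether the single permit entry above cuts off DHCP-leased hosts.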