The Dynamic ARP Inspection (DAI) security feature validates Address Resolution Protocol (ARP) packets in a subnet, and discards packets with invalid IP address and MAC address bindings.
Note: DAI is supported only in non-DHCP environments.

On VLANs, DAI can examine incoming ARP packets. DAI discards packets with invalid IP address and MAC address bindings, guarding against ARP poisoning. Only valid ARP requests and responses are relayed. You specify the valid, static IP address and MAC address bindings in the permit statements of ARP ACLs.
You decide which ports to define as trusted or untrusted. ARP packets on trusted ports bypass all DAI validations and are forwarded as required. DAI examines ARP packets only on untrusted ports.
VLAN setting | Port setting | Action
---|---|---
DAI disabled | Trusted or untrusted | All incoming ARP packets are hardware-forwarded.
DAI enabled | Trusted | All incoming ARP packets are trapped to the CPU and then software-forwarded.
DAI enabled | Untrusted | All incoming ARP packets are trapped to the CPU. Following DAI, the packets are software-forwarded or dropped.
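To make the table concrete, the following is an added Python model (not the vendor's code) that parses the sender IP/MAC binding out of a constructed, untagged ARP frame and applies the VLAN/port decision table against constructed permit bindings. The `PERMIT_BINDINGS` dictionary, the addresses and the action names are assumptions for illustration only.

```python
import struct

# Constructed sample ARP ACL: the static IP-to-MAC bindings that the permit
# statements would carry (illustrative values, not from the documentation).
PERMIT_BINDINGS = {
    "10.0.0.1": "00:aa:bb:cc:dd:ee",
    "10.0.0.10": "00:11:22:33:44:55",
}

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def build_arp(sender_mac: str, sender_ip: str, target_ip: str, op: int = 1) -> bytes:
    """Build an untagged Ethernet II frame carrying an ARP request (op=1) or reply (op=2)."""
    eth = b"\xff" * 6 + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)            # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + bytes(map(int, sender_ip.split(".")))   # sha, spa
    arp += b"\x00" * 6 + bytes(map(int, target_ip.split(".")))             # tha, tpa
    return eth + arp

def sender_binding(frame: bytes):
    """Extract (sender MAC, sender IP) from an untagged ARP frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    sha, spa = frame[22:28], frame[28:32]          # offsets after the 14-byte Ethernet header
    return ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)

def dai_action(frame: bytes, vlan_dai_enabled: bool, port_trusted: bool,
               bindings=PERMIT_BINDINGS) -> str:
    """Apply the VLAN/port table: returns 'hw-forward', 'sw-forward' or 'drop'."""
    if not vlan_dai_enabled:
        return "hw-forward"          # DAI off on the VLAN: no inspection at all
    if port_trusted:
        return "sw-forward"          # trapped to the CPU, but validation is bypassed
    binding = sender_binding(frame)
    if binding is None:
        return "drop"                # not a well-formed ARP packet
    mac, ip = binding
    # Untrusted port: forward only when the sender IP/MAC pair matches a permit binding
    return "sw-forward" if bindings.get(ip) == mac else "drop"

if __name__ == "__main__":
    good = build_arp("00:11:22:33:44:55", "10.0.0.10", "10.0.0.1")
    bad = build_arp("de:ad:be:ef:00:01", "10.0.0.1", "10.0.0.10", op=2)  # claims the gateway IP
    print(dai_action(good, True, False), dai_action(bad, True, False))   # sw-forward drop
```

The `bad` frame is a reply whose sender IP is bound in the ACL to a different MAC, which is exactly the mismatch DAI drops on an untrusted port while the same frame passes untouched on a trusted port or a DAI-disabled VLAN.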