Dynamic ARP Inspection (DAI)

The Dynamic ARP Inspection (DAI) security feature validates Address Resolution Protocol (ARP) packets in a subnet, and discards packets with invalid IP address and MAC address bindings.

Note

DAI is supported only in non-DHCP environments: the valid IP address and MAC address bindings must be configured statically in ARP ACLs, because there is no DHCP snooping binding database for DAI to consult.

DAI is enabled per VLAN. On a VLAN where it is enabled, DAI examines incoming ARP packets and discards those whose IP address and MAC address binding is invalid, which guards against ARP poisoning (ARP spoofing). Only valid ARP requests and responses are relayed. You specify the valid, static IP address and MAC address bindings in the permit statements of ARP ACLs; an ARP packet whose sender binding does not match a permit statement is dropped.

You decide which ports are trusted and which are untrusted. ARP packets arriving on trusted ports bypass all DAI validation and are forwarded as usual; DAI examines ARP packets only on untrusted ports. Host-facing ports should normally be untrusted. Mark a port as trusted only when every device behind it is itself trusted, because a spoofed ARP packet that enters on a trusted port is forwarded without any check.

DAI handles incoming ARP packets on trusted and untrusted ports as follows.
Table 1. DAI on trusted and untrusted ports

VLAN setting    Port setting           Action
DAI disabled    Trusted or untrusted   All incoming ARP packets are hardware-forwarded.
DAI enabled     Trusted                All incoming ARP packets are trapped to the CPU and then software-forwarded.
DAI enabled     Untrusted              All incoming ARP packets are trapped to the CPU. Following DAI, the packets are software-forwarded or dropped.
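The following is an added example, not code from the page or from any switch vendor: a software model of the ARP ACL binding check described above and of the trusted/untrusted decision table. It parses raw Ethernet/ARP frames, loads static bindings from ARP ACL permit statements, and returns the action (hardware-forward, software-forward, or drop) and the reason. The frames, ACL text and port names are constructed for the demo; the permit statement syntax (`permit ip host <ip> mac host <mac>`), the class and function names, and the broadcast destination used for requests are assumptions made here, not a description of any vendor's CLI or implementation.

```python
"""Software model of the DAI checks described above (added example, not the
switch's own code). Frames, the ACL text and port names are constructed for
the demo. The ACL line syntax 'permit ip host <ip> mac host <mac>' and the
names DaiVlan/inspect are assumptions made here, not a statement about any
vendor's CLI."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_mac(s: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, or aabb.ccdd.eeff notation."""
    return bytes.fromhex(s.replace(":", "").replace("-", "").replace(".", ""))


def ip_to_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass(frozen=True)
class Arp:
    eth_src: str
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(frame: bytes) -> Optional[Arp]:
    """Return the ARP fields of an Ethernet frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(mac_to_str(src), op, mac_to_str(sha), ".".join(map(str, spa)),
               mac_to_str(tha), ".".join(map(str, tpa)))


def build_arp(eth_src: str, op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct an Ethernet/ARP frame for the demo (constructed input, not captured traffic)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else parse_mac(tha)
    return ETH.pack(dst, parse_mac(eth_src), ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, op, parse_mac(sha), ip_to_bytes(spa), parse_mac(tha), ip_to_bytes(tpa))


def load_arp_acl(text: str) -> Dict[str, str]:
    """Turn ARP ACL permit statements into an IP -> MAC map of valid static bindings."""
    acl = {}
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["permit", "ip", "host"] and parts[4:6] == ["mac", "host"]:
            acl[parts[3]] = mac_to_str(parse_mac(parts[6]))
    return acl


class DaiVlan:
    """DAI state for one VLAN: on/off, static bindings from the ARP ACL, trusted ports."""

    def __init__(self, enabled: bool, acl: Dict[str, str], trusted_ports: Set[str]):
        self.enabled, self.acl, self.trusted = enabled, acl, trusted_ports

    def inspect(self, port: str, frame: bytes) -> Tuple[str, str]:
        """Apply the trusted/untrusted table to one frame; returns (action, reason)."""
        if not self.enabled:
            return "hw-forward", "DAI disabled on VLAN"
        arp = parse_arp(frame)
        if arp is None:
            return "hw-forward", "not ARP, so not trapped to the CPU"
        if port in self.trusted:
            return "sw-forward", "trusted port: validation bypassed"
        if arp.op not in (ARP_REQUEST, ARP_REPLY):
            return "drop", f"unsupported ARP opcode {arp.op}"
        if self.acl.get(arp.sender_ip) != arp.sender_mac:
            return "drop", f"sender binding {arp.sender_ip}/{arp.sender_mac} not permitted by ARP ACL"
        return "sw-forward", "sender binding matches ARP ACL"


# Constructed demo data: a gateway and one host with static bindings; the uplink is trusted.
ACL_TEXT = """\
permit ip host 10.0.0.1 mac host 0000.5e00.5301
permit ip host 10.0.0.10 mac host 00:11:22:33:44:55
"""
VLAN10 = DaiVlan(True, load_arp_acl(ACL_TEXT), {"Ethernet1/49"})
GOOD_REQUEST = build_arp("00:11:22:33:44:55", ARP_REQUEST,
                         "00:11:22:33:44:55", "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1")
# Poisoning attempt: an attacker MAC claims the gateway's IP in a reply aimed at the host.
SPOOFED_REPLY = build_arp("de:ad:be:ef:00:01", ARP_REPLY,
                          "de:ad:be:ef:00:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.10")

if __name__ == "__main__":
    for port, frame in [("Ethernet1/1", GOOD_REQUEST), ("Ethernet1/1", SPOOFED_REPLY),
                        ("Ethernet1/49", SPOOFED_REPLY)]:
        print(port, *VLAN10.inspect(port, frame))
```

The third case in the demo is the one to keep in mind when assigning trust: the same spoofed reply that is dropped on the untrusted host port Ethernet1/1 is software-forwarded unchecked when it arrives on the trusted uplink Ethernet1/49, so a trusted port must lead only to devices that are themselves trusted.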