Guidelines for Implementing ACLs for DAI

When applied to untrusted ports, ARP access control lists (ACLs) permit only ARP packets with specified IP address and MAC address bindings. Such ACLs implement Dynamic ARP Inspection (DAI).
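
The permit check described above, as an added Python illustration (not vendor code or device configuration): it parses an ARP payload and forwards it from an untrusted port only when the sender IP/MAC pair matches a binding in the ACL. The addresses, the `ARP_ACL` table and all function names are constructed for the example; treating trusted ports as uninspected is the usual DAI behaviour and is assumed here.

```python
import struct
from ipaddress import IPv4Address

# Constructed ARP ACL: permitted sender IP -> MAC bindings (sample values).
ARP_ACL = {
    IPv4Address("192.0.2.10"): "00:20:22:22:22:22",
    IPv4Address("192.0.2.11"): "00:20:22:22:22:33",
}

def parse_arp(payload: bytes):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa = payload[8:14], payload[14:18]
    return sha.hex(":"), IPv4Address(spa)

def dai_verdict(payload: bytes, port_trusted: bool, acl=ARP_ACL) -> str:
    """Decide what DAI does with one ARP packet received on a port."""
    if port_trusted:
        return "forward"  # assumption: trusted ports are not inspected
    try:
        mac, ip = parse_arp(payload)
    except ValueError:
        return "drop"     # malformed ARP cannot match a permit entry
    # Permit only when the sender IP is listed AND bound to this MAC.
    return "forward" if acl.get(ip) == mac else "drop"

def build_arp(oper, sha, spa, tha, tpa) -> bytes:
    """Build a constructed ARP payload for the demonstration."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + IPv4Address(spa).packed
            + mac(tha) + IPv4Address(tpa).packed)

if __name__ == "__main__":
    target = ("00:20:22:22:22:33", "192.0.2.11")
    samples = {
        "bound sender": build_arp(2, "00:20:22:22:22:22", "192.0.2.10", *target),
        "wrong MAC for IP": build_arp(2, "02:00:00:00:00:01", "192.0.2.10", *target),
        "unlisted IP": build_arp(2, "00:20:22:22:22:22", "192.0.2.99", *target),
    }
    for name, pkt in samples.items():
        print(f"{name:18} untrusted port -> {dai_verdict(pkt, port_trusted=False)}")
```
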
Follow these guidelines when implementing Address Resolution Protocol (ARP) ACLs for DAI.
- DAI is available on the following Layer 2 VLANs:
  - 802.1Q VLANs
  - VE interfaces under virtual routing and forwarding (VRF). Both default and non-default VRFs are supported.
- DAI is not supported for management interfaces.
- On a VLAN with DAI enabled, the following types of member ports are supported for DAI:
  - Physical interfaces (in switchport mode)
  - Port-channel interfaces (LAGs or MLAGs) (in switchport mode)