Dynamic ARP Inspection: DAI in A DHCP Environment
Address Resolution Protocol (ARP) provides IP-to-MAC address resolution and operates at Layer 2 (the data-link
layer) of the OSI model. A host that needs to reach an IP address on its local segment broadcasts an ARP request;
the reply maps that IP address to the MAC address of the destination host, and the result is stored in a lookup
table (the ARP cache). ARP has no authentication, so any host can answer for an IP address it does not own, which
is the basis of ARP spoofing.
Dynamic ARP Inspection (DAI) is a switch security feature that validates ARP packets in a network. DAI
intercepts ARP requests and responses arriving on untrusted ports and checks the sender's IP-to-MAC address
binding against a trusted database (the DHCP snooping binding database) before forwarding the packet to the
appropriate destination. ARP packets whose IP-to-MAC bindings are not found in the database fail the
inspection and are dropped. The DHCP snooping binding database is populated by the DHCP snooping feature as the
switch observes DHCP exchanges, so DHCP snooping must be enabled globally on the switch and on every VLAN where
DAI is to be used, with the port facing the DHCP server marked as trusted.
DAI protects the network from ARP spoofing (ARP cache poisoning), the technique behind many of the commonly
known man-in-the-middle (MITM) attacks on a LAN, by ensuring that only ARP requests and responses with valid
bindings are forwarded.
Because DAI validation is performed by the switch CPU, an attacker who floods ARP packets through an untrusted
port can degrade switch performance, a denial-of-service (DoS) condition. To prevent this, the rate of incoming
ARP requests and responses can be limited per interface with the ip arp inspection limit command in interface
configuration mode. By default, untrusted interfaces allow 15 packets per second (pps) with a burst interval of
1 second; trusted interfaces are not rate limited.
When the rate of incoming ARP packets on a port exceeds the configured limit, the port is placed in the
error-disabled (errdisable) state and stops forwarding traffic. The port remains in this state until an
administrator intervenes (shutdown followed by no shutdown on the interface) or until automatic recovery is
enabled with the global errdisable recovery cause arp-inspection command, in which case the port is re-enabled
after the timeout set with errdisable recovery interval [seconds] (300 seconds if not changed).
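The steps above, collected into one sample Cisco IOS configuration. This is an example added by the editor, not
configuration from the original page: it enables DHCP snooping and DAI on VLAN 10, trusts the uplink toward the
DHCP server, rate limits the access ports and turns on automatic errdisable recovery. The VLAN number, interface
names, timer values and the extra validation checks are assumptions chosen for illustration and should be
adapted to the real topology.

```cisco
! --- DHCP snooping: builds the binding database DAI relies on ---
ip dhcp snooping
ip dhcp snooping vlan 10
! The switch is not a relay agent here, so do not insert option 82
! (a DHCP server that sees option 82 with giaddr 0.0.0.0 may drop the request)
no ip dhcp snooping information option
!
! --- DAI on the same VLAN ---
ip arp inspection vlan 10
! Optional extra checks on untrusted ports: the ARP body source MAC must match
! the Ethernet source MAC, the destination MAC must match for replies,
! and the ARP IP addresses must be sane (no 0.0.0.0, 255.255.255.255, multicast)
ip arp inspection validate src-mac dst-mac ip
!
! --- Uplink toward the DHCP server: trusted for both features ---
interface GigabitEthernet1/0/24
 description Uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Access ports: untrusted by default; keep the default 15 pps / 1 s burst
!     explicit so the intent is visible in the running config ---
interface range GigabitEthernet1/0/1 - 23
 description Access ports, DHCP clients
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15 burst interval 1
!
! --- Let a port that was errdisabled by DAI rate limiting recover after 5 minutes ---
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! --- Verification ---
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection interfaces
show ip arp inspection statistics vlan 10
show errdisable recovery
```

Check show ip dhcp snooping binding first: if a client's lease is not listed there, DAI will drop that client's
ARP traffic, which is the usual cause of "DAI broke the network" reports after enabling the feature on a VLAN
where snooping was only just turned on. Hosts with static IP addresses never appear in the snooping database;
they must either sit on a trusted port or be permitted explicitly with an ARP ACL (arp access-list) applied via
ip arp inspection filter, otherwise DAI drops their ARP packets too.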