Mastering Dynamic ARP Inspection (DAI) on Cisco Switches


The Address Resolution Protocol (ARP) is fundamental to communication within a Layer 2 broadcast domain: it maps IP addresses to MAC addresses. ARP has no authentication, however, so any host can send an unsolicited (gratuitous) or forged ARP reply, a technique known as ARP poisoning or ARP spoofing. This is a classic man-in-the-middle attack: a malicious host poisons the ARP caches of other hosts (and of the switch) so that traffic intended for those devices is delivered to it instead.

Dynamic ARP Inspection (DAI) is a critical security feature designed to validate ARP packets in a network, protecting against these spoofing attacks.



Part 1: Overview of Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature that validates incoming ARP packets by checking their IP-to-MAC address bindings. DAI intercepts, logs, and discards ARP packets that contain invalid IP-to-MAC address bindings, preventing ARP spoofing attacks and ensuring secure Layer 2 communications.

DAI relies on the database generated by DHCP Snooping or user-configured ARP ACLs for validation.


Part 2: DHCP Snooping and Prerequisites

DAI depends on DHCP Snooping to build a trusted database of IP-to-MAC bindings. This database is the source of truth for ARP packet validation.

  • DHCP Snooping monitors DHCP traffic and records MAC Address, IP Address, VLAN, Interface, and Lease time.
  • For static IP devices, ARP Access Control Lists (ACLs) must be configured, which take precedence over DHCP bindings.

Before enabling DAI, DHCP Snooping must be activated globally and on the VLANs where DAI will operate.


Part 3: Interface Trust States

DAI distinguishes between Trusted and Untrusted interface states; all interfaces are untrusted by default.

Table: DAI Interface Trust State Overview

  State      Command                     Function & Usage                                      Default DAI Action
  ---------  --------------------------  ----------------------------------------------------  --------------------------------------
  Untrusted  no ip arp inspection trust  Ports connected to end hosts (clients, servers, and   Intercepted and checked against the
                                         potentially attackers); packets are validated         DHCP snooping / ARP ACL database
  Trusted    ip arp inspection trust     Ports connected to infrastructure devices such as     Forwarded without validation
                                         DHCP servers, routers and other switches; packets
                                         bypass DAI

Part 4: Configuration Guide

Step 1: Enable DHCP Snooping

Example CLI commands to activate DHCP Snooping:

SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 10,20
SW1(config)# interface FastEthernet 0/3
SW1(config-if)# ip dhcp snooping trust

Step 2: Enable DAI and Configure Trust States

Example CLI commands for enabling DAI:

SW1(config)# ip arp inspection vlan 10,20
SW1(config)# interface GigabitEthernet1/0/24
SW1(config-if)# ip arp inspection trust

Interfaces connected to end-hosts should remain untrusted.

Step 3: Handling Static IP Hosts

For devices with static IPs, create an ARP ACL and apply it to the VLAN (leave ARP ACL configuration mode before applying the filter):

SW1(config)# arp access-list STATIC_HOSTS
SW1(config-arp-nacl)# permit ip host 192.168.10.50 mac host aaaa.bbbb.cccc
SW1(config-arp-nacl)# exit
SW1(config)# ip arp inspection filter STATIC_HOSTS vlan 10

Step 4: Optional Validation Checks

  • src-mac: Compare the source MAC address in the Ethernet header with the sender MAC address in the ARP body
  • dst-mac: Compare the destination MAC address in the Ethernet header with the target MAC address in the ARP body (ARP responses only)
  • ip: Check the ARP body for invalid or unexpected IP addresses

Step 5: Verification Commands

SW1# show ip dhcp snooping binding
SW1# show ip arp inspection vlan 10
SW1# show ip arp inspection interfaces

On Cisco Catalyst 9300 switches, these commands confirm that DAI is active on the VLAN, that the binding database is populated, and that each interface has the intended trust state.
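As an added example (not from this page or from Cisco), the following Python models the per-packet decision that Parts 2 through 4 describe: trust state first, then the optional validate checks, then the ARP ACL, then the DHCP snooping binding table. The binding table, ACL, interface names and packets are constructed sample data, and mapping the Step 4 keywords to the `ip arp inspection validate` command is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class ArpPacket:
    ingress: str      # ingress interface name
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    sender_mac: str   # ARP body sender hardware address
    sender_ip: str    # ARP body sender protocol address
    target_mac: str   # ARP body target hardware address
    target_ip: str    # ARP body target protocol address
    is_reply: bool

# Constructed tables: DHCP snooping bindings (MAC, IP, VLAN) -> port, and the Step 3 ARP ACL STATIC_HOSTS for VLAN 10
BINDINGS = {("0011.2233.4455", "192.168.10.11", 10): "Fa0/1",
            ("0011.2233.4466", "192.168.10.12", 10): "Fa0/2"}
ARP_ACL = {10: {("aaaa.bbbb.cccc", "192.168.10.50")}}
TRUSTED = {"Fa0/3", "Gi1/0/24"}   # ports configured with 'ip arp inspection trust'

def dai_inspect(pkt: ArpPacket, validate=("src-mac", "dst-mac", "ip")) -> tuple:
    """Return (permit, reason) for one ARP packet, following DAI's order of checks."""
    if pkt.ingress in TRUSTED:
        return True, "trusted port: forwarded without validation"
    if "src-mac" in validate and pkt.eth_src != pkt.sender_mac:
        return False, "src-mac: frame source MAC differs from ARP sender MAC"
    if "dst-mac" in validate and pkt.is_reply and pkt.eth_dst != pkt.target_mac:
        return False, "dst-mac: frame destination MAC differs from ARP target MAC"
    # 'ip' check: 0.0.0.0, 255.255.255.255 and multicast are invalid; target IP is checked in replies only
    invalid = lambda ip: ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast
    if "ip" in validate and (invalid(pkt.sender_ip) or (pkt.is_reply and invalid(pkt.target_ip))):
        return False, "ip: invalid sender or target IP address"
    # ARP ACL is consulted first; without the 'static' keyword a non-match falls through to the bindings
    if (pkt.sender_mac, pkt.sender_ip) in ARP_ACL.get(pkt.vlan, set()):
        return True, "ARP ACL permit"
    if (pkt.sender_mac, pkt.sender_ip, pkt.vlan) in BINDINGS:
        return True, "DHCP snooping binding match"
    return False, "no binding: dropped and logged as possible ARP spoofing"

def demo() -> list:
    # Constructed traffic: a DHCP host, the static host, and a forged reply from Fa0/2 claiming the gateway IP
    pkts = [
        ArpPacket("Fa0/1", 10, "0011.2233.4455", "ffff.ffff.ffff", "0011.2233.4455",
                  "192.168.10.11", "0000.0000.0000", "192.168.10.1", False),
        ArpPacket("Fa0/5", 10, "aaaa.bbbb.cccc", "ffff.ffff.ffff", "aaaa.bbbb.cccc",
                  "192.168.10.50", "0000.0000.0000", "192.168.10.1", False),
        ArpPacket("Fa0/2", 10, "0011.2233.4466", "0011.2233.4455", "0011.2233.4466",
                  "192.168.10.1", "0011.2233.4455", "192.168.10.11", True)]
    return [dai_inspect(p) for p in pkts]
```

Calling `dai_inspect` with `validate=()` shows why the src-mac check matters: a frame whose Ethernet source differs from the ARP sender MAC is then judged on the ARP body alone and passes if that body matches a binding.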


Part 5: Troubleshooting and Best Practices

  • Check for denied ARP packets and their cause:
    show ip arp inspection statistics
  • Verify that the DHCP Snooping binding database is populated; an empty database means every ARP packet on untrusted ports is dropped.
  • Adjust the per-interface rate limit (default 15 packets per second on untrusted ports) if ports enter the error-disabled state:
    ip arp inspection limit rate 50
  • Integrate IP Source Guard (IPSG) on untrusted ports so that IP traffic, not only ARP, is checked against the binding database:
    ip verify source

Part 6: Frequently Asked Questions (FAQ)

What is a dynamic ARP inspection?

Dynamic ARP Inspection (DAI) is a security feature on a switch that validates ARP packets by comparing the IP-to-MAC address information against a trusted database, typically the DHCP snooping binding database or user-configured ARP ACLs. It helps mitigate man-in-the-middle attacks from ARP poisoning.

What is the difference between DHCP snooping and dynamic ARP inspection?

DHCP snooping inspects DHCP traffic to build the trusted database of valid IP-to-MAC bindings. DAI uses this database to inspect ARP packets and drops invalid ones. DAI depends on DHCP snooping to function properly.

What is dynamic in ARP?

"Dynamic" refers to ARP's ability to automatically resolve IP addresses to MAC addresses. In DAI, it emphasizes validation based on dynamically created IP-to-MAC bindings stored in the DHCP snooping database.

What is Cisco ARP inspection?

Cisco ARP inspection is the implementation of DAI on Cisco devices such as Catalyst 9300 switches. It secures Layer 2 networks by validating ARP traffic and preventing ARP poisoning attacks.
