Dynamic ARP Inspection (DAI)
The Layer-2 security feature that kills ARP spoofing dead. Validates every ARP packet against the DHCP Snooping binding table — bogus replies get dropped, trust your gateway again.
- DAI inspects every ARP packet on a VLAN and drops any that don't match a legit DHCP Snooping binding.
- Defends against ARP spoofing / poisoning — the classic 'I am your gateway' MITM attack.
- Depends on DHCP Snooping. Static IPs need ARP ACLs to be permitted manually.
Mental model
ARP is hilariously trusting. Any host on the LAN can broadcast “I am 10.0.0.1, my MAC is X” and every other host updates its ARP cache. An attacker uses this to MITM the gateway:
- Attacker broadcasts a forged ARP: “I am 10.0.0.1 (the gateway), my MAC is bb:bb:bb:bb (the attacker’s MAC).”
- Every victim’s ARP table updates.
- Victims now send their outbound traffic to the attacker’s MAC.
- Attacker reads / modifies / forwards the traffic to the real gateway. Profit.
DAI fixes this by giving the switch a way to know which IP-to-MAC bindings are legitimate, and dropping ARPs that don’t match. The source of truth: the DHCP Snooping binding table.
How it depends on DHCP Snooping
DAI doesn’t have its own database. It uses DHCP Snooping’s binding table, which was already populated by observing DHCP exchanges:
| Client MAC | IP | Port | VLAN |
|---|---|---|---|
| aa:aa:aa:aa | 10.0.0.5 | Gi0/1 | 10 |
| bb:bb:bb:bb | 10.0.0.7 | Gi0/3 | 10 |
When an ARP packet arrives on a port:
- DAI extracts the sender IP and sender MAC from the ARP packet.
- Looks up the (IP, MAC, port) triple in the binding table.
- Match → forward normally. Mismatch → drop + log + (optional) shut the port.
This means an attacker on port Gi0/3 can claim their own IP (10.0.0.7), but can’t claim the gateway’s IP (10.0.0.1) because 10.0.0.1 isn’t in the binding table on Gi0/3.
Trusted vs untrusted ports
Like DHCP Snooping, DAI has the concept of trusted ports — typically uplinks where you can’t verify bindings:
- Trusted port — ARPs pass without checking. Use only for uplinks to other trusted switches.
- Untrusted port (default) — ARPs validated against the binding table.
Commands
! Step 1 — DHCP Snooping must be enabled first
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 10,20
SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# ip dhcp snooping trust ! uplink
! Step 2 — Enable DAI on the same VLAN(s)
SW1(config)# ip arp inspection vlan 10,20
! Step 3 — Mark uplinks as DAI-trusted
SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# ip arp inspection trust
! Step 4 (optional) — Rate-limit ARP on access ports
SW1(config)# interface range GigabitEthernet0/1 - 23
SW1(config-if-range)# ip arp inspection limit rate 15 ! 15 packets/sec
Static hosts (no DHCP)? Use ARP ACLs
DAI fails closed by default for hosts that didn’t use DHCP (servers, printers with static IPs). To explicitly whitelist them:
SW1(config)# arp access-list STATIC-HOSTS
SW1(config-arp-nacl)# permit ip host 10.0.0.50 mac host 0050.5600.aabb
SW1(config-arp-nacl)# permit ip host 10.0.0.51 mac host 0050.5600.aacc
SW1(config)# ip arp inspection filter STATIC-HOSTS vlan 10
Verification
SW1# show ip arp inspection
SW1# show ip arp inspection vlan 10
SW1# show ip arp inspection statistics
SW1# show ip arp inspection interfaces
show ip arp inspection statistics shows ARP packets forwarded, dropped, and the reason for drops — invaluable for confirming DAI is doing real work.
Layer-2 security stack — DAI is one piece
DAI is one of three Layer-2 defenses that work together:
| Feature | Defends against |
|---|---|
| Port Security | MAC flooding, unauthorized devices on a port |
| DHCP Snooping | Rogue DHCP servers handing out malicious gateways |
| DAI | ARP spoofing / poisoning attacks |
| IP Source Guard (IPSG) | IP spoofing — only allow traffic from legit (IP, MAC, port) bindings |
Deploy together for proper defense in depth. Skipping any one leaves a hole the others can’t cover.
Common mistakes
-
Enabling DAI without DHCP Snooping. DAI has no binding table → drops everything. Always configure DHCP Snooping first, validate it works, then add DAI.
-
Forgetting to trust uplinks. Without
ip arp inspection truston the uplink, ARPs from other trusted switches get inspected — which they shouldn’t be — and many get dropped. Always trust uplinks. -
Rate limit too aggressive. Default is 15 pps on access ports — plenty for normal use. If you set 2 pps, a normal client doing initial ARP discovery for printers, DNS, gateway, etc. gets err-disabled.
-
Static-IP hosts forgotten. A server with a static IP didn’t go through DHCP → no binding → DAI drops its ARPs → server unreachable. Use ARP ACLs to whitelist.
-
Trusting an access port. If you accidentally
ip arp inspection truston a user-facing port, that user can ARP-spoof anything. Trust only uplinks. -
Ignoring the err-disable risk. By default, exceeding the rate limit err-disables the port. In tight environments, this can be triggered by a misbehaving client. Pair with
errdisable recovery cause arp-inspection.
Lab to try tonight
- Set up one switch, two PCs in the same VLAN, with DHCP Snooping already working.
- Enable DAI:
ip arp inspection vlan <N>+ trust the uplink. - From PC-A, run any ARP-spoofing tool (e.g.
arpspooffrom dsniff suite) claiming to be the gateway. - From PC-B, run
arp -a(Windows) orip neigh(Linux). Without DAI, you’d see the attacker’s MAC for the gateway. With DAI, you don’t — the spoofed ARPs were dropped at the switch. - Check
show ip arp inspection statistics— DAI’s “drop” counter shows the blocked packets. - Bonus: capture on the inter-switch trunk with Wireshark. Confirm the spoofed ARPs never crossed.
Cheat strip
| Concept | Plain English |
|---|---|
| DAI | Inspects ARP packets, drops fakes |
| Binding table | Source of truth — comes from DHCP Snooping |
| Trusted port | ARPs pass without check — uplinks only |
| Untrusted port | Default — ARPs validated |
| Rate limit | Cap ARPs per second per port (default 15) |
| ARP ACL | Whitelist static-IP hosts manually |
| Layer-2 trio | Port Security + DHCP Snooping + DAI |
| Static hosts | Need ARP ACL or DAI will block their ARPs |
VPN Basics — IPsec & SSL
How two separated networks (or one user and a network) can talk privately over the public internet. Covers site-to-site IPsec, remote-access SSL/TLS VPNs, IKE phases, and what 'tunnel' actually means.
IP Source Guard (IPSG)
The fourth Layer-2 security feature. Validates the source IP of every IP packet against the DHCP Snooping binding table — blocking IP spoofing attacks at the access port.
Want this drilled into reflex?
1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNA® exam blueprint. Free first session. No card on file until you decide.
Related topics
ARP — Address Resolution Protocol
How a host turns an IP address into the MAC address it needs to actually deliver a frame. Broadcast question, unicast answer, cached for hours. Also covers Gratuitous ARP, Proxy ARP, and the ARP spoofing attack.
Security FundamentalsDHCP Snooping
Switch security feature that blocks rogue DHCP servers. Trusts one port (where the real server lives) and drops DHCP server messages from any other port. Foundation for Dynamic ARP Inspection too.
Security FundamentalsPort Security
Lock a switch port to a specific MAC address (or addresses). Covers static, dynamic, and sticky learning, violation modes (protect / restrict / shutdown), and the err-disable recovery dance.
One topic per email, every fortnight
VLANs, OSPF, ACLs, subnetting, automation — written like this. Unsubscribe in one click.
We respect your inbox. One email per week, max. Unsubscribe any time.