What Does Dynamic ARP Inspection Mean in 200-301?
Also known as: DAI, ARP inspection
Quick Definition
A switch security feature that validates ARP packets using the DHCP Snooping binding table to prevent ARP spoofing.
Full Definition
DAI intercepts ARP requests and replies on untrusted ports and validates them against the DHCP Snooping binding table. If an ARP message contains a MAC-to-IP mapping not in the binding table, DAI drops the frame. This prevents ARP spoofing attacks where a malicious host sends fake ARP replies to redirect traffic through itself (man-in-the-middle). DAI depends on DHCP Snooping being enabled first to build the binding table.
CLI Command
ip arp inspection vlan 10 interface GigabitEthernet0/1 ip arp inspection trust ! uplink — trusted
Exam Trap — Don't Get Fooled
DAI requires DHCP Snooping to be configured first. For hosts with static IP addresses (no DHCP), you must add manual ARP access-list entries, otherwise DAI drops all their ARP messages.
Related 200-301 Terms
Frequently Asked Questions
What does Dynamic ARP Inspection mean on the 200-301 exam?
DAI intercepts ARP requests and replies on untrusted ports and validates them against the DHCP Snooping binding table. If an ARP message contains a MAC-to-IP mapping not in the binding table, DAI drops the frame. This prevents ARP spoofing attacks where a malicious host sends fake ARP replies to redirect traffic through itself (man-in-the-middle). DAI depends on DHCP Snooping being enabled first to build the binding table.
How does Dynamic ARP Inspection appear as a trap on the 200-301?
DAI requires DHCP Snooping to be configured first. For hosts with static IP addresses (no DHCP), you must add manual ARP access-list entries, otherwise DAI drops all their ARP messages.
How important is Dynamic ARP Inspection on the 200-301 exam?
Dynamic ARP Inspection falls under the Security domain of the 200-301 exam. Understanding it in context with related terms like dhcp-snooping and arp is essential for answering scenario-based questions correctly.