ip arp inspection vlan [id]
Enables Dynamic ARP Inspection (DAI) on specified VLANs to validate ARP packets and prevent ARP spoofing attacks.
When to Use This Command
- Securing a network with multiple VLANs against man-in-the-middle attacks by validating ARP packets.
- Enforcing IP-to-MAC address bindings in a DHCP environment to prevent unauthorized devices from intercepting traffic.
- Protecting a guest VLAN from ARP spoofing where untrusted devices may attempt to impersonate the default gateway.
- Satisfying security baselines or audit requirements that call for Layer 2 anti-spoofing controls (DHCP snooping, DAI, IP Source Guard) in switched networks.
Command Examples
Enable DAI on VLAN 10
ip arp inspection vlan 10
No output is generated on success. Use 'show ip arp inspection vlan 10' to verify.
Enable DAI on multiple VLANs
ip arp inspection vlan 10,20,30
Enables DAI on VLANs 10, 20, and 30. The VLAN list accepts commas and ranges (for example 10-12,20). Verify with 'show ip arp inspection'.
Understanding the Output
The 'ip arp inspection vlan' command itself produces no output. To verify DAI status, use 'show ip arp inspection vlan [id]'. The output first lists the optional validation checks (Source Mac Validation, Destination Mac Validation, IP Address Validation, each Enabled or Disabled), then a per-VLAN table. Key fields: 'Vlan' – VLAN number; 'Configuration' – configured state (Enabled/Disabled); 'Operation' – running state, which should read Active (Inactive normally means the VLAN does not exist or is shut down on this switch); 'ACL Match' – the ARP ACL applied to the VLAN, if any; 'Static ACL' – whether that ACL was applied with the 'static' keyword, so DAI does not fall back to the DHCP snooping bindings. A second table shows the logging settings per VLAN ('ACL Logging', 'DHCP Logging', 'Probe Logging'). A healthy network shows Enabled and Active for every configured VLAN. Because DAI checks ARP packets against the DHCP snooping binding table, also confirm that the expected hosts appear in 'show ip dhcp snooping binding'. Watch the 'Dropped', 'DHCP Drops' and 'ACL Drops' counters in 'show ip arp inspection statistics': rising drop counts indicate either an ARP spoofing attempt or a misconfiguration, most often an untrusted uplink or a statically addressed host that has no binding and no ARP ACL entry.
CCNA Exam Tips
CCNA exam tip: DAI validates ARP packets against the DHCP snooping binding table, so DHCP snooping must be enabled globally and on the VLAN for DHCP clients to pass inspection; hosts without a DHCP binding must be covered by an ARP ACL or their ARP traffic is dropped.
CCNA exam tip: DAI can be configured with ARP ACLs to permit static IP-to-MAC bindings; know the 'arp access-list' and 'ip arp inspection filter' commands.
CCNA exam tip: DAI compares the sender MAC and sender IP in the ARP body against the binding (MAC, IP, VLAN, and interface); 'ip arp inspection validate' adds optional checks of the Ethernet source and destination MACs and of the IP addresses. Invalid packets are dropped and logged.
CCNA exam tip: all interfaces are untrusted by default, so DAI inspects ARP on every port in an enabled VLAN; trunk links to other switches must be marked trusted with 'ip arp inspection trust' so inter-switch ARP is forwarded without inspection.
Common Mistakes
Mistake 1: Enabling DAI without DHCP snooping bindings or an ARP ACL – with nothing to match against, DAI drops the ARP traffic of hosts on untrusted ports, so the symptom is an outage for legitimate clients rather than undetected spoofing.
Mistake 2: Forgetting to configure trusted ports – all ports are untrusted by default; trunk ports to other switches must be trusted with 'ip arp inspection trust' (and 'ip dhcp snooping trust') to avoid dropping legitimate ARP and DHCP traffic.
Mistake 3: Ignoring the rate limit – untrusted ports default to 15 ARP packets per second, and a port that exceeds its limit is err-disabled, which looks like a random link failure. Tune the limit with 'ip arp inspection limit rate' where needed and enable 'errdisable recovery cause arp-inspection' so a burst (or an ARP storm) does not take a port down permanently.
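The following is an added example (not part of the original page) that puts the Command Examples, the ARP ACL tip, and the three Common Mistakes together into one working IOS configuration. The interface names, the VLAN numbers, the static host 10.10.10.50 / 0011.2233.4455 and the ACL name STATIC-HOSTS are assumed values.

```cisco
! Added example configuration; interfaces, VLANs, the host
! 10.10.10.50 / 0011.2233.4455 and the ACL name STATIC-HOSTS are assumed.
!
! 1. DHCP snooping builds the IP-to-MAC binding table that DAI consults.
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
!
! 2. Enable DAI on the same VLANs.
ip arp inspection vlan 10,20,30
!
! 3. Optional extra checks on the ARP packet itself (Ethernet source and
!    destination MAC, and sanity of the IP addresses in the ARP body).
ip arp inspection validate src-mac dst-mac ip
!
! 4. Uplink to another switch: trusted for both DHCP snooping and DAI.
!    Without this, ARP and DHCP traffic arriving from the rest of the
!    network is inspected (and dropped) as if it came from an untrusted host.
interface GigabitEthernet1/0/24
 description uplink-to-core
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! 5. Access port: untrusted (the default). The default limit is 15 pps
!    with a 1 s burst interval; here it is set explicitly and slightly
!    relaxed to tolerate short bursts from a chatty client.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 20 burst interval 2
!
! 6. Statically addressed host: it never gets a DHCP lease, so it has no
!    binding. Permit it with an ARP ACL and apply the ACL to its VLAN.
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0011.2233.4455
!
ip arp inspection filter STATIC-HOSTS vlan 10
!
! 7. Bring ports back automatically after an ARP rate-limit violation
!    instead of leaving them err-disabled until someone intervenes.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

After applying this, 'show ip arp inspection vlan 10' should list VLAN 10 as Enabled and Active with STATIC-HOSTS under ACL Match, 'show ip arp inspection interfaces' should show GigabitEthernet1/0/24 as Trusted, and 'show ip dhcp snooping binding' should contain an entry for each DHCP client. Because the filter is applied without the 'static' keyword, ARP packets that match no ACL entry still fall through to the DHCP snooping bindings; add 'static' only when the ACL alone should decide.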