ip arp inspection trust
Configures a switch interface as a trusted port for Dynamic ARP Inspection (DAI), allowing all ARP packets to bypass validation.
When to Use This Command
- Enable on uplink ports connecting to trusted routers or switches to avoid dropping legitimate ARP traffic.
- Configure on ports connecting to DHCP servers to ensure ARP responses from the server are not inspected.
- Use on ports where IP phones or other devices are known to send valid ARP packets that might otherwise be flagged as invalid.
- Apply to trunk ports carrying multiple VLANs to prevent DAI from inspecting inter-VLAN ARP traffic.
Command Examples
Enable ARP inspection trust on an access port

interface GigabitEthernet0/1
ip arp inspection trust

Switch(config-if)#ip arp inspection trust
Switch(config-if)#
The command is entered without any output confirmation. The interface is now trusted, meaning all ARP packets received on this port will bypass DAI validation.
Verify trusted port status

Switch#show ip arp inspection interfaces GigabitEthernet0/1

 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi0/1            Trusted         15            1
The Trust State column shows 'Trusted' for this interface. Rate and Burst Interval are default values for rate limiting, which still apply even on trusted ports.
Understanding the Output
The 'show ip arp inspection interfaces' command displays the trust state for each interface. The 'Trust State' column indicates whether the port is 'Trusted' or 'Untrusted'. Trusted ports bypass ARP packet validation, while untrusted ports are subject to DAI checks. The 'Rate (pps)' and 'Burst Interval' columns show the rate limiting configuration, which applies to both trusted and untrusted ports. A trusted port should have a rate limit set appropriately to prevent DoS attacks, even though validation is skipped.
CCNA Exam Tips
- Remember that DAI is only effective on untrusted ports; trusted ports bypass validation, so only configure trust on ports that are absolutely reliable.
- The 'ip arp inspection trust' command is configured per interface and is disabled by default (all ports are untrusted).
- In the CCNA exam, you may be asked to identify which ports should be trusted: typically uplinks to other switches or routers, and ports connecting to DHCP servers.
- Trust state does not affect rate limiting; rate limiting is applied regardless of trust state.
Common Mistakes
- Configuring trust on all ports, which defeats the purpose of DAI and leaves the network vulnerable to ARP spoofing.
- Forgetting to configure trust on uplink ports, causing legitimate ARP traffic from upstream devices to be dropped.
- Assuming that trusted ports do not need rate limiting; rate limiting should still be configured to prevent ARP storms.
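An added audit script (example code, not from this page or from Cisco) that parses the 'show ip arp inspection interfaces' output described under Understanding the Output and flags the two mistakes listed above: ports that are trusted but are not known uplinks, and trusted ports with no ARP rate limit. The sample output, interface names and the expected-uplink list are constructed assumptions.

```python
import re

# Constructed sample output of 'show ip arp inspection interfaces';
# not captured from a real device.
SAMPLE_OUTPUT = """\
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi0/1            Trusted         15            1
 Gi0/2            Untrusted       15            1
 Gi0/3            Trusted         None          N/A
 Gi0/24           Trusted         15            1
"""

# One data row: interface, trust state, rate (number or 'None'), burst (number or 'N/A').
ROW = re.compile(r"^\s*(\S+)\s+(Trusted|Untrusted)\s+(\S+)\s+(\S+)\s*$")


def parse_dai_interfaces(output):
    """Return {interface: (is_trusted, rate_pps or None, burst_seconds or None)}."""
    ports = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        name, state, rate, burst = m.groups()
        rate_pps = None if rate == "None" else int(rate)
        burst_s = None if burst == "N/A" else int(burst)
        ports[name] = (state == "Trusted", rate_pps, burst_s)
    return ports


def audit_trusted_ports(ports, expected_trusted):
    """Compare parsed trust state with the set of uplinks that should be trusted."""
    findings = []
    for name, (trusted, rate_pps, _burst) in sorted(ports.items()):
        if trusted and name not in expected_trusted:
            findings.append(f"{name}: trusted but not a known uplink; ARP validation is bypassed here")
        if not trusted and name in expected_trusted:
            findings.append(f"{name}: uplink is untrusted; legitimate upstream ARP may be dropped")
        if trusted and rate_pps is None:
            findings.append(f"{name}: trusted port has no ARP rate limit; set 'ip arp inspection limit rate'")
    return findings


if __name__ == "__main__":
    # Assumed topology: only Gi0/1 is the uplink that should be trusted.
    for finding in audit_trusted_ports(parse_dai_interfaces(SAMPLE_OUTPUT), {"Gi0/1"}):
        print(finding)
```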