show ip arp inspection
Displays the Dynamic ARP Inspection (DAI) statistics and configuration status on a switch, used to verify DAI operation and troubleshoot ARP spoofing attacks.
When to Use This Command
- Verify that DAI is enabled on specific VLANs after configuration.
- Check the number of ARP packets dropped due to invalid IP-to-MAC bindings.
- Monitor DAI statistics to detect potential ARP spoofing attacks in the network.
- Troubleshoot connectivity issues caused by DAI blocking legitimate ARP traffic.
Command Examples
Basic DAI status and statistics
show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active      arp-acl-1          arp-acl-1
   10     Disabled         Inactive

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    1     Deny             Deny
   10     Deny             Deny

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    1           1500             23             20              3
   10              0              0              0              0

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    1           1480             20                     2
   10              0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol
 ----   -----------------   ----------------------   ----------------
    1                   0                        1                  0
   10                   0                        0                  0
The output shows DAI configuration and statistics per VLAN. 'Source Mac Validation', 'Destination Mac Validation', and 'IP Address Validation' indicate whether these checks are enabled globally. The 'Vlan' table shows per-VLAN configuration and operation status. 'ACL Match' and 'Static ACL' show the ACLs applied. 'Forwarded' and 'Dropped' columns show packet counts. 'DHCP Drops' and 'ACL Drops' break down drop reasons. 'Source MAC Failures', 'Dest MAC Failures', 'IP Validation Failures', and 'Invalid Protocol' show specific validation failures.
Detailed DAI statistics with interface breakdown
show ip arp inspection interfaces

 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi1/0/1          Trusted                 15                 1
 Gi1/0/2          Untrusted                5                 1
 Gi1/0/3          Untrusted               10                 1

 Interface        DHCP Drops    ACL Drops    Source MAC Failures
 ---------------  ----------    ---------    -------------------
 Gi1/0/1                   0            0                      0
 Gi1/0/2                  20            3                      2
 Gi1/0/3                   0            0                      0

 Interface        Dest MAC Failures   IP Validation Failures   Invalid Protocol
 ---------------  -----------------   ----------------------   ----------------
 Gi1/0/1                          0                        0                  0
 Gi1/0/2                          0                        1                  0
 Gi1/0/3                          0                        0                  0
This output shows per-interface DAI statistics. 'Trust State' indicates whether the interface is trusted (DAI bypassed) or untrusted (DAI enforced). 'Rate' and 'Burst Interval' show the ARP rate limiting parameters. The subsequent tables show drop counts per interface for various validation failures. High drop counts on an untrusted interface may indicate an ARP spoofing attack or misconfiguration.
Understanding the Output
The 'show ip arp inspection' command output is divided into sections. The first section shows the global validation settings (Source MAC, Destination MAC, IP Address Validation), which are disabled unless explicitly configured. The second section lists VLANs with their DAI configuration status ('Enabled' or 'Disabled') and operation status ('Active' or 'Inactive'); the 'ACL Match' and 'Static ACL' columns show the ACLs applied for ARP packet filtering. The third section shows the ACL and DHCP logging settings per VLAN.

The fourth section provides packet counters: 'Forwarded' (legitimate ARP packets), 'Dropped' (total drops), 'DHCP Drops' (dropped because of a DHCP snooping binding mismatch), and 'ACL Drops' (dropped by the ACL). The fifth section shows 'DHCP Permits' and 'ACL Permits' (packets allowed by each mechanism). The final sections break down validation failures: 'Source MAC Failures' (source MAC mismatch), 'Dest MAC Failures' (destination MAC mismatch), 'IP Validation Failures' (IP address mismatch), and 'Invalid Protocol' (non-ARP packets).

In a healthy network, drop counts should be low or zero; a sudden spike in drops on untrusted interfaces may indicate an ARP spoofing attack. Trusted interfaces (e.g., uplinks to routers) should show zero drops because DAI is bypassed on them.
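The health check described above, as an added example that is not part of the original page: a small Python parser that reads the two outputs shown earlier, extracts the per-VLAN counters and the per-interface trust state and drops, and flags untrusted ports whose drops reach a threshold (possible spoofing) as well as trusted ports showing any drops (a trust misconfiguration worth checking). The sample text is constructed from the tables on this page, and the threshold of 10 drops is an arbitrary assumption.

```python
import re
# Constructed sample, copied from the tables shown above (not captured from a live switch).
VLAN_OUTPUT = """\
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    1           1500             23             20              3
   10              0              0              0              0
"""
IFACE_OUTPUT = """\
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Gi1/0/1          Trusted                 15                 1
 Gi1/0/2          Untrusted                5                 1
 Interface        DHCP Drops    ACL Drops    Source MAC Failures
 ---------------  ----------    ---------    -------------------
 Gi1/0/1                   0            0                      0
 Gi1/0/2                  20            3                      2
"""
# Row shape selects the table: 5 integers = per-VLAN counters, Trusted/Untrusted = trust table, name + 3 integers = drops.
VLAN_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
TRUST_ROW = re.compile(r"^\s*(\S+)\s+(Trusted|Untrusted)\s+(\d+)\s+(\d+)\s*$")
DROP_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_vlan_counters(text):
    """Map VLAN id -> Forwarded/Dropped/DHCP Drops/ACL Drops counters (5-integer rows only)."""
    rows = (map(int, m.groups()) for m in map(VLAN_ROW.match, text.splitlines()) if m)
    return {v: dict(zip(("forwarded", "dropped", "dhcp_drops", "acl_drops"), rest)) for v, *rest in rows}

def parse_interfaces(text):
    """Merge the trust-state table and the per-interface drop table, keyed by interface name."""
    ifaces = {}
    for line in text.splitlines():
        if m := TRUST_ROW.match(line):
            name, trust, rate, burst = m.groups()
            ifaces.setdefault(name, {}).update(trusted=(trust == "Trusted"), rate=int(rate), burst=int(burst))
        elif m := DROP_ROW.match(line):
            name, dhcp, acl, src = m.groups()
            ifaces.setdefault(name, {}).update(dhcp_drops=int(dhcp), acl_drops=int(acl), src_mac_failures=int(src))
    return ifaces

def find_suspects(ifaces, threshold=10):
    """Untrusted ports at/over the drop threshold (possible spoofing); trusted ports with any drops (check trust config)."""
    suspects = []
    for name, d in sorted(ifaces.items()):
        drops = d.get("dhcp_drops", 0) + d.get("acl_drops", 0)
        if not d.get("trusted") and drops >= threshold:
            suspects.append((name, "possible ARP spoofing", drops))
        elif d.get("trusted") and drops > 0:
            suspects.append((name, "drops on trusted port", drops))
    return suspects
```

Feed it the full text of both commands (for example, collected over SSH on a schedule) and alert on a non-empty result; the regexes pick the right tables by row shape, so the other sections of the output are ignored.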
CCNA Exam Tips
- Remember that DAI relies on DHCP snooping bindings; if DHCP snooping is not enabled, DAI will drop all ARP packets on untrusted ports unless an ACL is configured.
- DAI validates ARP packets based on MAC address and IP address bindings; the exam may test which validation checks are enabled by default (none).
- Trusted ports bypass DAI; typically configure ports connecting to routers or other switches as trusted.
- The 'show ip arp inspection interfaces' command is useful for identifying which interface is dropping ARP packets.
Common Mistakes
- Forgetting to enable DHCP snooping before DAI, causing all ARP packets to be dropped on untrusted ports.
- Configuring DAI on a VLAN but not applying an ACL, resulting in all ARP packets being dropped if DHCP snooping is not available.
- Setting all ports as trusted, which defeats the purpose of DAI and leaves the network vulnerable to ARP spoofing.