Dynamic ARP Inspection (DAI) is a critical security feature that prevents ARP spoofing and man-in-the-middle attacks in your network. For the CCNA 200-301 exam (Objective 4.3: IP Services), understanding DAI is essential because it's a common Layer 2 security mechanism that appears in both written and lab scenarios. In real-world engineering, DAI protects the integrity of ARP messages, ensuring that a host's IP-to-MAC mapping is legitimate before it can poison other devices' ARP caches.
Imagine a large university campus with a central mailroom. Every student has a mailbox, and mail is delivered based on a directory that maps student names to mailbox numbers. Now, a malicious student, Mallory, wants to intercept Alice's mail. She walks up to the mailroom and tells the clerk, 'I'm Alice, and my mailbox number is 42' (which is actually Bob's mailbox). The clerk, if trusting, updates the directory so that 'Alice' now points to mailbox 42. Now all mail for Alice goes to Bob's box, and Mallory can later retrieve it. This is an ARP spoofing attack: Mallory sends a fake ARP reply claiming that Alice's IP address maps to her own MAC address. Dynamic ARP Inspection acts like a security guard at the mailroom entrance. Before any directory change is made, the guard checks the student's ID card against a master list of authorized residents. If Mallory claims to be Alice but her ID shows she's Mallory, the guard rejects the update. In networking terms, DAI intercepts all ARP packets on a VLAN and validates them against a trusted database called the DHCP snooping binding table. If the IP-MAC binding in the ARP packet doesn't match an entry in that table, the packet is dropped. The guard also ensures that only authorized mailroom employees—trusted ports—can make directory changes directly; all other requests must be verified. This prevents Mallory from poisoning the directory and redirecting mail.
What is Dynamic ARP Inspection?
Dynamic ARP Inspection (DAI) is a Cisco Catalyst switch security feature that validates ARP packets in a VLAN. It intercepts all ARP requests and replies on untrusted ports and verifies that each packet has a valid IP-to-MAC address binding before forwarding the packet. DAI is part of the broader Layer 2 security toolkit, which also includes DHCP snooping and IP Source Guard. DAI is configured per VLAN and relies on the DHCP snooping binding database as its source of truth.
Why ARP Spoofing is Dangerous
ARP (Address Resolution Protocol) has no built-in security. Any host can send an unsolicited ARP reply (gratuitous ARP) claiming any IP-MAC mapping. An attacker can send a forged ARP reply associating the victim's IP address with the attacker's MAC address. This poisons the ARP caches of other hosts, allowing the attacker to intercept traffic (man-in-the-middle) or cause a denial of service. DAI prevents this by ensuring that only ARP packets with valid bindings are accepted.
How DAI Works
DAI operates at the switch level. When an ARP packet arrives on an untrusted port, the switch performs these checks:
IP-to-MAC Binding Check: The switch extracts the sender IP and sender MAC from the ARP payload. It then looks up the sender IP in the DHCP snooping binding table. If a matching entry exists, it compares the sender MAC in the ARP to the MAC address in the binding table. If both match, the packet is forwarded. If not, the packet is dropped and an error message is logged.
Additional Validation (Optional): DAI can also validate the source MAC address in the Ethernet frame against the sender MAC in the ARP, and the target IP address for ARP replies. These are configured with the ip arp inspection validate command.
DAI Trust States and Port Roles
DAI uses the concept of trusted and untrusted ports:
Trusted Ports: Typically ports connected to switches, routers, or DHCP servers. ARP packets on trusted ports are not validated. This reduces overhead on infrastructure links.
Untrusted Ports: Ports connected to end hosts (PCs, printers, etc.). All ARP packets on these ports are subject to validation.
By default, all ports are untrusted. You must explicitly configure trusted ports using the ip arp inspection trust interface command.
DHCP Snooping Binding Table
DAI relies on the DHCP snooping binding table. DHCP snooping must be enabled globally and per VLAN for DAI to function. The binding table contains entries with:
VLAN ID
MAC address
IP address (leased from DHCP)
Lease time
Interface (port)
When a host receives an IP address via DHCP, the switch (with DHCP snooping enabled) records this binding. DAI uses this table to validate ARP packets. If a host uses a static IP address, no binding is ever learned for it, so DAI cannot validate its ARP packets unless you either add a static DHCP snooping binding or permit the IP-MAC pair in an ARP ACL applied with the ip arp inspection filter command.
Rate Limiting and Burst Interval
DAI includes rate limiting to prevent DoS attacks. The default rate limit for untrusted ports is 15 packets per second (pps). If the rate exceeds this limit, the port is err-disabled. You can adjust the rate with the ip arp inspection limit interface command. To recover from err-disable, you can use errdisable recovery cause arp-inspection or manually shut/no shut the interface.
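The checks described above (binding lookup, the optional validate options, the trusted-port bypass and the per-port rate limit over a burst interval) as an added Python model; this is illustration code written for this page, not code from the page or from Cisco IOS, and the binding table, port names and addresses are constructed.

```python
from collections import defaultdict, namedtuple

# Constructed DHCP snooping binding table: (vlan, ip) -> (mac, port)
BINDINGS = {
    (10, "10.1.10.5"): ("aa:aa:aa:aa:aa:05", "Gi0/3"),
    (10, "10.1.10.6"): ("aa:aa:aa:aa:aa:06", "Gi0/4"),
}
TRUSTED = {"Gi0/1", "Gi0/2"}  # DHCP server port and uplink, as in the page's config
RATE_LIMIT, BURST_INTERVAL = 15, 1  # IOS defaults for untrusted ports: 15 pps over 1 s

# Ethernet header addresses (eth_*) and ARP payload fields (sender_*, target_*); op is "request"/"reply"
ArpPacket = namedtuple("ArpPacket", "port vlan eth_src eth_dst op "
                                    "sender_mac sender_ip target_mac target_ip")

def _invalid_ip(ip):
    """0.0.0.0, limited broadcast and multicast never belong in a legitimate ARP body."""
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239

def inspect(pkt, validate=()):
    """Return 'forward' or 'drop: <reason>'; validate mirrors 'ip arp inspection validate'."""
    if pkt.port in TRUSTED:
        return "forward"  # trusted ports bypass inspection entirely
    if "src-mac" in validate and pkt.eth_src != pkt.sender_mac:
        return "drop: src-mac mismatch"
    if "dst-mac" in validate and pkt.op == "reply" and pkt.eth_dst != pkt.target_mac:
        return "drop: dst-mac mismatch"
    if "ip" in validate and (_invalid_ip(pkt.sender_ip)
                             or (pkt.op == "reply" and _invalid_ip(pkt.target_ip))):
        return "drop: invalid ip"
    entry = BINDINGS.get((pkt.vlan, pkt.sender_ip))  # core check: sender IP/MAC vs binding
    if entry is None or entry[0] != pkt.sender_mac:
        return "drop: no matching DHCP snooping binding"
    return "forward"

class PortRateLimiter:
    """Counts ARP packets per burst window on untrusted ports; err-disables a port on excess."""
    def __init__(self, rate=RATE_LIMIT, burst=BURST_INTERVAL):
        self.rate, self.burst = rate, burst
        self.counts = defaultdict(int)
        self.errdisabled = set()

    def accept(self, port, now):
        if port in TRUSTED:
            return True  # no rate limit on trusted ports (shown as N/A)
        if port in self.errdisabled:
            return False  # stays down until shut/no shut or errdisable recovery
        window = (port, int(now // self.burst))
        self.counts[window] += 1
        if self.counts[window] > self.rate * self.burst:
            self.errdisabled.add(port)
            return False
        return True
```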
DAI Configuration Steps
To configure DAI:
Enable DHCP snooping globally and on the VLANs where DAI will be used.
Configure trusted ports for uplinks and DHCP server ports.
Enable DAI on the VLANs.
(Optional) Configure additional validation checks.
(Optional) Adjust rate limits.
Example configuration:
! Enable DHCP snooping globally
ip dhcp snooping
! Enable DHCP snooping on VLAN 10
ip dhcp snooping vlan 10
! DHCP server port: trusted for DHCP snooping and for DAI, so the server's
! DHCP offers and ARP replies (its IP is static, so it has no binding) are not dropped
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
 exit
! Uplink to other switches: trusted for both features as well
interface GigabitEthernet0/2
 ip dhcp snooping trust
 ip arp inspection trust
 exit
! Enable DAI on VLAN 10
ip arp inspection vlan 10
! Optional: validate source MAC and destination MAC
ip arp inspection validate src-mac dst-mac
! Optional: set rate limit on an untrusted access port
interface GigabitEthernet0/3
 ip arp inspection limit rate 20
 exit
Verification Commands
Use the following commands to verify DAI operation:
show ip arp inspection interfaces
show ip arp inspection vlan 10
show ip dhcp snooping binding
show ip arp inspection statistics vlan 10
Example output for show ip arp inspection interfaces:
Interface        Trust State     Rate (pps)    Burst Interval
---------        -----------     ----------    --------------
Gi0/1            Trusted                N/A               N/A
Gi0/2            Trusted                N/A               N/A
Gi0/3            Untrusted               15                 1
Example output for show ip arp inspection vlan 10:
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active
 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
   10     Deny             Deny
Interaction with Other Features
DAI works closely with DHCP snooping and IP Source Guard. DHCP snooping provides the binding table; DAI validates ARP; IP Source Guard validates IP traffic at Layer 3. All three are often deployed together for comprehensive Layer 2 security. DAI does not inspect non-ARP packets; it only processes ARP frames.
Enable DHCP Snooping Globally and Per VLAN
DAI cannot function without DHCP snooping because it relies on the DHCP snooping binding table. First, enable DHCP snooping globally with `ip dhcp snooping`. Then, enable it on the specific VLANs where DAI will be used, e.g., `ip dhcp snooping vlan 10`. This instructs the switch to intercept DHCP messages and build the binding table. Without this step, DAI would have no valid bindings to compare against, causing all ARP packets to be dropped (if DAI is enabled). Ensure that the DHCP server port is configured as trusted using `ip dhcp snooping trust` on that interface, otherwise DHCP offers from the server might be dropped.
Configure Trusted Ports for DAI
By default, all ports are untrusted for DAI. You must explicitly configure ports that connect to other switches, routers, or DHCP servers as trusted. Use interface configuration mode: `interface GigabitEthernet0/1` then `ip arp inspection trust`. Trusted ports skip ARP validation, which is necessary on inter-switch links so that legitimate ARP packets forwarded by neighboring switches (which have already inspected them) are not dropped. Failure to configure uplink ports as trusted can cause ARP traffic between switches to be dropped, breaking connectivity.
Enable DAI on the VLAN
Enable DAI on the VLAN using the global configuration command `ip arp inspection vlan 10`. You can specify a range of VLANs, e.g., `ip arp inspection vlan 10-20`. Once enabled, the switch will intercept all ARP packets on untrusted ports in that VLAN and validate them against the DHCP snooping binding table. If DAI is enabled on a VLAN but DHCP snooping is not, DAI will drop all ARP packets because there are no bindings. This is a common misconfiguration.
Configure Optional Validation Checks
For enhanced security, you can enable additional validation checks using `ip arp inspection validate [src-mac] [dst-mac] [ip]`. The `src-mac` option checks that the source MAC address in the Ethernet frame matches the sender MAC in the ARP payload. `dst-mac` checks that the destination MAC in the frame matches the target MAC in ARP replies. `ip` validates the IP address (e.g., for ARP replies, the target IP must be valid). These checks add extra layers of protection but may cause false positives if not properly understood. For CCNA, know that these options exist and that they are disabled by default.
Adjust Rate Limiting on Untrusted Ports
To prevent ARP flooding attacks, DAI enforces a rate limit on untrusted ports. The default is 15 pps. You can change it per interface: `ip arp inspection limit rate 25`. Optionally, set a burst interval: `ip arp inspection limit rate 25 burst interval 2`. If the limit is exceeded, the port goes into err-disable state. You can configure errdisable recovery: `errdisable recovery cause arp-inspection` and `errdisable recovery interval 300`. Monitoring the rate limit is important; too low a rate may drop legitimate ARP traffic, too high may allow an attacker to flood.
Verify DAI Operation Using Show Commands
After configuration, verify with `show ip arp inspection interfaces` to see trust state and rate limits. Use `show ip arp inspection vlan 10` to confirm DAI is enabled and active. Check `show ip dhcp snooping binding` to ensure bindings exist. Also, `show ip arp inspection statistics vlan 10` shows counts of dropped and forwarded ARP packets. If you see many drops, investigate using `debug ip arp inspection` (with caution in production). These verification steps are crucial for troubleshooting and are commonly tested on the exam.
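An added configuration-consistency check for the misconfigurations these steps call out (DAI enabled on a VLAN without DHCP snooping on the same VLAN, and an uplink or server port trusted for one feature but not the other). This is example code written for this page, not a Cisco tool; the sample config it audits is constructed to resemble the page's example and deliberately contains each mistake.

```python
# Constructed sample config, modelled on the page's example: Gi0/1 is trusted only for
# DHCP snooping, Gi0/2 only for DAI, and DAI is enabled on VLAN 20 without snooping there.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
 ip dhcp snooping trust
interface GigabitEthernet0/2
 ip arp inspection trust
ip arp inspection vlan 10,20
"""

def expand_vlans(spec):
    """'10-12,30' -> {10, 11, 12, 30}: the vlan-list form both commands accept."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(config):
    """Collect the DHCP snooping and DAI state that the audit needs."""
    s = {"snoop_global": False, "snoop_vlans": set(), "dai_vlans": set(),
         "snoop_trust": set(), "dai_trust": set()}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line == "ip dhcp snooping":
            s["snoop_global"] = True
        elif line.startswith("ip dhcp snooping vlan "):
            s["snoop_vlans"] |= expand_vlans(line.split()[-1])
        elif line.startswith("ip arp inspection vlan "):
            s["dai_vlans"] |= expand_vlans(line.split()[-1])
        elif line == "ip dhcp snooping trust" and iface:
            s["snoop_trust"].add(iface)
        elif line == "ip arp inspection trust" and iface:
            s["dai_trust"].add(iface)
    return s

def audit(config):
    """Return a list of findings; an empty list means the config is consistent."""
    s = parse_config(config)
    findings = []
    if s["dai_vlans"] and not s["snoop_global"]:
        findings.append("global: DAI enabled but 'ip dhcp snooping' is missing")
    for v in sorted(s["dai_vlans"] - s["snoop_vlans"]):
        findings.append(f"vlan {v}: DAI without DHCP snooping, all ARP on untrusted ports drops")
    for i in sorted(s["dai_trust"] - s["snoop_trust"]):
        findings.append(f"{i}: DAI-trusted uplink/server port not trusted for DHCP snooping")
    for i in sorted(s["snoop_trust"] - s["dai_trust"]):
        findings.append(f"{i}: DHCP-trusted port not DAI-trusted, its ARP is validated against the table")
    return findings
```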
In a typical enterprise campus network, DAI is deployed on access layer switches where end users connect. For example, a company with 500 employees in a building uses VLANs for each floor. The network engineer enables DHCP snooping and DAI on all user VLANs. The switch uplinks to the distribution layer are configured as trusted. This prevents an employee from plugging in a rogue laptop that sends fake ARP replies to intercept the CEO's traffic.

In another scenario, a university with a BYOD policy uses DAI to protect the network from students who might run ARP spoofing tools. The DHCP snooping binding table is populated as students obtain IP addresses. DAI ensures that even if a student manually sets a static IP, ARP packets claiming that IP will be dropped unless a static ARP inspection filter is configured.

A common pitfall is forgetting to configure the DHCP server port as trusted for DHCP snooping, which causes DHCP offers to be dropped and clients to fail to get IP addresses. Also, if a switch is replaced and the new switch does not have DAI configured, ARP attacks can succeed until the configuration is restored.

Performance considerations: DAI adds CPU overhead because the switch must inspect every ARP packet. On high-density switches with thousands of ARP packets per second, rate limiting becomes critical. A misconfigured rate limit that is too low can cause legitimate ARP traffic to be dropped, leading to connectivity issues that are hard to diagnose. Network engineers often monitor DAI statistics via SNMP to detect potential attacks. In production, DAI is usually deployed alongside IP Source Guard for complete Layer 2 security.
The CCNA 200-301 exam tests DAI under Objective 4.3 (IP Services). You need to know: (1) DAI validates ARP packets using the DHCP snooping binding table. (2) DAI is configured per VLAN. (3) Trusted vs untrusted ports. (4) Rate limiting default is 15 pps. (5) DAI can validate source MAC, destination MAC, and IP.

Common wrong answers: Candidates often think DAI uses a separate ACL or that it validates all packets, not just ARP. Another trap: They assume DAI works without DHCP snooping—it does not. Some think enabling DAI on a VLAN automatically trusts all ports; they forget to configure trusted ports.

Specific values to remember: default rate limit 15 pps, burst interval 1 second. On the exam, you might see a scenario where a host with a static IP cannot communicate after DAI is enabled; the solution is to add a static ARP inspection filter or create a static DHCP snooping binding. Another scenario: An attacker sends many ARP packets, causing a port to go err-disable; the recovery command is errdisable recovery cause arp-inspection.

Decision rule: If a question involves ARP spoofing prevention, the answer is DAI. If it involves validating IP packets at Layer 3, it's IP Source Guard. Remember that DAI only inspects ARP frames, not IP packets.
DAI prevents ARP spoofing by validating IP-to-MAC bindings against the DHCP snooping database.
DAI is configured per VLAN using 'ip arp inspection vlan <vlan-id>'.
Ports are untrusted by default; use 'ip arp inspection trust' on uplink and server ports.
Default rate limit on untrusted ports is 15 packets per second.
DAI requires DHCP snooping to be enabled globally and on the same VLAN.
Optional validation checks: src-mac, dst-mac, ip (configured with 'ip arp inspection validate').
Exceeded rate limit causes err-disable; recovery via 'errdisable recovery cause arp-inspection'.
These come up on the exam all the time. Here's how to tell them apart.
Dynamic ARP Inspection (DAI)
Validates ARP packets only.
Uses DHCP snooping binding table for IP-MAC bindings.
Prevents ARP spoofing attacks.
Configured per VLAN.
Ports can be trusted or untrusted.
Rate limiting per port (default 15 pps).
IP Source Guard (IPSG)
Validates IP packets (not ARP).
Uses DHCP snooping binding table or static IP source binding.
Prevents IP spoofing attacks.
Configured per interface.
Ports are either enabled or disabled for IPSG.
No rate limiting; uses ACL-based filtering.
Mistake
DAI can validate ARP packets without DHCP snooping.
Correct
DAI relies entirely on the DHCP snooping binding table. Without DHCP snooping, there are no bindings, so DAI will drop all ARP packets.
Candidates assume DAI has its own database, but it's dependent on DHCP snooping.
Mistake
Enabling DAI on a VLAN automatically makes all ports trusted.
Correct
All ports are untrusted by default. You must manually configure trusted ports using 'ip arp inspection trust'.
The word 'trust' might imply default trust, but the opposite is true for security.
Mistake
DAI validates all types of packets, not just ARP.
Correct
DAI only inspects ARP frames (EtherType 0x0806). Other packets are forwarded normally.
The name 'Dynamic ARP Inspection' clearly indicates it's for ARP, but candidates might generalize.
Mistake
DAI uses ACLs to filter ARP packets.
Correct
DAI uses the DHCP snooping binding table, not ACLs. However, you can optionally use an ARP ACL with 'ip arp inspection filter' for static entries.
Candidates often associate filtering with ACLs, but DAI's primary mechanism is binding validation.
Yes, but you need to manually add a static binding to the DHCP snooping database using `ip dhcp snooping binding <mac> vlan <vlan> <ip> interface <interface>`. Alternatively, you can use an ARP ACL with `ip arp inspection filter <acl-name> vlan <vlan>` to allow specific IP-MAC pairs. Without these, DAI will drop ARP packets from static hosts because there is no corresponding entry in the binding table.
DHCP snooping is a security feature that filters DHCP messages and builds a binding table of IP-MAC-interface mappings. DAI uses that binding table to validate ARP packets. DHCP snooping prevents rogue DHCP servers; DAI prevents ARP spoofing. They are complementary and often deployed together.
Technically, you can enable DAI on a VLAN without DHCP snooping, but it will drop all ARP packets because there are no bindings. This would break all Layer 2 communication. Therefore, DHCP snooping must be enabled on the same VLAN for DAI to function correctly.
When a port exceeds the configured rate limit for ARP packets, the switch places the port in err-disable state. This means the port is administratively disabled and will not forward any traffic. You can recover by manually issuing `shutdown` followed by `no shutdown` on the interface, or by configuring errdisable recovery with `errdisable recovery cause arp-inspection`.
Use the command `ip arp inspection vlan <vlan-list>` where vlan-list can be a range, e.g., `ip arp inspection vlan 10-20,30`. This enables DAI on all specified VLANs. Make sure DHCP snooping is also enabled on those VLANs.
The default burst interval is 1 second. This means the rate limit is applied over a 1-second window. You can change it with the `burst interval` option in the `ip arp inspection limit` command.
Yes, if the router is connected to a switch port that is untrusted for DAI, ARP packets from the router might be dropped. To avoid this, configure the switch port connecting to the router as trusted for DAI using `ip arp inspection trust`.