CCNA 200-301 | Chapter 203 of 260 | Objective 2.7

Dynamic ARP and MAC Security Mitigation

Dynamic ARP Inspection (DAI) and related MAC security mitigations are critical for protecting your network from ARP spoofing and man-in-the-middle attacks. On the CCNA 200-301 exam, objective 2.7 tests your ability to configure and verify these Layer 2 security features. Understanding DAI, port security, and DHCP snooping is not just exam trivia—it's essential for real-world network hardening.

25 min read | Intermediate | Updated May 31, 2026

The Mailroom ID Check

Imagine a large office building with a central mailroom. Every day, employees send interoffice envelopes (ARP packets) to each other. The envelope has a 'From' name (IP address) and a 'From' department (MAC address). The mailroom has a master directory (DHCP snooping binding table) that lists which employee works in which department. A malicious person, Mallory, wants to intercept messages meant for Alice. Mallory sends an envelope with 'From: Alice, Sales' but she is actually in the IT department. Without a check, the mailroom would deliver future envelopes for Alice to Mallory's desk. Dynamic ARP Inspection acts like a vigilant mailroom clerk: it checks every incoming envelope against the master directory. If the 'From' department doesn't match the directory, the envelope is trashed. Additionally, the clerk only accepts envelopes from known desks (trusted ports) and ignores envelopes from unverified desks—this is like configuring trusted ports for DHCP snooping. Port security is like a door lock that only allows specific employees (MAC addresses) into a room. Together, these measures prevent impersonation and ensure that messages reach the right person.

How It Actually Works

Dynamic ARP Inspection (DAI) is a Cisco security feature that validates ARP packets in a network. It prevents ARP spoofing and ARP poisoning attacks by intercepting all ARP requests and responses on untrusted ports and verifying that each packet has a valid IP-to-MAC address binding before forwarding it. DAI relies on a trusted database—the DHCP snooping binding table—to determine validity. Without DAI, an attacker can send a forged ARP reply, claiming to be the default gateway, and redirect traffic to themselves for eavesdropping or modification.

How DAI Works Step by Step

When a switch receives an ARP packet on an untrusted port, DAI performs the following checks:

1. Packet Interception: The switch CPU intercepts the ARP packet and inspects its sender MAC and sender IP fields.

2. Binding Lookup: DAI looks up the sender IP address in the DHCP snooping binding table. This table is built by DHCP snooping, which monitors DHCP messages to record which IP address is assigned to which MAC address on which port.

3. Validation: DAI compares the sender MAC and IP in the ARP packet against the binding table. For an ARP reply, it also checks the target MAC and IP.

4. Action: If the (MAC, IP) pair matches an entry in the binding table, the packet is forwarded. If not, the packet is dropped and an error message may be logged. Optionally, DAI can also validate against static ARP entries or ACLs.

DAI Validation Checks

DAI performs up to four validation checks, configurable with the ip arp inspection validate command:

src-mac: Verifies that the sender MAC address in the Ethernet header matches the sender MAC in the ARP body.

dst-mac: Verifies that the target MAC in the ARP body matches the Ethernet destination MAC (for ARP replies).

ip: Verifies that the ARP body contains valid IP addresses (e.g., not broadcast or multicast).

source-group: (Optional, not in CCNA) Verifies against source-group mappings.

By default, no validation is enabled except the basic check against the DHCP snooping database. The ip arp inspection validate src-mac dst-mac ip command enables the most common checks.
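The inspection procedure above (the four steps plus the optional src-mac, dst-mac and ip checks), modelled as an added Python example that is not Cisco code and is not part of the original page. The packet fields, the binding dictionary and the ARP ACL list are constructed for illustration; the sample entries reuse the addresses shown in the page's verification output and ARP ACL example, and deny ACL entries and the `static` keyword are not modelled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2

def norm_mac(mac: str) -> str:
    """Normalise Cisco ('0050.7966.6800') and colon forms to 12 lowercase hex digits."""
    return mac.replace(":", "").replace(".", "").replace("-", "").lower()

@dataclass
class ArpPacket:
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str
    opcode: int = ARP_REQUEST

def ip_is_valid(ip: str) -> bool:
    """The 'ip' validation check: reject 0.0.0.0, limited broadcast and multicast."""
    try:
        a = IPv4Address(ip)
    except ValueError:
        return False
    return not (a.is_unspecified or a.is_multicast or a == IPv4Address("255.255.255.255"))

def dai_inspect(pkt, vlan, trusted, bindings, arp_acl=(), validate=frozenset()):
    """Decide the fate of one ARP packet: 'forward' or 'drop: <reason>'.
    bindings: {(vlan, ip): mac} as learned by DHCP snooping
    arp_acl:  (ip, mac) permit entries applied with 'ip arp inspection filter'
    validate: any subset of {'src-mac', 'dst-mac', 'ip'}
    """
    if trusted:                                   # trusted ports are not inspected
        return "forward"
    if "src-mac" in validate and norm_mac(pkt.eth_src) != norm_mac(pkt.sender_mac):
        return "drop: src-mac mismatch"
    if ("dst-mac" in validate and pkt.opcode == ARP_REPLY
            and norm_mac(pkt.eth_dst) != norm_mac(pkt.target_mac)):
        return "drop: dst-mac mismatch"
    if "ip" in validate:                          # sender IP always; target IP only in replies
        checked = [pkt.sender_ip] + ([pkt.target_ip] if pkt.opcode == ARP_REPLY else [])
        if not all(ip_is_valid(ip) for ip in checked):
            return "drop: invalid ip address"
    # ARP ACL permits (static hosts) are consulted before the binding table
    permitted = {(ip, norm_mac(mac)) for ip, mac in arp_acl}
    if (pkt.sender_ip, norm_mac(pkt.sender_mac)) in permitted:
        return "forward"
    bound_mac = bindings.get((vlan, pkt.sender_ip))
    if bound_mac is None:
        return "drop: no binding for sender ip"
    if norm_mac(bound_mac) != norm_mac(pkt.sender_mac):
        return "drop: sender mac does not match binding"
    return "forward"

# Constructed sample data mirroring the page's verification output and ARP ACL.
BINDINGS = {(10, "192.168.1.10"): "00:11:22:33:44:55"}     # show ip dhcp snooping binding
STATIC_HOSTS = [("192.168.1.20", "0050.7966.6800")]        # arp access-list STATIC_HOSTS
ALL_CHECKS = frozenset({"src-mac", "dst-mac", "ip"})       # ip arp inspection validate src-mac dst-mac ip
```

With no validate set, a packet whose Ethernet source differs from its ARP sender MAC still passes if the (IP, MAC) pair is in the binding table; only the src-mac check catches that.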

DAI Configuration

DAI is configured per VLAN. You must first enable DHCP snooping globally and per VLAN to populate the binding table. Then, configure DAI on the same VLANs. Untrusted ports are typically access ports facing hosts; trusted ports are uplinks to switches or routers.

Example configuration:

! Enable DHCP snooping globally
ip dhcp snooping
! Enable DHCP snooping for VLAN 10
ip dhcp snooping vlan 10
! Configure trusted port (uplink): trust is set separately for DHCP snooping and for DAI
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust
! Enable DAI for VLAN 10
ip arp inspection vlan 10
! (Optional) Validate src-mac, dst-mac, ip
ip arp inspection validate src-mac dst-mac ip
! (Optional) Rate limit ARP packets on untrusted ports
interface GigabitEthernet0/2
 ip arp inspection limit rate 15

Verification Commands

Use show ip arp inspection to see DAI status per VLAN:

Switch# show ip arp inspection
Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled

Vlan     Configuration    Operation   ACL Match          Static ACL
----     -------------    ---------   ---------          ----------
10       Enabled          Active                         

Vlan     ACL Logging      DHCP Logging
----     --------------   -------------
10       Deny             Deny

Use show ip arp inspection interfaces to see port trust state and rate limits:

Switch# show ip arp inspection interfaces
Interface        Trust State     Rate (pps)    Burst Interval
---------        -----------     ----------    --------------
Gi0/1            Trusted         None          N/A
Gi0/2            Untrusted       15            1

Use show ip dhcp snooping binding to view the binding table:

Switch# show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55  192.168.1.10     86300       dhcp-snooping   10    GigabitEthernet0/2

Interaction with DHCP Snooping and Port Security

DAI is dependent on DHCP snooping to build the binding table. Without DHCP snooping, DAI can only use static ARP entries, which is impractical. Port security limits the number of MAC addresses on a port, preventing MAC flooding attacks. DAI and port security complement each other: port security restricts what MACs can enter the switch, while DAI ensures those MACs are not spoofing IPs.

Rate Limiting

DAI can rate-limit ARP packets on untrusted ports to prevent CPU overload. The default rate is 15 packets per second (pps) with a burst interval of 1 second. If the limit is exceeded, the port is err-disabled. Use ip arp inspection limit rate <pps> to change the rate.
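The rate limit described above (rate multiplied by burst interval per port, trusted ports unlimited, err-disable once exceeded), as an added Python model that is not Cisco code and not part of the original page. Port names, timestamps and the method names are constructed for illustration.

```python
from collections import defaultdict, deque

class DaiRateLimiter:
    """Per-port ARP rate limiting as DAI applies it on untrusted ports.

    A port may receive at most rate * burst_interval ARP packets within any
    burst_interval-second window; one packet beyond that err-disables the port.
    A rate of None models a trusted port / 'ip arp inspection limit rate none'.
    """
    def __init__(self, rate=15, burst_interval=1):       # the IOS defaults
        self.rate, self.burst = rate, burst_interval
        self.port_rate = {}                                # per-port overrides
        self.seen = defaultdict(deque)                     # port -> timestamps in window
        self.err_disabled = set()

    def set_limit(self, port, rate):
        """Model 'ip arp inspection limit rate <pps>' on one interface."""
        self.port_rate[port] = rate

    def observe(self, port, ts):
        """Count one ARP packet on `port` at time `ts` (seconds).

        Returns 'ok', 'err-disabled' (this packet tripped the limit) or
        'dropped' (port already err-disabled, nothing passes).
        """
        if port in self.err_disabled:
            return "dropped"
        rate = self.port_rate.get(port, self.rate)
        if rate is None:
            return "ok"
        window = self.seen[port]
        window.append(ts)
        while window and ts - window[0] >= self.burst:    # keep only the last burst seconds
            window.popleft()
        if len(window) > rate * self.burst:
            self.err_disabled.add(port)
            return "err-disabled"
        return "ok"

    def recover(self, port):
        """Model 'shutdown' / 'no shutdown' or errdisable recovery on the port."""
        self.err_disabled.discard(port)
        self.seen[port].clear()
```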

DAI and ARP ACLs

For hosts with static IP addresses (not DHCP), you can create an ARP ACL to validate their ARP packets. This is an alternative to DHCP snooping entries. Example:

arp access-list STATIC_HOSTS
 permit ip host 192.168.1.20 mac host 0050.7966.6800
ip arp inspection filter STATIC_HOSTS vlan 10

Summary of Defaults

DAI is disabled by default on all VLANs.

All ports are untrusted by default.

No validation checks are enabled by default.

Rate limit is 15 pps on untrusted ports.

The switch uses the DHCP snooping binding table by default.

Walk-Through

1. Enable DHCP Snooping

DAI requires a valid binding table. First, enable DHCP snooping globally with `ip dhcp snooping`. Then enable it on the VLANs you want to protect with `ip dhcp snooping vlan <vlan-id>`. This command tells the switch to monitor DHCP messages on that VLAN. Next, configure trusted ports (uplinks to DHCP servers or other switches) with `ip dhcp snooping trust` under the interface. All other ports are untrusted by default. Trusted ports are allowed to send DHCP offers and ACKs; untrusted ports can only send DHCP requests. This prevents rogue DHCP servers.

2. Enable DAI on VLANs

Enable Dynamic ARP Inspection on the same VLANs with `ip arp inspection vlan <vlan-id>`. This activates DAI for all ARP packets received on untrusted ports in that VLAN. The switch will now intercept ARP packets and validate them against the DHCP snooping binding table. If the binding table is empty (e.g., no DHCP clients), DAI will drop all ARP packets from untrusted ports unless you configure static entries or ARP ACLs.

3. Configure Validation Checks

Optionally, enable additional validation with `ip arp inspection validate [src-mac] [dst-mac] [ip]`. This command is global. `src-mac` checks that the source MAC in the Ethernet header matches the sender MAC in the ARP body. `dst-mac` checks that the destination MAC matches the target MAC (for ARP replies). `ip` checks that the IP addresses are valid (e.g., not 0.0.0.0, not multicast). These checks add extra security but may cause issues with some legitimate traffic (e.g., ARP probes). On the exam, know that the default is no validation; the command enables them.

4. Set Rate Limits on Untrusted Ports

To prevent DoS attacks, configure rate limiting on untrusted ports. By default, DAI allows 15 ARP packets per second. Use `ip arp inspection limit rate <pps>` in interface configuration mode to change the limit. If the rate is exceeded, the port is put into err-disable state. The burst interval is set on the same command with `ip arp inspection limit rate <pps> burst interval <seconds>`. On the exam, know the default rate and that exceeding it causes err-disable.

5. Verify DAI Operation

Use `show ip arp inspection` to verify DAI is active on the correct VLANs and see validation settings. Use `show ip arp inspection interfaces` to check trust state and rate limits. Use `show ip dhcp snooping binding` to confirm that bindings exist. If DAI is dropping packets, check `show ip arp inspection statistics` to see counts of dropped and allowed packets. Also check `show logging` for DAI error messages. A common exam scenario: DAI is enabled but ARP from a static IP host fails—you need to create an ARP ACL.

6. Troubleshoot DAI Issues

If legitimate ARP packets are being dropped, first verify that the DHCP snooping binding table has an entry for the source IP and MAC. If the host uses a static IP, you must add a static binding (`ip dhcp snooping binding <mac> vlan <vlan> <ip> interface <int>`) or create an ARP ACL. Also ensure that the port is not configured as trusted inadvertently. Check for rate limiting errors: if the port is err-disabled, re-enable it with `shutdown` and `no shutdown` after fixing the cause. On the exam, you might be asked why a host cannot communicate—look for missing DAI configuration or wrong trust state.

What This Looks Like on the Job

In an enterprise campus network, DAI is typically deployed on access switches that connect end-user devices. For example, in a university dormitory network, students often plug in personal devices, some of which may be infected with malware that attempts ARP spoofing to intercept traffic. By enabling DAI on all user VLANs, the network team prevents such attacks. The DHCP snooping binding table is populated as students obtain IP addresses via DHCP. Static IP devices, like printers, are handled by adding ARP ACLs or static bindings.

A common production deployment scenario: a company has a VLAN for VoIP phones and a separate VLAN for data. DAI is enabled on both VLANs. The phones get IPs via DHCP, so they automatically appear in the binding table. However, some legacy devices use static IPs. For those, the network engineer creates an ARP ACL listing the allowed MAC-IP pairs. This ACL is applied to the VLAN using ip arp inspection filter.

Performance considerations: DAI is CPU-intensive because the switch must process every ARP packet in software. On high-density switches with many hosts, the rate limit must be set appropriately to avoid CPU overload. Typically, a rate of 15-30 pps per port is sufficient for normal operation. If a port has many ARP requests (e.g., a port with a hub), the rate may need to be increased. Misconfiguration can cause outages: if an uplink port is left as untrusted, all ARP traffic from that port is dropped, isolating the VLAN from the rest of the network. Conversely, if a host port is incorrectly set as trusted, DAI is bypassed, allowing spoofing.

Another scenario: in a data center, DAI is often used in conjunction with private VLANs to isolate tenants. The binding table is populated by DHCP or by a cloud management system. Rate limiting is critical to prevent ARP storms from affecting the control plane.

How CCNA 200-301 Actually Tests This

For CCNA 200-301 objective 2.7, you must know how to configure and verify DAI, DHCP snooping, and port security. The exam tests your ability to identify the correct configuration commands and interpret show output. Common wrong answers include:

1. Enabling DAI without DHCP snooping: Candidates think DAI works alone. In reality, DAI relies on the DHCP snooping binding table. Without it, DAI will drop all ARP packets unless static entries or ACLs are configured.

2. Confusing trusted/untrusted ports: On the exam, you might see a scenario where ARP packets are being dropped. The answer might be that the port is untrusted, but the host is legitimate. The fix is either to make the port trusted (if it's an uplink) or to ensure a binding exists. Many candidates incorrectly set all ports to trusted.

3. Rate limiting defaults: The default rate is 15 pps. If a question says 'the switch is dropping ARP packets' and shows a rate limit of 15, the answer might be to increase the rate limit if the host is legitimate.

4. Validation checks: The default is no validation. The command ip arp inspection validate src-mac dst-mac ip enables all three. A question might ask which validation checks are enabled by default: none.

5. Err-disable recovery: If a port goes err-disable due to DAI rate limiting, you must manually shut/no shut or configure err-disable recovery. The exam may ask how to recover.

Decision rule: When you see an ARP spoofing scenario, always think DHCP snooping first—then DAI. For configuration questions, remember: DHCP snooping global + VLAN, trust uplink, then DAI on VLAN. For troubleshooting, check binding table and trust state.

Specific values to memorize: default rate 15 pps, burst interval 1 second, validation disabled by default, all ports untrusted by default. The show ip arp inspection output shows VLAN, config, and operation status. The show ip dhcp snooping binding output shows MAC, IP, lease, type, VLAN, interface.

Key Takeaways

DAI validates ARP packets against the DHCP snooping binding table; it is disabled by default.

DAI relies on DHCP snooping; without it, DAI drops all ARP on untrusted ports unless static bindings or ACLs exist.

All switch ports are untrusted by default for DAI; trusted ports are typically uplinks.

Default ARP rate limit on untrusted ports is 15 pps; exceeding it causes err-disable.

The 'ip arp inspection validate src-mac dst-mac ip' command enables all three validation checks; none are enabled by default.

Use 'show ip arp inspection' to verify DAI status per VLAN and 'show ip arp inspection interfaces' for trust state.

Port security limits MAC addresses per port, while DAI prevents IP-to-MAC spoofing; both are complementary.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Dynamic ARP Inspection (DAI)

Validates ARP packets using IP-to-MAC bindings

Prevents ARP spoofing and man-in-the-middle attacks

Relies on DHCP snooping binding table

Operates at Layer 3 (IP) and Layer 2 (MAC)

Rate-limits ARP packets to protect CPU

Port Security

Limits number of MAC addresses per port

Prevents MAC flooding and unauthorized devices

Uses sticky MAC or static configuration

Operates only at Layer 2 (MAC)

Can shut down port on violation (err-disable)

Watch Out for These

Mistake: DAI can be used without DHCP snooping.

Correct: DAI requires a binding table. Without DHCP snooping, the binding table is empty, so DAI will drop all ARP packets on untrusted ports unless static entries or ARP ACLs are configured.

Candidates assume DAI is a standalone feature because it 'inspects' ARP, but it needs a source of truth.

Mistake: All ports should be configured as trusted for DAI to work.

Correct: Only uplink ports to other switches or routers should be trusted. Host-facing ports should remain untrusted to prevent spoofing.

Misunderstanding of trust model; candidates think trusted means 'safe'.

Mistake: The default validation checks include src-mac and dst-mac.

Correct: No validation checks are enabled by default. They must be explicitly configured with 'ip arp inspection validate'.

Candidates confuse default DAI behavior with the optional validation feature.

Mistake: DAI rate limiting default is 100 pps.

Correct: The default rate is 15 packets per second on untrusted ports.

Many candidates guess a higher number based on other rate limits (e.g., storm control).


Frequently Asked Questions

Does DAI work with static IP addresses?

Yes, but you must provide a binding for the static IP. You can either add a static DHCP snooping binding using 'ip dhcp snooping binding <mac> vlan <vlan> <ip> interface <int>' or create an ARP ACL using 'arp access-list' and apply it with 'ip arp inspection filter'. Without this, DAI will drop ARP packets from static IP hosts because they are not in the DHCP snooping database.

What is the default rate limit for DAI?

The default rate limit is 15 packets per second (pps) on untrusted ports. The burst interval is 1 second. If the rate is exceeded, the port is placed in err-disable state. You can change the rate with the 'ip arp inspection limit rate' command. On trusted ports, there is no rate limit by default.

Can DAI be enabled on a VLAN without DHCP snooping?

Technically yes, but it will drop all ARP packets on untrusted ports because the binding table is empty. To make it useful, you must either enable DHCP snooping or configure static bindings/ACLs. On the CCNA exam, remember that DAI and DHCP snooping are typically configured together.

How do I recover a port that is err-disabled due to DAI rate limiting?

First, fix the cause (e.g., increase rate limit or stop the excessive ARPs). Then, from interface configuration mode, issue 'shutdown' followed by 'no shutdown'. Alternatively, you can configure err-disable recovery with 'errdisable recovery cause arp-inspection' globally, which automatically recovers the port after a timeout.

What is the difference between DAI and port security?

DAI validates the IP-to-MAC binding in ARP packets to prevent ARP spoofing. Port security limits the number of MAC addresses allowed on a port and can restrict specific MACs. They address different attack vectors: DAI stops man-in-the-middle at Layer 3, while port security stops MAC flooding and unauthorized devices at Layer 2. They are often used together.

What show commands verify DAI operation?

Key commands: 'show ip arp inspection' shows per-VLAN status and validation settings. 'show ip arp inspection interfaces' shows trust state and rate limits per port. 'show ip arp inspection statistics' shows packet counts. 'show ip dhcp snooping binding' shows the binding table used by DAI. 'show logging' shows DAI error messages.

Does DAI inspect ARP packets on trusted ports?

No. DAI does not inspect ARP packets received on trusted ports. Trusted ports are assumed to be secure (e.g., uplinks to other switches). This is why it is critical to correctly identify which ports are trusted. On the exam, if a host is on a trusted port, DAI will not validate its ARP packets.
