
Dynamic ARP Inspection (DAI)

Dynamic ARP Inspection (DAI) is a switch security feature that validates Address Resolution Protocol (ARP) requests and responses in a network, protecting against attacks such as ARP poisoning (also called ARP spoofing).

Graphic A

ARP allows hosts within a Layer 2 broadcast domain to communicate by mapping an IP address to the individual host's media access control (MAC) address.
If a host wants to send traffic to another host but does not have that host's MAC address in its ARP cache, it broadcasts a request to every host in the domain asking who owns the IP address. The host that owns it replies with its MAC address.

ARP has no authentication: any host can send a forged reply (or an unsolicited "gratuitous" ARP) claiming another host's IP address, so these exchanges are vulnerable to man-in-the-middle attacks. DAI stops these attacks by intercepting all ARP requests and responses received on untrusted ports and dropping packets with invalid IP-to-MAC address bindings.

DAI does not build its own table. It validates each ARP packet against the binding database that DHCP snooping already maintains (IP address, MAC address, VLAN and port learned from DHCP exchanges), so DHCP snooping must be enabled on the VLAN first.
This approach ensures that only ARP requests and responses whose sender IP-to-MAC binding matches a known entry are passed through. One caveat: a host with a static address that never goes through DHCP has no binding, so its ARP will be dropped unless it is whitelisted with an ARP ACL (ip arp inspection filter).

DAI is performed on ARP messages as they are received on a port, not as they are sent.
DAI uses trusted and untrusted ports as well. As with DHCP snooping, all ports are considered untrusted by default.

Graphic B

We are going to use DHCP snooping initially in this lab to mark the trusted and untrusted ports, but DAI differs in how messages are treated by each port type: on a DAI-trusted port, ARP packets bypass inspection entirely, while on an untrusted port every ARP packet is checked against the binding database. Again, DAI inspects ARP messages as they are received, not as they are transmitted.

As the diagram above shows, DHCP snooping is already enabled. The next step is to enable DAI on the VLAN that will use it (ip arp inspection vlan).

If you see the validation failure counters (show ip arp inspection statistics) climbing, you most likely have a rogue device on your network, or a host whose binding is missing, such as a statically addressed host without an ARP ACL entry, or a port whose trust state is wrong.
Now, DAI considers all ports untrusted by default. To trust a port, or to remove the trust from one already trusted, use the ip arp inspection trust interface command (and no ip arp inspection trust to revert).

If you run DAI in your network, it's a good idea to run it on all your switches so that inspection is not repeated unnecessarily. Cisco recommends configuring all ports connected to hosts as untrusted, and all ports connected to other switches as trusted, as in Graphic B.
Since DAI runs only at ingress, this scheme ensures that every ARP packet passes exactly one checkpoint, the access port where it enters the network, and is not re-inspected at each switch hop. If a neighboring switch does not run DAI, leave the link to it untrusted; otherwise forged ARP from hosts behind that switch would enter unchecked.
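The following is an added, complete Cisco IOS configuration for one access switch that walks through the steps above (DHCP snooping first, DAI on the VLAN, trusting the uplink, leaving host ports untrusted) and adds the checks a practitioner would want: a rate limit on host ports, an ARP ACL for a static host, and the show commands for reading the failure counters. It is example code written for this edit, not the lab's own configuration. It assumes VLAN 10 is the user VLAN, GigabitEthernet0/1 is the uplink to another DAI-enabled switch, Gi0/2-24 are host ports, and a hypothetical printer at 10.1.10.50 with MAC 0011.2233.4455 that uses a static address; every interface name and address here is an assumption, not from the page.

```cisco
! Added example for this edit (not from the original lab).
! Assumed topology: VLAN 10 = user VLAN, Gi0/1 = uplink to a DAI-enabled
! distribution switch, Gi0/2-24 = host ports, 10.1.10.50 / 0011.2233.4455 =
! hypothetical printer with a static address that never talks to DHCP.

! 1. DHCP snooping first: DAI validates ARP against the bindings it builds.
ip dhcp snooping
ip dhcp snooping vlan 10
! Persist the bindings so a reload does not empty the table (DAI would then
! drop every host's ARP until the host renews its lease).
ip dhcp snooping database flash:dhcp-snoop.db

! 2. Trust the uplink: DHCP server replies arrive through it, and ARP coming
!    from the other switch was already inspected at its own access port.
interface GigabitEthernet0/1
 description Uplink to distribution (runs DAI)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
 exit

! 3. Enable DAI on the VLAN. All ports are untrusted by default, so every ARP
!    request/reply received on Gi0/2-24 is checked against the snooping bindings.
ip arp inspection vlan 10
! Optional checks on top of the IP-to-MAC binding lookup (one command; entering
! them separately overrides the previous setting):
!   src-mac : Ethernet source MAC must equal the ARP sender hardware address
!   dst-mac : Ethernet destination MAC must equal the ARP target hardware
!             address (checked on replies)
!   ip      : drop packets with invalid sender/target IPs (0.0.0.0,
!             255.255.255.255, multicast)
ip arp inspection validate src-mac dst-mac ip
! Keep a log of dropped packets so a rising failure counter can be traced
! to a sender MAC/IP and port.
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 100 interval 10

! 4. Host ports stay untrusted. Rate-limit ARP so an ARP flood (or an ARP
!    scanner) err-disables the port instead of starving the switch CPU;
!    15 packets per second is the IOS default for untrusted ports.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
 exit
! Let err-disabled ports recover automatically (default timer is 300 s).
errdisable recovery cause arp-inspection

! 5. A statically addressed host has no DHCP binding and would be dropped.
!    Whitelist it with an ARP ACL applied to the VLAN.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
 exit
ip arp inspection filter STATIC-HOSTS vlan 10

! 6. Verification commands (run from privileged EXEC):
!   show ip dhcp snooping binding             the table DAI validates against
!   show ip arp inspection vlan 10            DAI state and validate options
!   show ip arp inspection interfaces         trust state and rate limit per port
!   show ip arp inspection statistics vlan 10 Forwarded / Dropped / DHCP Drops /
!                                             ACL Drops / Source MAC Failures /
!                                             Dest MAC Failures / IP Validation Failures
!   show ip arp inspection log                sender MAC/IP and port of each drop
```

When reading the statistics, "DHCP Drops" are packets with no matching snooping binding (a rogue host, or a legitimate static host you forgot to whitelist), while the "Source MAC Failures" and "IP Validation Failures" columns only count once the validate options above are turned on.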

So, in conclusion, these are some features of ARP Inspection:

I initially didn't see a lot of labs about Dynamic ARP Inspection, so I made one. If you liked this lab and it was useful, please click to share.

Thank you for watching.

Reviewed by ohhhvictor on 3:33:00 PM