Dynamic ARP Inspection (DAI), is a security feature that validates ARP packets in a network. DAI intercepts and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks. DAI ensures that only valid ARP requests and responses are relayed. The switch performs these activities:
- Intercepts all ARP requests and responses on untrusted ports.
- Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache, or before forwarding the packet to the appropriate destination.
- Drops invalid ARP packets.
DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping, if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
DAI associates a trust state with each interface on the switch. Packets arriving on trusted interfaces bypass all DAI validation checks, and those arriving on untrusted interfaces undergo the DAI validation process.
In a typical network configuration, you configure all switch ports connected to host ports as untrusted, and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check. No other validation is needed at any other place in the VLAN or in the network.
When configuring DAI, follow these guidelines and restrictions:
- DAI is an ingress security feature; it does not perform any egress checking.
- DAI is not effective for hosts connected to switches that do not support DAI, or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with DAI checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for DAI.
- DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses.
- DAI is supported on access ports, trunk ports, and lag ports.
DAI Configuration example
Step 1: Enable DHCP snooping on Switch.
You can enable DHCP snooping on the egress port, the port connected to DHCP server.
Enable DHCP snooping:
Set the interface to trust mode：
Step 2: Enable DAI
You can enable DAI on the port connect to the host.
Step 3: Check ARP inspection table.
When the host gets an IP address from the DHCP server, and the switch has enabled DHCP snooping, it will create a table, the IP-MAC-port binded table. The entry in this table was trusted, all other ARP packets not in this table, will be discarded. (The ARP packet must be in accordance with the ARP inspection table, interface, IP address, and MAC address must be identified).