Configuring Switching Information 387
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI
prevents a class of man-in-the-middle attacks, where an unfriendly station intercepts traffic for other
stations by poisoning the ARP caches of its unsuspecting neighbors. The miscreant sends ARP requests
or responses mapping another station’s IP address to its own MAC address.
DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and builds a
binding database of valid {MAC address, IP address, VLAN, and interface} tuples.
When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP address
do not match an entry in the DHCP snooping bindings database. You can optionally configure additional
ARP packet validation.
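The check described above can be modelled in a few lines. The following Python sketch is an added illustration, not switch firmware or vendor code: it compares each ARP packet's sender MAC address and sender IP address with a DHCP snooping binding table and reports why a packet is dropped. The addresses, interface names and packets are constructed samples, and comparing the VLAN and ingress interface as well as the MAC/IP pair is an assumption of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:            # one row learned by DHCP snooping
    mac: str
    ip: str
    vlan: int
    interface: str

@dataclass(frozen=True)
class ArpPacket:          # the fields DAI looks at
    sender_mac: str
    sender_ip: str
    vlan: int
    ingress: str          # interface the packet arrived on

def norm(mac: str) -> str:
    """Strip separators and case so differently written MACs compare equal."""
    return "".join(c for c in mac if c.isalnum()).lower()

def inspect(pkt: ArpPacket, bindings: list) -> tuple:
    """Return (verdict, reason) for one ARP packet."""
    same_ip = [b for b in bindings
               if b.ip == pkt.sender_ip and b.vlan == pkt.vlan]
    if not same_ip:
        return "DROP", "no binding for sender IP in this VLAN"
    same_mac = [b for b in same_ip if norm(b.mac) == norm(pkt.sender_mac)]
    if not same_mac:
        return "DROP", "sender IP is bound to a different MAC"
    # Assumption of this model: the ingress interface must match as well.
    if not any(b.interface == pkt.ingress for b in same_mac):
        return "DROP", "binding exists on a different interface"
    return "FORWARD", "matches binding"

# Constructed sample data (documentation address range, made-up MACs).
BINDINGS = [
    Binding("00:11:22:33:44:0a", "192.0.2.10", 10, "Gi1/0/1"),
    Binding("00:11:22:33:44:0b", "192.0.2.11", 10, "Gi1/0/2"),
]
PACKETS = {
    "legitimate": ArpPacket("00-11-22-33-44-0A", "192.0.2.10", 10, "Gi1/0/1"),
    "poisoning":  ArpPacket("00:11:22:33:44:0b", "192.0.2.10", 10, "Gi1/0/2"),
    "unknown_ip": ArpPacket("00:11:22:33:44:0c", "192.0.2.99", 10, "Gi1/0/3"),
    "moved_port": ArpPacket("00:11:22:33:44:0a", "192.0.2.10", 10, "Gi1/0/2"),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:11s}", *inspect(pkt, BINDINGS))
```

The "poisoning" packet is the case from the introduction: a station advertises another station's IP address with its own MAC address, and the mismatch against the binding table causes the drop.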
The Dynamic ARP Inspection menu page contains links to the following features:
• DAI Global Configuration
• DAI Interface Configuration
• DAI VLAN Configuration
• DAI ACL Configuration
• DAI ACL Rule Configuration
• DAI Statistics
DAI Global Configuration
Use the DAI Configuration page to configure global DAI settings.
To display the DAI Configuration page, click Switching > Dynamic ARP Inspection > Global
Configuration in the navigation tree.
Figure 7-101. Dynamic ARP Inspection Global Configuration