Dynamic ARP Inspection (DAI) – ARP Spoofing Prevention & DHCP Snooping Binding

1. What Is Dynamic ARP Inspection and Why Does It Matter?

Dynamic ARP Inspection (DAI) is a Layer 2 security feature on Cisco switches that intercepts, validates, and either forwards or drops ARP packets based on a trusted binding database. Its primary purpose is to prevent ARP spoofing (also called ARP poisoning) — an attack in which a malicious host sends forged ARP replies to associate its MAC address with a legitimate IP address, redirecting traffic intended for that IP through the attacker's machine.

ARP has no built-in authentication mechanism. Any host can send an ARP reply claiming any IP-to-MAC mapping, and neighbouring devices will blindly accept it. DAI closes this gap by checking every ARP packet on untrusted switch ports against the DHCP Snooping binding table (or a manually configured ARP ACL) before allowing it to be forwarded.

| Attack / Problem | How DAI Prevents It |
|---|---|
| ARP Spoofing / ARP Poisoning — attacker sends forged ARP replies to poison the ARP cache of a victim host or gateway | DAI validates the sender IP and sender MAC in every ARP packet against the DHCP snooping binding table; mismatches are dropped and logged to syslog |
| Man-in-the-Middle (MitM) Attack — traffic between two hosts is silently intercepted, read, or modified by the attacker | Because forged ARP replies are dropped before cache poisoning occurs, the attacker's MAC never enters victim ARP caches. Use SSH and HTTPS for defence-in-depth. |
| ARP Flood / Denial of Service — attacker floods the network with high-rate ARP packets to overwhelm switches or hosts | DAI rate limiting restricts ARP packets per second on untrusted ports; ports exceeding the rate are err-disabled |
| Gratuitous ARP abuse — unsolicited ARP replies used to silently update ARP caches without a prior ARP request | Gratuitous ARP packets on untrusted ports are validated against the binding table just like any other ARP packet |

Related pages: DHCP Snooping | DHCP How It Works | Port Security | MAC Addresses | MAC vs IP Addresses | VLANs Overview | Access & Trunk Ports | ARP & arp -a | ACL Overview | DHCP Snooping & DAI Lab

2. ARP Background – Why ARP Is Vulnerable

Before understanding DAI, you need a clear picture of how ARP works and where its trust model breaks down.

2.1 Normal ARP Operation

| Step | Action | Frame Type |
|---|---|---|
| 1 | Host A wants to send a packet to 192.168.1.20 but does not know its MAC address. It broadcasts an ARP Request: "Who has 192.168.1.20? Tell 192.168.1.10." | Broadcast (FF:FF:FF:FF:FF:FF) |
| 2 | Host B (192.168.1.20) replies with an ARP Reply: "192.168.1.20 is at AA:BB:CC:DD:EE:FF." | Unicast to Host A |
| 3 | Host A stores this IP-to-MAC mapping in its ARP cache and uses it for subsequent frames destined for 192.168.1.20 | (no frame sent; local cache update) |

2.2 ARP Spoofing Attack Flow

| Step | Attacker Action | Result on Victim |
|---|---|---|
| 1 | Attacker (192.168.1.99, MAC: EE:EE:EE:EE:EE:EE) sends a forged gratuitous ARP reply to Host A claiming: "192.168.1.1 (gateway) is at EE:EE:EE:EE:EE:EE" | Host A's ARP cache maps the gateway IP to the attacker's MAC |
| 2 | Attacker also sends a forged ARP reply to the gateway claiming: "192.168.1.10 (Host A) is at EE:EE:EE:EE:EE:EE" | Gateway's ARP cache maps Host A's IP to the attacker's MAC |
| 3 | Attacker forwards traffic between Host A and the gateway, reading or modifying it silently | Full man-in-the-middle — both parties are unaware. Detect with Wireshark or by monitoring show mac address-table. |

See ARP Tables (arp -a) for how to inspect ARP cache entries on a host or router and detect spoofing indicators.

3. How DAI Works – The Validation Process

DAI operates at the switch level. When enabled on a VLAN, the switch intercepts every ARP packet arriving on untrusted ports in that VLAN and performs a validation check before deciding whether to forward or drop it.

3.1 DAI Decision Flow

| Step | DAI Action | Outcome if Check Fails |
|---|---|---|
| 1 | ARP packet arrives on a switch port | |
| 2 | Is the port trusted? | If yes → forward without inspection (go to end). If no → continue to Step 3 |
| 3 | Does a static ARP ACL match this packet? | If the ACL permits → forward. If the ACL denies → drop. If no ACL entry matches → continue to Step 4 |
| 4 | Look up the sender IP address in the DHCP snooping binding table. Does an entry exist? | If no entry is found → drop. (If DHCP snooping is not enabled at all, the table is empty, so every ARP packet on an untrusted port is dropped unless an ARP ACL permits it.) |
| 5 | Does the sender MAC in the ARP packet match the MAC in the binding table entry for that IP? | If mismatch → drop and log to syslog; spoofing attempt detected |
| 6 | Does the ingress port match the port recorded in the binding table for that IP/MAC pair? | If mismatch → drop and log |
| 7 | All checks passed → forward the ARP packet | |

3.2 The DHCP Snooping Binding Table

The DHCP snooping binding table is the database DAI relies on. It is built automatically when DHCP Snooping is enabled — every time a host successfully completes a DHCP exchange, the switch records:

| Field | Recorded Source | Used by DAI to Validate |
|---|---|---|
| IP Address | DHCP ACK (yiaddr field). See How DHCP Works. | Sender IP in the ARP packet must match |
| MAC Address | DHCP ACK (chaddr field) | Sender MAC in the ARP packet must match |
| VLAN | Ingress port VLAN | ARP must arrive on a port in the correct VLAN |
| Interface | Switch port the DHCP exchange was seen on | ARP must arrive on the same interface |
| Lease Time | DHCP ACK (lease field) | Entries expire when the DHCP lease expires |

View the binding table with: show ip dhcp snooping binding. See DHCP Server Configuration for how DHCP leases are assigned.

4. Trusted vs Untrusted Ports

Every switch port is either trusted or untrusted for DAI purposes. This is independent of (but complements) the DHCP snooping trusted/untrusted port configuration.

| Port Type | DAI Behaviour | Typical Use |
|---|---|---|
| Untrusted (default) | All ARP packets are intercepted and validated against the binding table or ARP ACL. Invalid packets are dropped and logged to syslog. | Access ports connected to end-user devices (PCs, printers, IP phones) |
| Trusted | ARP packets are forwarded without inspection. The switch trusts the device on this port to send only legitimate ARP. | Uplink trunk ports to other switches, router ports, DHCP server ports, and inter-switch trunk links. See Layer 3 Switch Routing. |

Security principle: Trust should be granted only to infrastructure devices you control. End-user access ports should always remain untrusted. Granting trust to an access port defeats DAI entirely for that port.

Important: In a multi-switch environment, the uplink/trunk ports between switches must be configured as DAI trusted on both switches. If they are left untrusted, legitimate ARP traffic between switches will be dropped because the DHCP snooping binding table on one switch does not contain entries from another switch's DHCP exchanges.

5. ARP ACLs – DAI for Static IP Hosts

Hosts with statically configured IP addresses never go through a DHCP exchange, so they have no entry in the DHCP snooping binding table. Without an ARP ACL, DAI would drop all ARP packets from these hosts on untrusted ports.

The solution is a static ARP ACL — a manually configured permit entry that maps a specific IP address to a specific MAC address. DAI checks ARP ACLs before consulting the DHCP snooping binding table, so a matching permit entry allows the static-IP host's ARP traffic through.

| Scenario | Solution |
|---|---|
| End device uses DHCP | DHCP snooping binding table is populated automatically — no ARP ACL needed. See DHCP Server Configuration. |
| End device uses a static IP address | Create an ARP ACL with a static permit entry for that IP/MAC pair |
| Router or Layer 3 device on a trusted uplink | Configure the port as DAI trusted — ARP ACL not required |

5.1 ARP ACL Configuration Example

! Create an ARP ACL for static IP hosts
! (IOS expects MAC addresses in dotted-triplet form, e.g. aabb.ccdd.ee11)
Switch(config)# arp access-list STATIC_HOSTS
Switch(config-arp-nacl)# permit ip host 192.168.1.50 mac host aabb.ccdd.ee11
Switch(config-arp-nacl)# permit ip host 192.168.1.51 mac host aabb.ccdd.ee22
Switch(config-arp-nacl)# exit

! Apply the ARP ACL to VLAN 10
Switch(config)# ip arp inspection filter STATIC_HOSTS vlan 10

6. DAI Rate Limiting

Even if ARP packets are valid, a host sending thousands of ARP packets per second could overload the switch CPU (since ARP validation is a software process). DAI rate limiting protects against ARP-based DoS attacks by setting a maximum number of ARP packets per second on an interface. If a port exceeds the limit, the switch places it in err-disabled state. Check port state with show interfaces.

| Parameter | Default | Notes |
|---|---|---|
| Rate limit on untrusted ports | 15 packets per second (pps) | Recommended default — sufficient for normal end-device ARP activity |
| Rate limit on trusted ports | No limit (none) | Can be set manually if needed for uplink protection |
| Burst interval | 1 second | The window over which ARP packets are counted |
| Action when limit exceeded | Port placed in err-disabled state | Port must be manually re-enabled or auto-recovery configured. Verify with show interfaces <int> status. |

Recovering an err-disabled port:

! Manual recovery
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

! Automatic recovery (optional)
Switch(config)# errdisable recovery cause arp-inspection
Switch(config)# errdisable recovery interval 300

7. Optional DAI Validation Checks

By default, DAI only validates the sender IP and sender MAC against the binding table. Cisco IOS supports three additional optional validation checks that can be enabled independently.

| Optional Check | What It Validates | Drops When |
|---|---|---|
| src-mac | Compares the Ethernet header source MAC to the ARP sender hardware address (SHA) field inside the ARP payload | They do not match — indicates a forged or malformed ARP frame |
| dst-mac | For ARP replies: compares the Ethernet header destination MAC to the ARP target hardware address (THA) field | They do not match — indicates a potentially forged ARP reply |
| ip | Checks that ARP packet IP addresses are valid — not 0.0.0.0, 255.255.255.255, multicast, or otherwise invalid | Invalid/unexpected IP addresses are found in the ARP payload |

! Enable optional DAI validation checks (can combine all three)
Switch(config)# ip arp inspection validate src-mac dst-mac ip

Note: Each time you issue the ip arp inspection validate command, it replaces the previous setting — it does not add to it. Always specify all desired checks in a single command.
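To make the decision flow from 3.1 and the optional checks from section 7 concrete, here is an added Python model of a DAI validator (illustration written for this page, not Cisco code). The binding table, ARP ACL, trusted-port set and sample frames are constructed; the gateway binding and the forged reply on Gi0/5 mirror the scenario in section 2.2 and quiz question 10.

```python
"""Model of the DAI decision flow from 3.1 plus the optional src-mac,
dst-mac and ip checks from section 7. Added illustration, not Cisco code;
the binding table, ARP ACL and sample frames are all constructed."""
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class ArpFrame:
    port: str         # ingress switch port
    vlan: int
    eth_src: str      # Ethernet header source / destination MAC
    eth_dst: str
    op: str           # "request" or "reply"
    sender_ip: str    # ARP sender protocol address (SPA)
    sender_mac: str   # ARP sender hardware address (SHA)
    target_mac: str   # ARP target hardware address (THA)

# DHCP snooping binding table, (vlan, ip) -> (mac, port); gateway row as in quiz 10.
BINDINGS = {(10, "192.168.1.1"): ("aa:aa:aa:aa:aa:aa", "Gi0/24"),
            (10, "192.168.1.10"): ("aa:aa:aa:aa:aa:10", "Gi0/1")}
# ARP ACL STATIC_HOSTS filtered on VLAN 10: (action, ip, mac)
ARP_ACL = {10: [("permit", "192.168.1.50", "aa:bb:cc:dd:ee:11")]}
TRUSTED_PORTS = {"Gi0/24"}                 # ip arp inspection trust
VALIDATE = {"src-mac", "dst-mac", "ip"}    # ip arp inspection validate ...

def invalid_ip(addr: str) -> bool:
    """The 'ip' check: all-zeros, broadcast or multicast sender IP is invalid."""
    return addr in ("0.0.0.0", "255.255.255.255") or ip_address(addr).is_multicast

def dai_check(f: ArpFrame) -> str:
    """Return 'FORWARD' or 'DROP: <reason>' for one ARP frame."""
    if f.port in TRUSTED_PORTS:                        # step 2: no inspection
        return "FORWARD"
    # Section 7 checks compare Ethernet header fields with the ARP payload.
    if "src-mac" in VALIDATE and f.eth_src != f.sender_mac:
        return "DROP: src-mac mismatch"
    if "dst-mac" in VALIDATE and f.op == "reply" and f.eth_dst != f.target_mac:
        return "DROP: dst-mac mismatch"
    if "ip" in VALIDATE and invalid_ip(f.sender_ip):
        return "DROP: invalid sender IP"
    for action, ip, mac in ARP_ACL.get(f.vlan, []):    # step 3: ARP ACL first
        if (ip, mac) == (f.sender_ip, f.sender_mac):
            return "FORWARD" if action == "permit" else "DROP: ARP ACL deny"
    binding = BINDINGS.get((f.vlan, f.sender_ip))      # step 4: binding lookup
    if binding is None:
        return "DROP: no binding for sender IP"
    mac, port = binding
    if mac != f.sender_mac:                            # step 5: MAC mismatch
        return "DROP: sender MAC does not match binding"
    if port != f.port:                                 # step 6: port mismatch
        return "DROP: ingress port does not match binding"
    return "FORWARD"                                   # step 7

BAD, GW, HOST = "ee:ee:ee:ee:ee:ee", "aa:aa:aa:aa:aa:aa", "aa:aa:aa:aa:aa:10"
FRAMES = {  # constructed: 2.2 spoof on Gi0/5, legit client, static host, bad header
    "spoofed_gateway": ArpFrame("Gi0/5", 10, BAD, HOST, "reply", "192.168.1.1", BAD, HOST),
    "legit_host": ArpFrame("Gi0/1", 10, HOST, GW, "reply", "192.168.1.10", HOST, GW),
    "static_host": ArpFrame("Gi0/3", 10, "aa:bb:cc:dd:ee:11", "ff:ff:ff:ff:ff:ff",
                            "request", "192.168.1.50", "aa:bb:cc:dd:ee:11", "00:00:00:00:00:00"),
    "header_mismatch": ArpFrame("Gi0/1", 10, BAD, GW, "reply", "192.168.1.10", HOST, GW),
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        print(f"{name:16} -> {dai_check(frame)}")
```

Running it shows the spoofed gateway reply dropped on the MAC-mismatch check, the DHCP client and the ACL-permitted static host forwarded, and the header/payload disagreement caught by src-mac before any table lookup.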

8. DAI Configuration – Step by Step

The following is a complete DAI configuration for a switch with VLAN 10, where access ports are untrusted and the uplink to the distribution switch is trusted.

8.1 Prerequisites – DHCP Snooping Must Be Enabled First

! Step 1: Enable DHCP snooping globally
Switch(config)# ip dhcp snooping

! Step 2: Enable DHCP snooping on the VLAN(s) DAI will protect
Switch(config)# ip dhcp snooping vlan 10

! Step 3: Trust the uplink toward the DHCP server
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit

8.2 Enable DAI on the VLAN

! Enable DAI on VLAN 10
Switch(config)# ip arp inspection vlan 10

8.3 Configure Trusted Uplink Ports

! Trust the uplink to the distribution/core switch
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit

8.4 Configure Rate Limiting on Access Ports

! Raise the ARP rate limit on access ports from the 15 pps default to 100 pps
! (the default already applies; tune only if legitimate hosts trip it)
Switch(config)# interface range GigabitEthernet0/1 - 20
Switch(config-if-range)# ip arp inspection limit rate 100
Switch(config-if-range)# exit

8.5 Enable Optional Validation Checks

! Enable all three optional checks (specify all in one command)
Switch(config)# ip arp inspection validate src-mac dst-mac ip

8.6 Add an ARP ACL for Static IP Hosts (if needed)

! ARP ACL for a static-IP server on VLAN 10 (MAC in IOS dotted-triplet form)
Switch(config)# arp access-list STATIC_HOSTS
Switch(config-arp-nacl)# permit ip host 192.168.10.5 mac host 001a.2b3c.4d5e
Switch(config-arp-nacl)# exit
Switch(config)# ip arp inspection filter STATIC_HOSTS vlan 10

For a complete guided walkthrough, see the DHCP Snooping & DAI Configuration Lab.

9. DAI Verification Commands

| Command | Output / Purpose |
|---|---|
| show ip arp inspection | Global DAI status — VLANs with DAI enabled, forwarded/dropped packet counts, optional checks enabled |
| show ip arp inspection vlan <id> | DAI statistics per VLAN — packets forwarded, dropped (by failure type), and DHCP drops |
| show ip arp inspection interfaces | Per-interface trust state, configured rate limit, burst interval, and current packet rate |
| show ip arp inspection statistics | Detailed forwarded/dropped counts broken down by drop reason (invalid MAC, invalid IP, binding mismatch, etc.) |
| show ip dhcp snooping binding | Displays the DHCP snooping binding table — the database DAI uses for ARP validation |
| show arp access-list | Lists all configured ARP ACLs and their permit/deny entries |
| show ip arp inspection log | Log of recent DAI drops — source IP, source MAC, VLAN, port, and reason for the drop |
| show running-config \| section arp | All DAI-related configuration, including ARP ACLs and inspection settings |

10. DAI in a Multi-Switch Environment

In a network with multiple switches, DAI must be configured consistently across all switches that share the protected VLANs. There are several key points to keep in mind:

| Consideration | Detail |
|---|---|
| Trunk ports between switches | Must be configured as DAI trusted on both ends. If left untrusted, ARP packets originating from hosts on the remote switch will be dropped because the local switch has no binding table entry for them |
| DHCP snooping binding synchronisation | Each switch maintains its own binding table. A host's DHCP lease is only in the binding table of the switch it is directly connected to — not in upstream switches (which is why uplinks must be trusted) |
| Rate limiting on trunk ports | Trusted ports have no rate limit by default. If you want to protect uplinks from ARP floods arriving from a compromised downstream switch, manually configure a higher rate limit on the trunk |
| Routers and Layer 3 SVIs | Router interfaces participating in the VLAN should be on trusted ports, or a static ARP ACL must be created for the router's IP/MAC pair, since routers do not use DHCP on their own interfaces |

11. DAI vs DHCP Snooping – Relationship Summary

| Feature | DHCP Snooping | Dynamic ARP Inspection |
|---|---|---|
| What it protects | DHCP exchanges — prevents rogue DHCP servers and DHCP starvation. See DHCP Snooping. | ARP exchanges — prevents ARP spoofing and MitM attacks |
| What it builds | The binding table (IP + MAC + port + VLAN + lease) | Uses the binding table built by DHCP snooping |
| Dependency | Independent — can be enabled without DAI | Depends on DHCP snooping (or ARP ACLs for static hosts) |
| Layer | Layer 2 feature that intercepts DHCP (a Layer 3 / application protocol) at Layer 2 | Layer 2 feature that intercepts ARP at Layer 2 |
| Trusted/untrusted ports | Yes — DHCP server uplinks are trusted | Yes — switch uplinks and infrastructure ports are trusted |
| Typical deployment order | Enable first — DAI requires the binding table DHCP snooping creates | Enable second — after DHCP snooping is running and the binding table is populated |

See DHCP Snooping for full configuration and DHCP Snooping & DAI Lab for a combined hands-on walkthrough. Complement DAI with Port Security to lock down MAC addresses on access ports.

12. DAI Quick-Reference Summary

| DAI Concept | Key Fact |
|---|---|
| Full name | Dynamic ARP Inspection |
| Attack prevented | ARP spoofing / ARP poisoning / Man-in-the-Middle. See ARP & arp -a. |
| Validation database | DHCP snooping binding table (or static ARP ACL) |
| Default port trust | All ports are untrusted by default |
| Trusted ports — ARP behaviour | Forwarded without inspection |
| Untrusted ports — ARP behaviour | Validated against the binding table; invalid packets dropped and logged to syslog |
| Default rate limit (untrusted) | 15 ARP packets per second |
| Action when rate limit exceeded | Port placed in err-disabled state. Verify with show interfaces. |
| Static IP host support | Requires a static ARP ACL (no DHCP = no binding table entry) |
| Optional validation checks | src-mac, dst-mac, ip (all disabled by default) |
| Enable DAI on VLAN | ip arp inspection vlan <id> |
| Trust a port | ip arp inspection trust (interface mode) |
| View DAI status | show ip arp inspection |
| View binding table | show ip dhcp snooping binding |
| View DAI config | show running-config \| section arp |

Test Your Knowledge – DAI Quiz

1. What is the primary purpose of Dynamic ARP Inspection (DAI)?

Correct answer is B. DAI validates ARP packets arriving on untrusted switch ports against the DHCP snooping binding table. If the sender IP and sender MAC in the ARP packet do not match the binding table entry, the packet is dropped — preventing ARP spoofing and man-in-the-middle attacks. See ARP & arp -a for how to inspect ARP caches directly.

2. Which database does DAI primarily use to validate ARP packets?

Correct answer is C. DAI consults the DHCP snooping binding table, which maps IP addresses to MAC addresses, switch ports, and VLANs based on observed DHCP exchanges. This is why DHCP snooping must be enabled before DAI for DHCP-assigned hosts.

3. By default, how are switch ports configured for DAI?

Correct answer is A. All switch ports are untrusted for DAI by default. You must explicitly configure ports as trusted using ip arp inspection trust in interface configuration mode. Uplink trunk ports to other switches, routers, and DHCP servers should be trusted.

4. A host has a statically assigned IP address and does not use DHCP. What must you configure to allow its ARP traffic through DAI on an untrusted port?

Correct answer is D. Static IP hosts never complete a DHCP exchange, so no binding table entry is created for them. A static ARP ACL with a permit ip host <IP> mac host <MAC> entry tells DAI to allow ARP packets from that specific IP/MAC pair without requiring a binding table entry.

5. What is the default DAI rate limit on untrusted ports?

Correct answer is B. The default DAI rate limit on untrusted ports is 15 ARP packets per second. If a port exceeds this rate, it is placed in err-disabled state to protect the switch CPU from ARP flood attacks. Trusted ports have no rate limit by default. Check port state with show interfaces.

6. In a two-switch topology (SW1 and SW2) with DAI enabled on both, what must be configured on the inter-switch trunk port?

Correct answer is C. Each switch has its own DHCP snooping binding table containing only entries for hosts directly connected to it. ARP packets forwarded across the trunk from hosts on the remote switch will not match the local binding table. Marking the trunk as DAI trusted on both ends tells DAI to forward these packets without validation.

7. Which optional DAI validation check compares the Ethernet frame's source MAC address to the ARP payload's sender hardware address (SHA)?

Correct answer is A. The src-mac optional check validates that the source MAC address in the outer Ethernet header matches the sender hardware address (SHA) inside the ARP payload. A mismatch indicates a forged or malformed ARP frame and the packet is dropped. Capture and analyse with Wireshark.

8. What happens to a switch port when it exceeds the DAI ARP rate limit?

Correct answer is D. When a port exceeds the DAI rate limit, the switch places the entire port in err-disabled state — shutting it down completely. The port must be manually re-enabled with shutdown followed by no shutdown, or automatic recovery can be configured with errdisable recovery cause arp-inspection. Verify port state with show interfaces <int> status.

9. What is the correct order of feature deployment when using both DHCP snooping and DAI on the same switch?

Correct answer is B. DHCP snooping must be enabled and the binding table must be populated before DAI is useful. If DAI is enabled without DHCP snooping and without ARP ACLs, all ARP packets on untrusted ports will be dropped because there are no binding table entries to validate against. Enable DHCP snooping first, let hosts renew their DHCP leases to populate the table, then enable DAI. See DHCP Snooping & DAI Lab.

10. An attacker sends a forged ARP reply claiming that the gateway IP 192.168.1.1 maps to the attacker's MAC EE:EE:EE:EE:EE:EE. The DHCP snooping binding table shows 192.168.1.1 → AA:AA:AA:AA:AA:AA on Gi0/24 (trusted uplink). The forged ARP arrives on untrusted port Gi0/5. What does DAI do?

Correct answer is C. DAI looks up the sender IP (192.168.1.1) in the binding table and finds the legitimate MAC is AA:AA:AA:AA:AA:AA. The ARP packet claims the MAC is EE:EE:EE:EE:EE:EE — a mismatch. DAI drops the packet and logs the violation to syslog. This is exactly the ARP spoofing scenario DAI is designed to prevent. Note that the gateway entry in the binding table here is a static ARP ACL entry (since the gateway uses a static IP, not DHCP). Use arp -a on the victim host to confirm its cache was not poisoned.
