Mental model
ARP is hilariously trusting. Any host on the LAN can broadcast “I am 10.0.0.1, my MAC is X” and every other host updates its ARP cache. An attacker uses this to MITM the gateway:
- Attacker broadcasts a forged ARP: “I am 10.0.0.1 (the gateway), my MAC is bb:bb:bb:bb (the attacker’s MAC).”
- Every victim’s ARP table updates.
- Victims now send their outbound traffic to the attacker’s MAC.
- Attacker reads / modifies / forwards the traffic to the real gateway. Profit.
DAI fixes this by giving the switch a way to know which IP-to-MAC bindings are legitimate, and dropping ARPs that don’t match. The source of truth: the DHCP Snooping binding table.
How it depends on DHCP Snooping
DAI doesn’t have its own database. It uses DHCP Snooping’s binding table, which was already populated by observing DHCP exchanges:
| Client MAC | IP | Port | VLAN |
|---|---|---|---|
| aa:aa:aa:aa | 10.0.0.5 | Gi0/1 | 10 |
| bb:bb:bb:bb | 10.0.0.7 | Gi0/3 | 10 |
When an ARP packet arrives on a port:
- DAI extracts the sender IP and sender MAC from the ARP packet.
- Looks up the (IP, MAC, port) triple in the binding table.
- Match → forward normally. Mismatch → drop + log + (optional) shut the port.
This means an attacker on port Gi0/3 can claim their own IP (10.0.0.7), but can’t claim the gateway’s IP (10.0.0.1) because 10.0.0.1 isn’t in the binding table on Gi0/3.
Trusted vs untrusted ports
Like DHCP Snooping, DAI has the concept of trusted ports — typically uplinks where you can’t verify bindings:
- Trusted port — ARPs pass without checking. Use only for uplinks to other trusted switches.
- Untrusted port (default) — ARPs validated against the binding table.
Commands
! Step 1 — DHCP Snooping must be enabled first
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 10,20
! Uplink to the upstream switch: trust DHCP server messages arriving here
SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# ip dhcp snooping trust
! Step 2 — Enable DAI on the same VLAN(s)
SW1(config)# ip arp inspection vlan 10,20
! Step 3 — Mark uplinks as DAI-trusted
SW1(config)# interface GigabitEthernet0/24
SW1(config-if)# ip arp inspection trust
! Step 4 (optional) — Rate-limit ARP on access ports (15 packets/sec)
SW1(config)# interface range GigabitEthernet0/1 - 23
SW1(config-if-range)# ip arp inspection limit rate 15
Static hosts (no DHCP)? Use ARP ACLs
DAI fails closed by default for hosts that didn’t use DHCP (servers, printers with static IPs). To explicitly whitelist them:
SW1(config)# arp access-list STATIC-HOSTS
SW1(config-arp-nacl)# permit ip host 10.0.0.50 mac host 0050.5600.aabb
SW1(config-arp-nacl)# permit ip host 10.0.0.51 mac host 0050.5600.aacc
SW1(config)# ip arp inspection filter STATIC-HOSTS vlan 10
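The decision path from the two sections above (binding-table lookup, trusted-port bypass, ARP ACL for static hosts), as an added Python simulation. This is not IOS code and not from the original page. It assumes the binding table and STATIC-HOSTS ACL shown above, Gi0/24 as the trusted uplink, full-length versions of the abbreviated MACs in the table, and a constructed `acl_static` flag that models the difference between applying the ACL with and without the `static` keyword (without it, an ARP that matches no ACL entry falls through to the DHCP binding check; with it, the implicit deny drops the packet).

```python
import re
from dataclasses import dataclass

# Hypothetical simulation of the DAI decision path (added example, not IOS code).
# Assumed inputs mirror the text: the binding table, trusted uplink Gi0/24,
# the STATIC-HOSTS ARP ACL on VLAN 10, and DAI enabled on VLANs 10 and 20.


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted (0050.5600.aabb) or colon form; return lowercase colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_mac: str
    sender_ip: str


# Constructed data: full-length versions of the abbreviated MACs in the table above.
BINDINGS = {
    Binding(normalize_mac("aaaa.aaaa.aaaa"), "10.0.0.5", "Gi0/1", 10),
    Binding(normalize_mac("bbbb.bbbb.bbbb"), "10.0.0.7", "Gi0/3", 10),
}
TRUSTED_PORTS = {"Gi0/24"}
DAI_VLANS = {10, 20}
# arp access-list STATIC-HOSTS, applied to VLAN 10 with 'ip arp inspection filter'
STATIC_HOSTS_ACL = {
    ("10.0.0.50", normalize_mac("0050.5600.aabb")),
    ("10.0.0.51", normalize_mac("0050.5600.aacc")),
}
ACL_BY_VLAN = {10: STATIC_HOSTS_ACL}


def inspect(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS,
            acl_by_vlan=ACL_BY_VLAN, acl_static=False):
    """Return (verdict, reason) for one ARP packet, in the order DAI evaluates it."""
    if pkt.vlan not in DAI_VLANS:
        return "forward", "vlan not inspected"
    if pkt.ingress_port in trusted:
        return "forward", "trusted port"          # uplinks bypass validation
    mac = normalize_mac(pkt.sender_mac)
    acl = acl_by_vlan.get(pkt.vlan)
    if acl is not None:                            # ARP ACL is consulted first
        if (pkt.sender_ip, mac) in acl:
            return "forward", "acl permit"
        if acl_static:                             # 'static' keyword: implicit deny is final
            return "drop", "acl implicit deny (static)"
    # Port and VLAN are part of the key: a valid binding on another port does not count.
    if Binding(mac, pkt.sender_ip, pkt.ingress_port, pkt.vlan) in bindings:
        return "forward", "dhcp binding match"
    return "drop", "no binding for (ip, mac, port, vlan)"


def run_scenarios():
    """Constructed cases from the text; returns name -> (verdict, reason)."""
    gw_spoof = ArpPacket("Gi0/3", 10, "bbbb.bbbb.bbbb", "10.0.0.1")
    own_lease = ArpPacket("Gi0/3", 10, "bbbb.bbbb.bbbb", "10.0.0.7")
    peer_lease = ArpPacket("Gi0/3", 10, "aaaa.aaaa.aaaa", "10.0.0.5")
    uplink_gw = ArpPacket("Gi0/24", 10, "0000.0c00.0001", "10.0.0.1")  # placeholder gateway MAC
    static_srv = ArpPacket("Gi0/5", 10, "0050.5600.aabb", "10.0.0.50")
    return {
        "gateway spoof from Gi0/3": inspect(gw_spoof),
        "own DHCP lease from Gi0/3": inspect(own_lease),
        "peer's lease claimed from Gi0/3": inspect(peer_lease),
        "gateway ARP via trusted uplink": inspect(uplink_gw),
        "static server with ARP ACL": inspect(static_srv),
        "static server, ACL forgotten": inspect(static_srv, acl_by_vlan={}),
        "uninspected VLAN 30": inspect(ArpPacket("Gi0/7", 30, "cccc.cccc.cccc", "10.0.30.9")),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in run_scenarios().items():
        print(f"{name:34s} -> {verdict:7s} ({reason})")
```

The "static server, ACL forgotten" case is the mistake called out later on this page: a correct host is dropped because it never produced a DHCP binding, and only the ARP ACL rescues it.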
Verification
SW1# show ip arp inspection
SW1# show ip arp inspection vlan 10
SW1# show ip arp inspection statistics
SW1# show ip arp inspection interfaces
`show ip arp inspection statistics` shows ARP packets forwarded, dropped, and the reason for each drop (DHCP-binding failures vs. ACL denies) — invaluable for confirming DAI is doing real work.
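To turn those drop counters into something actionable, here is an added Python triage script (not from the original page, not Cisco code) that parses constructed syslog lines in the `%SW_DAI-4-DHCP_SNOOPING_DENY`, `%SW_DAI-4-PACKET_RATE_EXCEEDED` and `%PM-4-ERR_DISABLE` format IOS emits for DAI events. The exact wording varies by platform and release, so treat the regexes as assumptions to check against your own logs. It groups drops per port, flags ports whose dropped ARPs claimed the gateway IP, and separates those from a static host that is merely missing its ARP ACL entry.

```python
import re
from collections import defaultdict

# Constructed sample in the IOS %SW_DAI / %PM syslog format (assumed; wording varies
# by platform and release). These lines are not from the original page.
SAMPLE_LOG = """\
Mar  1 12:00:01.101: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/3, vlan 10.([bbbb.bbbb.bbbb/10.0.0.1/aaaa.aaaa.aaaa/10.0.0.5/12:00:01 UTC Mon Mar 1 2021])
Mar  1 12:00:01.205: %SW_DAI-4-DHCP_SNOOPING_DENY: 3 Invalid ARPs (Res) on Gi0/3, vlan 10.([bbbb.bbbb.bbbb/10.0.0.1/aaaa.aaaa.aaaa/10.0.0.5/12:00:01 UTC Mon Mar 1 2021])
Mar  1 12:00:03.410: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/5, vlan 10.([0050.5600.aabb/10.0.0.50/0000.0000.0000/10.0.0.1/12:00:03 UTC Mon Mar 1 2021])
Mar  1 12:00:04.000: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Gi0/3.
Mar  1 12:00:04.002: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi0/3, putting Gi0/3 in err-disable state
"""

# Bracketed payload is sender MAC / sender IP / target MAC / target IP / timestamp.
DENY_RE = re.compile(
    r"%SW_DAI-4-(?P<kind>DHCP_SNOOPING_DENY|ACL_DENY): (?P<count>\d+) Invalid ARPs "
    r"\((?P<op>Req|Res)\) on (?P<port>\S+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/[^\]]*\]\)"
)
RATE_RE = re.compile(
    r"%SW_DAI-4-PACKET_RATE_EXCEEDED: \d+ packets received in \d+ milliseconds on (?P<port>\S+)\."
)
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: arp-inspection error detected on (?P<port>\S+),")


def summarize(log, protected_ips, known_static=None):
    """Per-port triage of DAI drops.

    protected_ips: IPs nobody on an untrusted port may claim (gateway, servers).
    known_static:  ip -> dotted MAC of legitimate static-IP hosts (constructed inventory).
    """
    known_static = known_static or {}
    ports = defaultdict(lambda: {"drops": 0, "claimed": set(), "rate_exceeded": False,
                                 "err_disabled": False, "verdict": "ok"})
    for line in log.splitlines():
        m = DENY_RE.search(line)
        if m:
            p = ports[m["port"]]
            p["drops"] += int(m["count"])          # throttled logs carry a count > 1
            p["claimed"].add((m["sip"], m["smac"]))
            continue
        m = RATE_RE.search(line)
        if m:
            ports[m["port"]]["rate_exceeded"] = True
            continue
        m = ERRDIS_RE.search(line)
        if m:
            ports[m["port"]]["err_disabled"] = True
    for port, p in ports.items():
        if any(ip in protected_ips for ip, _ in p["claimed"]):
            p["verdict"] = "gateway impersonation: investigate host"
        elif any(known_static.get(ip) == mac for ip, mac in p["claimed"]):
            p["verdict"] = "legit static host blocked: add ARP ACL entry"
        elif p["claimed"]:
            p["verdict"] = "unknown binding: check DHCP snooping / static IP"
    return dict(ports)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, {"10.0.0.1"}, {"10.0.0.50": "0050.5600.aabb"})
    for port, p in sorted(report.items()):
        flags = [f for f in ("rate_exceeded", "err_disabled") if p[f]]
        print(f"{port}: {p['drops']} dropped, claimed {sorted(p['claimed'])}, "
              f"{p['verdict']}{' [' + ', '.join(flags) + ']' if flags else ''}")
```

The same port showing gateway-IP claims, a rate-limit burst and an err-disable is the signature you expect from the attack described at the top of the page; a single drop from a known static MAC claiming its own IP is the "static hosts forgotten" mistake and needs an ACL entry, not an incident ticket.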
Layer-2 security stack — DAI is one piece
DAI is one of three core Layer-2 defenses that work together, with IP Source Guard as a fourth built on the same binding table:
| Feature | Defends against |
|---|---|
| Port Security | MAC flooding, unauthorized devices on a port |
| DHCP Snooping | Rogue DHCP servers handing out malicious gateways |
| DAI | ARP spoofing / poisoning attacks |
| IP Source Guard (IPSG) | IP spoofing — only allow traffic from legit (IP, MAC, port) bindings |
Deploy together for proper defense in depth. Skipping any one leaves a hole the others can’t cover.
Common mistakes
- Enabling DAI without DHCP Snooping. DAI has no binding table → drops everything. Always configure DHCP Snooping first, validate it works, then add DAI.
- Forgetting to trust uplinks. Without `ip arp inspection trust` on the uplink, ARPs from other trusted switches get inspected — which they shouldn't be — and many get dropped. Always trust uplinks.
- Rate limit too aggressive. Default is 15 pps on access ports — plenty for normal use. If you set 2 pps, a normal client doing initial ARP discovery for printers, DNS, gateway, etc. gets err-disabled.
- Static-IP hosts forgotten. A server with a static IP didn't go through DHCP → no binding → DAI drops its ARPs → server unreachable. Use ARP ACLs to whitelist.
- Trusting an access port. If you accidentally `ip arp inspection trust` a user-facing port, that user can ARP-spoof anything. Trust only uplinks.
- Ignoring the err-disable risk. By default, exceeding the rate limit err-disables the port. In tight environments, this can be triggered by a misbehaving client. Pair with `errdisable recovery cause arp-inspection`.
Lab to try tonight
- Set up one switch, two PCs in the same VLAN, with DHCP Snooping already working.
- Enable DAI: `ip arp inspection vlan <N>` + trust the uplink.
- From PC-A, run any ARP-spoofing tool (e.g. `arpspoof` from the dsniff suite) claiming to be the gateway.
- From PC-B, run `arp -a` (Windows) or `ip neigh` (Linux). Without DAI, you'd see the attacker's MAC for the gateway. With DAI, you don't — the spoofed ARPs were dropped at the switch.
- Check `show ip arp inspection statistics` — DAI's "drop" counter shows the blocked packets.
- Bonus: capture on the inter-switch trunk with Wireshark. Confirm the spoofed ARPs never crossed.
Cheat strip
| Concept | Plain English |
|---|---|
| DAI | Inspects ARP packets, drops fakes |
| Binding table | Source of truth — comes from DHCP Snooping |
| Trusted port | ARPs pass without check — uplinks only |
| Untrusted port | Default — ARPs validated |
| Rate limit | Cap ARPs per second per port (default 15) |
| ARP ACL | Whitelist static-IP hosts manually |
| Layer-2 trio | Port Security + DHCP Snooping + DAI |
| Static hosts | Need ARP ACL or DAI will block their ARPs |