January 30, 2023
Chicago 12, Melborne City, USA

Dynamic ARP inspection

What is Dynamic ARP inspection:


Dynamic ARP Address Resolution Protocol (arp) Inspection (DAI) is a security measure that validates ARP packets in an enterprise network.

The DAI leaves the network administrator command ARP packet MAC to IP in the address packet.

This security attribute protects the network from certain man-in-the-middle injections.

The following subsections in this section. 

  • Cache poisoning.
  • Dynamic inspection.
  • Trust state security.
  • Coverage Configuration.
  • Relative priority static binding.
  • Denied Packets.
  • Rate Limiting of ARP Packets.
  • Port Channels and behavior.

Cache poisoning:

To attack routers and hosts connected to your Layer 2 network, you can poison their ARP caches.


A malicious user might poison ARP caches of systems connected to the so-called network to prevent traffic intended for others.

Dynamic inspection:

Next to that mentioned in the previous section, a switch must ensure that legitimate ARP responses aren’t relayed to prevent a similar attack.

DAI fights these attacks by intercepting all ARP requests and responses.

Evaluation of ARP:

DAI evaluates the validity of an ARP packet by validating MAC addresses stored in the Database.

Trust state security:

  • DAI associates a trusted state with each interface on the system.
  • Packets arriving on trusted interfaces bypass all DAI validation, while those arriving on untrusted interfaces go through the DAI validation.
  • A network configuration for DAi typically requires no ports to become hostile, but all ports can become aggressive to get switched.

Coverage Configuration:

  1. Two Switches Support Dynamic ARP Inspection.
  2. One Switch Supports Dynamic ARP Inspection.
  • Two Switches Support Dynamic ARP Inspection: Assume that there are two switches, S1 and S2, with hosts H1 and H2 connected, respectively.
  • S1 and S2 run DAI on VLAN 1, where the hosts are present.
  • The S1 interface, FA6 /3, is connected to the S2 interface type, FA3 /3, and a DHCP server is connected to S1.
  • Both hosts lay claim to the same IP address from a DHCP server.
  1. One Switch Supports Dynamic ARP Inspection:
  • If switch S2 does not support network MAC address(DAI) and(DHCP), you are snooping or dynamic host configuration FA6-3 set as untrusted.
  • To prevent this possibility, you will need to configure interface FA6-3 as untrusted.
  • To protect ARP packets on your account, you must set up an ARP ACL and apply it to VLAN 1.

Relative priority static binding:

  • DAI prepares its Database of valid MAC address to IP address bindings through DHCP snooping.
  • It also validates ARP packets against statically defined ARP ACLs.
  • Note that the ARP ACLs are the ones with precedence over the DHCP snooping Database.
  • ARP packets are fixed against user-configured ARP ACLs.

Denied Packets:

  • DAI maintains a log of IP ARP packets.
  • Log entries are cleared only when they are generated at a controlled pace.

Rate Limiting of ARP Packets:

  • DAID performs validation checks in the CPU, so the number of incoming ARP packets is limited to prevent service attacks.
  • By default, the rate for untrusted interfaces is set to 15 packets per second, whereas trusted interfaces have no rate limit.
  • If the incoming ARP packets exceed the specified limit, the port is disabled.
  • Enabling errdisable recovery will allow you to turn on automatic port closure after a specific time.

Port Channels and behavior:

  • A given physical port can join the channel only when the trust state of the physical port and the medium are equal. Otherwise, the physical port remains suspended in the medium.
  • A channel inherits its trust state from the first physical port that joined it.
  • There’s a different level of trust for the physical port than the second channel.
  • The hourly limit on port connections is incredibly high.

Why do we need an ARP inspection:

Let’s assume we’re in the First Condition of our first example.

In this case, another PC, PC3, could send Gratuitous ARP packets or an ARP Reply that an ARP Request to reconfigure.

Unknowingly, PC2 will edit its ARP cache and change the MAC address of PC1 to PC3.

PC3 can spoof PC2 as a different IP address by lying about its own MAC address.

How Does DAI Prevent a Man-in-the-Middle Attack:

With the Dynamic ARP Inspection (DAI) function, the switch compares incoming ARP and should ensure that entries match.

  • Any configured ARP ACLs
  • DHCP Snooping Binding Table.

How does ARP work:

  • When you enable DAI on a VLAN, by default, all member ports are allowed.
  • You must manually configure trusted ports.
  • In a typical network setup, ports that are related to host ports are preferable.
  • You configure ports that are related to other switches or routers as trusted.
  • DAI conducts compliance checks based on binding information extracted from a trusted database.
  • The binding Database for DAI is the ARP table and the DHCP snooping table, which supports DAI, DHCP, and IP Source Guard.
  • DAI checks, via an ARP request packet, the source IP address and source MAC address against the ARP table.
  • For an ARP reply packet, DAI checks, IP, MAC, destination MAC addresses, the ARP table, and mask.

 Testing is that DAI is working correctly:


Confirm that dynamic ARP inspection (DAI) is working on the switch.


From an appliance connected to the switch, send some ARP message requests.

The number of ARP packets received and inspected per interface, such as how many packages passed and how many failed.

The switch compares the ARP requests and replies to the DHCP snooping Database.

How to prevent ARP poisoning:

To stop an ARP Poisoning.

  • Summit all
  • BlackDiamond all
  • EXOS all

The ARP Validation command uses the DHCP-Binding Database, so enable DHCP Snooping by utilizing the power below.

enable ip-security dhcp-snooping vlan port violation-action drop-packet

Use the following command to configure ARP validation on an Intel system.

enable ip-security arp validation VLAN ports violation-action drop-packet

How to prevent IP-spoofing of a VRRP gateway:

  1. VOSS
  2. VSP 9000
  • You can prevent VLAN logical IP spoofing by blocking the external use of the device’s IP address.
  • A configurable option is available for each port that detects a duplicate IP address and blocks all packets with a destination address.
  • If an ARP packet contains the same source Internet Protocol (IP) address as the logical VLAN IP address of the receiving port by the port hardware, the hardware discards traffic from that port.

If you use Split MultiLink Trunking (SMLT), configure this option on both SMLT aggregation devices to prevent connectivity issues.

What is ARP Spoofer?

The ARP Spoofer feature of the Ipanema network allows the Ipanema system to send spoofed ARP replies to the LAN of CPE.

Leave a Reply

Your email address will not be published. Required fields are marked *