DAI is used to prevent invalid or gratuitous ARP requests in the same VLAN.
When ARP is used correctly, a host sends a broadcast to locate the MAC of a destination host. The Destinations host replies with it's MAC and the originator caches that MAC address and applies it to the Dest field in it's packets.
ARP spoofing is where an attacker appears as the Destination host by supplying it's MAC address against the legitimate host's IP address. The Originating host caches the attacker's MAC and directs packets to the rogue Destination instead of the legitimate Destination.
DAI intercepts packets on Untrusted ports, packets are then validated for IP-to-MAC bindings that have been gathered from DHCP Snooping.
Denied packets are dropped and/or logged. Incoming ARP requests from Trusted ports are not inspected. Like DHCP you can also rate limit the ARP requests per second. Rate limiting can help prevent port scanning.
In general configure all Access ports as Untrusted. Configure all switch trunks as Trusted so that no further inspection of packets is required as the request travels through the Access-Distribution- Core of your infrastructure.
Enable DAI on a per VLAN basis:
SW1(config)#ip arp inspection vlan [id]
Define your trusted ports:
SW1(config-if)#ip arp inspection trust
NOTE - default configuration for ports is Untrusted.
Use the following commands to verify your config:
SW1#show ip arp inspection interfaces
- Displays interfaces, trust level, any rate limiting, and any bursts noted.
SW1#show ip arp inspection vlan 10
- Displays DAI state for the vlan (Enable/Disabled)
SW1#show ip dhcp snooping bindings
- Displays MAC-to-IP bindings.