Chapter 38
Configuring Dynamic ARP Inspection
Understanding DAI
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX, OL-4266-08, page 38-3

DAI ensures that only valid ARP requests and responses are relayed. The router performs these activities:
• Intercepts all ARP requests and responses on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
• Drops invalid ARP packets

DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the router. If the ARP packet is received on a trusted interface, the router forwards the packet without any checks. On untrusted interfaces, the router forwards the packet only if it is valid.

DAI can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured IP addresses (see the "Applying ARP ACLs for DAI Filtering" section on page 38-8).

The router logs dropped packets (see the "Logging of Dropped Packets" section on page 38-5).

You can configure DAI to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header (see the "Enabling Additional Validation" section on page 38-11).

Interface Trust States and Network Security

DAI associates a trust state with each interface on the router. Packets arriving on trusted interfaces bypass all DAI validation checks, and those arriving on untrusted interfaces undergo the DAI validation process.

In a typical network configuration, you configure all router ports connected to host ports as untrusted and configure all router ports connected to routers as trusted. With this configuration, all ARP packets entering the network from a given router bypass the security check. No other validation is needed at any other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection trust interface configuration command.

Caution   Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity.

In Figure 38-2, assume that both Router A and Router B are running DAI on the VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Router A, only Router A binds the IP-to-MAC address of Host 1. Therefore, if the interface between Router A and Router B is untrusted, the ARP packets from Host 1 are dropped by Router B. Connectivity between Host 1 and Host 2 is lost.
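The DAI decision procedure described above (trust state first, then the binding check, then the optional Ethernet-header MAC check) and the Figure 38-2 loss-of-connectivity scenario, as an added Python model that is not part of the Cisco guide. The port names, MAC and IP addresses and the validate_src_mac switch are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    """Fields of an ARP frame that DAI looks at (constructed sample data, not captures)."""
    in_port: str      # ingress interface on the inspecting router
    eth_src: str      # source MAC in the Ethernet header
    sender_mac: str   # sender hardware address in the ARP body
    sender_ip: str    # sender protocol address in the ARP body


@dataclass
class DaiRouter:
    """One router running DAI on a VLAN with its own DHCP snooping binding database."""
    trusted_ports: frozenset
    bindings: dict                  # ip -> mac, as learned by DHCP snooping
    validate_src_mac: bool = False  # models the optional "additional validation" check
    log: list = field(default_factory=list)

    def inspect(self, pkt: ArpPacket) -> str:
        # Packets arriving on trusted interfaces bypass every DAI check.
        if pkt.in_port in self.trusted_ports:
            return "forward"
        mac = pkt.sender_mac.lower()
        # Additional validation: MAC in the ARP body must match the Ethernet header.
        if self.validate_src_mac and pkt.eth_src.lower() != mac:
            return self._drop(pkt, "src-mac mismatch")
        # Core check: the IP-to-MAC pair must exist in the trusted binding database.
        if self.bindings.get(pkt.sender_ip, "").lower() != mac:
            return self._drop(pkt, "no valid IP-to-MAC binding")
        return "forward"

    def _drop(self, pkt: ArpPacket, reason: str) -> str:
        self.log.append(f"DAI drop on {pkt.in_port}: {pkt.sender_ip}/{pkt.sender_mac} ({reason})")
        return "drop"


def figure_scenario(inter_router_link_trusted: bool) -> str:
    """Figure 38-2: Host 1 leases its address through Router A only, so only Router A
    holds its binding. Ports gi1/1 (host) and gi1/2 (inter-router link) are constructed."""
    host1_mac, host1_ip = "00:11:22:33:44:01", "10.0.0.1"
    router_a = DaiRouter(frozenset({"gi1/2"}), {host1_ip: host1_mac})
    router_b = DaiRouter(frozenset({"gi1/2"}) if inter_router_link_trusted else frozenset(), {})
    if router_a.inspect(ArpPacket("gi1/1", host1_mac, host1_mac, host1_ip)) == "drop":
        return "drop at Router A"
    # Router A relays the ARP packet over the inter-router link into Router B's gi1/2.
    relayed = ArpPacket("gi1/2", host1_mac, host1_mac, host1_ip)
    return "reaches Host 2" if router_b.inspect(relayed) == "forward" else "drop at Router B"


if __name__ == "__main__":
    print("untrusted link:", figure_scenario(False), "| trusted link:", figure_scenario(True))
```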