Understanding DAI
Figure 38-2 ARP Packet Validation on a VLAN Enabled for DAI (figure not reproduced; it shows Host 1, Router A, Router B, Host 2, and a DHCP server)
Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the
network. If Router A is not running DAI, Host 1 can easily poison the ARP cache of Router B (and Host
2, if the link between the routers is configured as trusted). This condition can occur even though
Router B is running DAI.
DAI ensures that hosts (on untrusted interfaces) connected to a router running DAI do not poison the
ARP caches of other hosts in the network. However, DAI does not prevent hosts in other portions of the
network from poisoning the caches of the hosts that are connected to a router running DAI.
In cases in which some routers in a VLAN run DAI and other routers do not, configure the interfaces
connecting such routers as untrusted. However, to validate the bindings of packets from routers where
DAI is not configured, configure ARP ACLs on the router running DAI. When you cannot determine
such bindings, isolate routers running DAI at Layer 3 from routers not running DAI. For configuration
information, see the "Sample Two: One Switch Supports DAI" section on page 38-21.
Note Depending on the setup of the DHCP server and the network, it might not be possible to validate a given
ARP packet on all routers in the VLAN.
Rate Limiting of ARP Packets
Because the router performs DAI validation checks on each ARP packet it receives, it rate limits incoming
ARP packets to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is
15 packets per second (pps). Trusted interfaces are not rate limited. You can change this setting by using
the ip arp inspection limit interface configuration command.
When the rate of incoming ARP packets exceeds the configured limit, the router places the port in the
error-disabled state. The port remains in that state until you intervene. You can use the errdisable
recovery global configuration command to enable error disable recovery so that ports automatically
emerge from this state after a specified timeout period.
For configuration information, see the "Configuring ARP Packet Rate Limiting" section on page 38-9.
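The mixed-DAI trust guidance and the rate-limiting settings above, brought together in one Cisco IOS configuration. This is an added illustration, not a configuration from the guide; the VLAN number, interface names, host address, MAC address, rate values and recovery timer are assumptions.

```cisco
! Added example (not from the guide). Router B runs DAI on VLAN 10 (assumed);
! Router A on the far side of GigabitEthernet1/1 does not run DAI.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Host 1 sits behind Router A, so DHCP snooping on Router B never learns its
! binding. An ARP ACL supplies it instead (hypothetical address and MAC).
arp access-list DAI-ROUTERA-HOSTS
 permit ip host 192.0.2.11 mac host 0000.5e00.5311
!
ip arp inspection filter DAI-ROUTERA-HOSTS vlan 10
!
interface GigabitEthernet1/1
 description Link to Router A (no DAI) - must stay untrusted
 switchport
 switchport access vlan 10
 ! Untrusted is the default; shown explicitly. Configuring
 ! "ip arp inspection trust" here would let Host 1's ARP packets bypass
 ! validation and poison Router B's ARP cache, as described above.
 no ip arp inspection trust
 ! Keep the default 15 pps limit on the inter-router link.
 ip arp inspection limit rate 15 burst interval 1
!
interface GigabitEthernet1/2
 description Host 2 access port
 switchport
 switchport access vlan 10
 ! Raised limit for a busier host port (assumed value).
 ip arp inspection limit rate 30 burst interval 1
!
! A port that exceeds its limit is err-disabled; let it recover on its own
! after 300 seconds (assumed value) instead of waiting for manual intervention.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

After applying the configuration, "show ip arp inspection interfaces" lists each port's trust state and rate limit, and "show errdisable recovery" confirms the arp-inspection cause is enabled.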
Relative Priority of ARP ACLs and DHCP Snooping Entries
DAI uses the DHCP snooping binding database for the list of valid IP-to-MAC address bindings.
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
Chapter 38 Configuring Dynamic ARP Inspection
OL-4266-08