26-3
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 26 Configuring Dynamic ARP Inspection
Information About Dynamic ARP Inspection
Interface Trust States and Network Security
DAI associates a trust state with each interface on the switch. Packets arriving on trusted interfaces
bypass all DAI validation checks, and those arriving on untrusted interfaces undergo the DAI validation
process.
In a typical network configuration, you configure all switch ports connected to host ports as untrusted
and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets
entering the network from a given switch bypass the security check. No other validation is needed at any
other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection
trust interface configuration command.
Caution Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be
trusted can result in a loss of connectivity.
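The following is an added configuration example, not taken from the guide, that shows the trust-state assignment the text describes: the host-facing access port is left untrusted so its ARP packets are validated, and the uplink to a neighboring switch that also runs DAI is trusted so packets already validated there are not dropped. The interface names (FastEthernet1/1, GigabitEthernet1/1) and VLAN 10 are assumed; the show command at the end is the check to run before enabling DAI on a production VLAN.

```ios
! Added example, not from the guide. Interface names and VLAN 10 are assumed.
! Enable DAI on the VLAN that contains the hosts.
configure terminal
 ip arp inspection vlan 10
!
! Host-facing port: keep the default (untrusted) so every ARP packet from the
! host is checked against the DHCP snooping binding table. The "no" form is
! given explicitly so the intent is visible in the running configuration.
 interface FastEthernet1/1
  description Host 1 (untrusted - DAI validates ARP here)
  switchport access vlan 10
  no ip arp inspection trust
!
! Inter-switch link to a neighbor that also runs DAI: trusted, so ARP packets
! the neighbor already validated are not dropped here (the Figure 26-2 case).
 interface GigabitEthernet1/1
  description Uplink to Switch B (trusted - neighbor runs DAI)
  switchport mode trunk
  ip arp inspection trust
 end
!
! Verify: host ports should report Untrusted, only inter-switch links Trusted.
show ip arp inspection interfaces
```

Review the output of show ip arp inspection interfaces against the physical topology: a host port that shows Trusted is the "security hole" case the text warns about, and an inter-switch link that shows Untrusted toward a DAI-running neighbor is the loss-of-connectivity case.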
In Figure 26-2, assume that both Switch A and Switch B are running DAI on the VLAN that includes
Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to
Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface between
Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B. Connectivity
between Host 1 and Host 2 is lost.
Figure 26-2 ARP Packet Validation on a VLAN Enabled for DAI
Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the
network. If Switch A is not running DAI, Host 1 can easily poison the ARP cache of Switch B (and Host
2, if the link between the switches is configured as trusted). This condition can occur even though Switch
B is running DAI.
DAI ensures that hosts (on untrusted interfaces) connected to a switch running DAI do not poison the
ARP caches of other hosts in the network. However, DAI does not prevent hosts in other portions of the
network from poisoning the caches of the hosts that are connected to a switch running DAI.
If some switches in a VLAN run DAI and other switches do not, configure the interfaces connecting
these switches as untrusted. However, to validate the bindings of packets from non-DAI switches,
configure the switch running DAI with ARP ACLs. When you cannot determine the bindings, isolate
the switches running DAI from the switches not running DAI at Layer 3.
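An added example, not from the guide, of the ARP ACL approach for the mixed case just described: the link to a switch that does not run DAI stays untrusted, and the hosts behind that switch are validated against a static ARP ACL instead of DHCP snooping bindings the DAI switch never learned. The ACL name, VLAN, IP addresses, MAC addresses and interface name are constructed placeholders.

```ios
! Added example, not from the guide. Names, addresses and MACs are constructed.
configure terminal
! Static IP-to-MAC bindings for the hosts behind the non-DAI switch.
 arp access-list NON-DAI-HOSTS
  permit ip host 10.10.10.21 mac host 0000.0c01.0021
  permit ip host 10.10.10.22 mac host 0000.0c01.0022
!
! Apply the ACL to the DAI-enabled VLAN. Without the "static" keyword, ARP
! packets that match no ACL entry are still checked against the DHCP snooping
! bindings; with "static", the ACL is the only source of truth and unmatched
! ARP packets are dropped.
 ip arp inspection filter NON-DAI-HOSTS vlan 10
!
! Link to the switch that does NOT run DAI: keep it untrusted so its ARP
! traffic is validated here rather than waved through.
 interface GigabitEthernet1/2
  description Uplink to non-DAI switch (untrusted, validated by ARP ACL)
  switchport mode trunk
  no ip arp inspection trust
 end
!
! Verify that the ACL is applied to the VLAN and watch the drop counters.
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

A rising ACL-denied or DHCP-denied counter on the VLAN after this change usually means a host behind the non-DAI switch is missing from the ACL (or has a changed MAC), not necessarily an attack; compare the denied sender addresses with the intended bindings before widening the ACL. If the set of hosts behind the non-DAI switch cannot be enumerated, that is the case where the text recommends Layer 3 isolation instead.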
[Figure 26-2 topology elements: DHCP server, Switch A, Switch B, Host 1, Host 2, Port 1, Port 3]