Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 32
Understanding and Configuring Dynamic ARP Inspection
This chapter describes how to configure Dynamic ARP Inspection (DAI) on the Catalyst 4500 series
switch.
This chapter includes the following major sections:
Overview of Dynamic ARP Inspection
Configuring Dynamic ARP Inspection
Note: For complete syntax and usage information for the switch commands used in this chapter, refer to the
Catalyst 4500 Series Switch Cisco IOS Command Reference and related publications at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/index.htm.

Overview of Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature that validates Address Resolution Protocol (ARP)
packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with
invalid MAC-IP pairs. This capability protects the network from certain “man-in-the-middle” attacks.
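The following is an added illustration, not Cisco code and not part of the original guide: a small model of the intercept, log, and discard decision for ARP packets with invalid MAC-IP pairs. The BINDINGS table, the VLAN numbers, and the function names are assumptions standing in for whatever trusted source of MAC-IP bindings the switch consults.

```python
import struct

# Constructed binding table (assumption): (VLAN, sender IP) -> expected sender MAC.
BINDINGS = {
    (10, "10.0.0.5"): "00:11:22:33:44:55",
    (10, "10.0.0.1"): "00:aa:bb:cc:dd:01",
}

def parse_arp(payload: bytes) -> dict:
    """Parse a 28-byte Ethernet/IPv4 ARP payload (RFC 826 layout)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"oper": oper, "sender_mac": mac(sha), "sender_ip": ip(spa),
            "target_mac": mac(tha), "target_ip": ip(tpa)}

def inspect(vlan: int, payload: bytes, log: list) -> bool:
    """Return True to forward, False to discard; every discard is logged."""
    try:
        arp = parse_arp(payload)
    except ValueError as exc:
        log.append(f"DROP vlan={vlan} malformed: {exc}")
        return False
    expected = BINDINGS.get((vlan, arp["sender_ip"]))
    if expected != arp["sender_mac"]:
        log.append(f"DROP vlan={vlan} invalid pair "
                   f"{arp['sender_mac']}/{arp['sender_ip']}")
        return False
    return True

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed ARP payload used only as sample input."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(o) for o in s.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + m(sender_mac) + i(sender_ip) + m(target_mac) + i(target_ip))

if __name__ == "__main__":
    log = []
    good = build_arp(2, "00:11:22:33:44:55", "10.0.0.5", "00:aa:bb:cc:dd:01", "10.0.0.1")
    # Constructed sample: sender claims 10.0.0.1 with a MAC not bound to that IP.
    bad = build_arp(2, "00:11:22:33:44:55", "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.9")
    print(inspect(10, good, log), inspect(10, bad, log), log)
```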
This section contains the following subsections:
ARP Cache Poisoning
Purpose of Dynamic ARP Inspection
Interface Trust State, Security Coverage and Network Configuration
Relative Priority of Static Bindings and DHCP Snooping Entries
Logging of Dropped Packets
Rate Limiting of ARP Packets
Port Channels and Their Behavior