Dynamic ARP Inspection

dynamic arp inspection trusted untrusted

What is Dynamic ARP Inspection?

Dynamic ARP Inspection (DAI) is the security mechanism that prevents malicious ARP attacks by rejecting unknown ARP Packets. ARP attacks can be done as a Man-in-the-Middle Attack by an attacker. By capturing the traffic between two hosts, attacker poisons the ARP Cache and sends his/her own address as requested ip address. Dynamic ARP Inspection validates IP-MAC matchings.


Dynamic ARP Inspection (DAI) uses DHCP Snooping binding database that is created by DHCP Snooping by listening DHCP Messages between the nodes. According to the DHCP Snpping binding database, DAI decides. If there is a record about sender’s Ip and MAC address then it accepts the ARP Packet. If not, ARP packet is rejected. Instead of using DHCP Snooping, Static IP-MAC mappings can be also used.


How Does DAI Work?

 Dynamic ARP Inspection (DAI) uses Trust states for interfaces. There are two trust states for interfaces, these are:

  • Trusted
  • Untrusted

If an interface set as Trusted, DAI do not work fort his interface. But if it is an Untrusted, DAI precedures work and the MAC-IP matchings are checked.


In a network all the interfaces connected to the hosts are configured as Untrusted while the interfaces connected to the switches are configured as Trusted. By doing this, ARP Packets are checked if it is coming from a host device.


By the way, Dynamic ARP Inspection is done through VLANs. One or one more VLANs can be used fort his configuration.



As you can see above, if DAI is enabled, IP-MAC Binding Table is cheched and then if the incoming MAC address is in binding table, then this ARP Packet is accepted. If not, then the packet is discarded. Above, Host B and Host C is sending ARP packets including different MAC addresses maliciously. So, this is detected by Dynamic ARP Inspection Mechanism.

Dynamic ARP Inspection Configuration

To configure Dynamic ARP Inspection on Cisco switches, we will use the below simple switch topology:

dynamic arp inspection topology ipcisco

Here, we will configure DAI for VLAN 2 only. And hosts in VLAN 2 will be Untrusted. So, ARP packets coming from these interfaces will be checked. The other interfaces will configured as trusted interfaces.

So, let’s start to configure DAI.


Enabling Dynamic ARP Inspection

To enable ARP Inspection on VLAN 2, we will use “ip arp inspection vlan 2” command globally.


Switch A# configure terminal

Switch A(config)# ip arp inspection vlan 2



Setting Trusted interfaces

To set any interfaces as trusted we will use “ip arp inspection trust” command under that interface. On Swithc A, we will set FastEthernet 0/1 and FastEthernet 0/3 as Trusted. The remaining orts will be Untrusted by default.


Switch A(config)# interface fastethernet 0/1

Switch A(config-if)# ip arp inspection trust


Switch A(config)# interface fastethernet 0/3

Switch A(config-if)# ip arp inspection trust


Here, we have set these two interfaces as Trusted. The other reminings interface Fastethernet 0/2 remains as Untrusted. Because by default all interfaces are Untrusted.


Lesson tags: DAI
Back to: CCNA 200-301 > Security Fundamentals

Leave a Reply

Your email address will not be published. Required fields are marked *

IPCisco is the Winner of 2019 “Best Certification Study Journey” Category! We are also Finalist of 2020 & 2021 in Cisco IT Blog Awards!


CCNA 200-301

IPCisco on Social Media!