Cisco Catalyst 4500 Series Software Configuration Manual page 1532

Configuring Dynamic ARP Inspection
Figure 58-3
DHCP server
Host 1
DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address
Note
bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit
ARP packets that have dynamically assigned IP addresses. For configuration information, see
Chapter 60, "Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts."
For information on how to configure DAI when only one switch supports the feature, see the
"Configuring ARP ACLs for Non-DHCP Environments" section on page
To configure DAI, perform this task on both switches:
Command
Step 1
Switch# show cdp neighbors
Step 2
Switch# configure terminal
Step 3
Switch(config)# [no] ip arp inspection vlan
vlan-range
Step 4
Switch(config)# interface interface-id
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
58-6
ARP Packet Validation on a VLAN Enabled for DAI
Switch A
Port 1 Port 3
Chapter 58
Switch B
Host 2
Purpose
Verifies the connection between the switches.
Enters global configuration mode.
Enables DAI on a per-VLAN basis. By default, DAI is disabled
on all VLANs.
To disable DAI, use the no ip arp inspection vlan vlan-range
global configuration command.
For vlan-range, specify a single VLAN identified by VLAN ID
number, a range of VLANs separated by a hyphen, or a series of
VLANs separated by a comma. The range is 1 to 4094.
Specify the same VLAN ID for both switches.
Specifies the interface connected to the other switch, and enter
interface configuration mode.
Configuring Dynamic ARP Inspection
58-11.