DAI Configuration Guidelines and Restrictions
NE2552E Application Guide for ENOS 8.4
When configuring Dynamic ARP Inspection (DAI), follow these guidelines and restrictions:

DAI is an ingress security feature; it performs no checking on egress traffic.

DAI does not protect hosts connected to switches that do not support DAI or that do not have the feature enabled. Because ARP-based man-in-the-middle attacks are confined to a single Layer 2 broadcast domain, keep the domain that is checked by DAI separate from any domain that is not checked. This secures the ARP caches of the hosts in the DAI-enabled domain.

DAI depends on the entries in the DHCP snooping binding database to verify the IP-to-MAC address bindings carried in incoming ARP requests and ARP responses. In non-DHCP environments, add a static DHCP snooping binding entry for each static IP address, using the maximum lease time so that the entry does not expire.

Ports belonging to a port-channel must all have the same trust state.
DAI Configuration Example

Following is the configuration for the example in Figure 30.

SwitchA(config)# ip arp inspection vlan 2
SwitchA(config)# interface port 1-2
SwitchA(config-if)# ip arp inspection trust
SwitchA(config-if)# exit
SwitchA(config)# interface port 3
SwitchA(config-if)# no ip arp inspection trust
SwitchA(config-if)# exit
SwitchA(config)# ip arp inspection vlan 2

SwitchB(config)# ip arp inspection vlan 2
SwitchB(config)# interface port 2
SwitchB(config-if)# ip arp inspection trust
SwitchB(config-if)# exit
SwitchB(config)# interface port 3
SwitchB(config-if)# no ip arp inspection trust
SwitchB(config-if)# exit
SwitchB(config)# ip arp inspection vlan 2
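The following Python model is an added illustration of the behaviour described in the guidelines above and exercised by the SwitchA configuration; it is not ENOS code and not part of the application guide. It parses the SwitchA commands into a trust state, then applies the DAI decision to constructed ARP packets against a constructed DHCP snooping binding table: trusted ports and uninspected VLANs pass, untrusted ports are checked against the IP-to-MAC binding, and a binding whose lease has expired no longer protects the host (the reason the guide asks for maximum lease time on static entries). It also checks the port-channel rule that member ports must share a trust state. All class and function names, the binding entries, the timestamps and the port-channel membership are assumptions made for the example.

```python
"""Model of Dynamic ARP Inspection (DAI) as described in the NE2552E guide.

Added example, not ENOS code. Names, bindings, timestamps and port-channel
membership below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Configuration lines copied from the SwitchA example on the page.
SWITCH_A_CONFIG = [
    "SwitchA(config)# ip arp inspection vlan 2",
    "SwitchA(config)# interface port 1-2",
    "SwitchA(config-if)# ip arp inspection trust",
    "SwitchA(config-if)# exit",
    "SwitchA(config)# interface port 3",
    "SwitchA(config-if)# no ip arp inspection trust",
    "SwitchA(config-if)# exit",
    "SwitchA(config)# ip arp inspection vlan 2",
]


@dataclass
class DaiState:
    """VLANs under inspection and ports whose ARP traffic is not checked."""
    inspected_vlans: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)


@dataclass
class Binding:
    """One DHCP snooping binding; expires_at is epoch seconds (inf = static, never)."""
    ip: str
    mac: str
    vlan: int
    expires_at: float


@dataclass
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_ip: str
    sender_mac: str


PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips 'SwitchA(config-if)# '


def parse_dai_config(lines):
    """Build a DaiState from ENOS-style 'ip arp inspection' commands."""
    state = DaiState()
    current_ports = []  # ports selected by the last 'interface port' command
    for raw in lines:
        cmd = PROMPT.sub("", raw.strip())
        if m := re.match(r"ip arp inspection vlan (\d+)$", cmd):
            state.inspected_vlans.add(int(m.group(1)))
        elif m := re.match(r"interface port (\d+)(?:-(\d+))?$", cmd):
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            current_ports = [str(p) for p in range(lo, hi + 1)]
        elif cmd == "ip arp inspection trust":
            state.trusted_ports.update(current_ports)
        elif cmd == "no ip arp inspection trust":
            state.trusted_ports.difference_update(current_ports)
        elif cmd == "exit":
            current_ports = []
    return state


def inspect_arp(pkt, state, bindings, now):
    """Return ('forward' | 'drop', reason) for one ingress ARP packet."""
    if pkt.vlan not in state.inspected_vlans:
        return "forward", "vlan not inspected"
    if pkt.ingress_port in state.trusted_ports:
        return "forward", "trusted port"      # ingress only; no egress check
    for b in bindings:
        if b.vlan != pkt.vlan or b.ip != pkt.sender_ip:
            continue
        if b.expires_at <= now:
            continue                           # expired lease: binding is gone
        if b.mac.lower() == pkt.sender_mac.lower():
            return "forward", "binding match"
        return "drop", f"{pkt.sender_ip} is bound to {b.mac}, not {pkt.sender_mac}"
    return "drop", "no valid binding for sender"


def portchannel_trust_mismatches(state, port_channels):
    """Names of port-channels whose member ports do not share one trust state."""
    return sorted(name for name, members in port_channels.items()
                  if len({m in state.trusted_ports for m in members}) > 1)


if __name__ == "__main__":
    now = 1_700_000_000.0  # constructed 'current time'
    table = [
        Binding("10.0.2.10", "00:11:22:33:44:10", 2, now + 3600),   # DHCP lease
        Binding("10.0.2.20", "00:11:22:33:44:20", 2, float("inf")),  # static entry
        Binding("10.0.2.30", "00:11:22:33:44:30", 2, now - 60),     # lease expired
    ]
    st = parse_dai_config(SWITCH_A_CONFIG)
    for p in [ArpPacket("3", 2, "10.0.2.10", "00:11:22:33:44:10"),
              ArpPacket("3", 2, "10.0.2.10", "de:ad:be:ef:00:01"),
              ArpPacket("3", 2, "10.0.2.30", "00:11:22:33:44:30")]:
        print(p.ingress_port, p.sender_ip, inspect_arp(p, st, table, now))
    print(portchannel_trust_mismatches(st, {"po1": ["1", "2"], "po2": ["2", "3"]}))
```

Running the script shows the legitimate host on untrusted port 3 being forwarded, the host that claims the same IP with a different MAC being dropped, and the host whose lease has expired being dropped even though its MAC is correct; the last line reports "po2" because ports 2 and 3 differ in trust state, which the guide forbids for port-channel members.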