© Copyright Lenovo 2016
Figure 36. ARP Packet Validation on a VLAN Enabled for DAI
[Figure elements: DHCP server; Switch A (Port 1, Port 2, Port 3) and Switch B (Port 1, Port 2, Port 3) joined by an inter-switch link; Host 1 attached to Switch A; Host 2 attached to Switch B.]
If Switch A is not running DAI, Host 1 can easily poison the ARP caches of Switch
B and Host 2, if the link between the switches is configured as trusted. This
condition can occur even though Switch B is running DAI.
The best option for the setup from Figure 36 is to have DAI running on both
switches and to have the link between the switches configured as trusted.
In cases in which some switches in a VLAN run DAI and other switches do not,
configure the interfaces connecting such switches as untrusted. However, to
validate the bindings of packets from switches where DAI is not configured,
configure static DHCP snooping binding entries on the switch running DAI. When
you cannot determine such bindings, isolate switches running DAI at Layer 3 from
switches not running DAI.
DAI ensures that hosts (on untrusted interfaces) connected to a switch running
DAI do not poison the ARP caches of other hosts in the network. However, DAI
does not prevent hosts in other portions of the network connected through a
trusted interface from poisoning the caches of the hosts that are connected to a
switch running DAI.
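The following is an added illustration, not Lenovo code: a small Python model of the DAI forwarding decision described above, run against the Figure 36 topology so that the trusted-link and static-binding cases can be compared. All MAC addresses, IP addresses, VLAN and port names are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class ArpPacket:
    sender_mac: str
    sender_ip: str
    vlan: int
    ingress_port: str

class DaiSwitch:
    """Simplified DAI decision: trusted ports bypass validation, untrusted
    ports must match a DHCP snooping binding (learned or static) on the VLAN."""
    def __init__(self, dai_vlans, trusted_ports, bindings):
        self.dai_vlans = set(dai_vlans)
        self.trusted_ports = set(trusted_ports)
        self.bindings = {(v, m.lower()): ip for (v, m), ip in bindings.items()}

    def add_static_binding(self, vlan, mac, ip):
        # Static DHCP snooping entry for a host behind a switch without DAI.
        self.bindings[(vlan, mac.lower())] = ip

    def inspect(self, pkt):
        """Return (forward, reason) for an ARP packet arriving on this switch."""
        if pkt.vlan not in self.dai_vlans:
            return True, "DAI not enabled on this VLAN"
        if pkt.ingress_port in self.trusted_ports:
            return True, "trusted interface, not validated"
        if self.bindings.get((pkt.vlan, pkt.sender_mac.lower())) == pkt.sender_ip:
            return True, "sender matches a DHCP snooping binding"
        return False, f"dropped: no binding for {pkt.sender_mac} -> {pkt.sender_ip}"

# Constructed sample data for the Figure 36 topology (all values are assumptions).
HOST1_MAC, HOST1_IP = "00:00:5e:00:53:01", "192.0.2.10"
HOST2_MAC, HOST2_IP = "00:00:5e:00:53:02", "192.0.2.20"
DHCP_SERVER_IP, VLAN = "192.0.2.1", 10
# Host 1 sits behind Switch A (no DAI); its ARP reaches Switch B on Port 1,
# the inter-switch link. POISON claims the DHCP server's IP, LEGIT its own.
POISON = ArpPacket(HOST1_MAC, DHCP_SERVER_IP, VLAN, "port1")
LEGIT = ArpPacket(HOST1_MAC, HOST1_IP, VLAN, "port1")

def switch_b(link_trusted, static_host1_binding=False):
    # Switch B runs DAI on VLAN 10 and learned Host 2's binding via snooping.
    sw = DaiSwitch([VLAN], ["port1"] if link_trusted else [],
                   {(VLAN, HOST2_MAC): HOST2_IP})
    if static_host1_binding:
        sw.add_static_binding(VLAN, HOST1_MAC, HOST1_IP)
    return sw

def forwarded(pkt, link_trusted, static_host1_binding=False):
    # True if Switch B forwards pkt under the given trust/binding setup.
    return switch_b(link_trusted, static_host1_binding).inspect(pkt)[0]
```

With the inter-switch link trusted, Switch B forwards the spoofed reply unchecked; with the link untrusted and a static binding for Host 1, the spoofed reply is dropped while Host 1's genuine ARP still passes.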
Chapter 24: Dynamic ARP Inspection
407