First page Back Continue Last page Image
Dynamic ARP Inspection
- Not relaying invalid or gratuitous ARP Replies out to other ports in the same VLAN
- Intercepting all ARP Requests and Replies on untrusted ports
- Verifying each intercepted packet for a valid IP-to-MAC binding
- Dropping and logging ARP Replies coming from invalid to prevent ARP poisoning
- Error-disabling the interface if the configured DAI number of ARP packets is exceeded
Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by: