Operations

DAI inspects the sender MAC and sender IP fields of ARP messages received on untrusted ports and checks that there is a matching IP-to-MAC entry in the DHCP snooping binding table.

  • If there is a matching entry, the ARP message is forwarded normally.

  • If there isn't a matching entry, the ARP message is discarded.

DAI doesn't inspect messages received on trusted ports. They are forwarded as normal.

ARP ACLs can be manually configured to define IP-to-MAC address mappings for DAI to check against.

  • Useful for hosts that don't use DHCP.

DAI can also be configured to perform additional validation checks, but these are optional.

Like DHCP snooping, DAI also supports rate-limiting to prevent attackers from overwhelming the switch with ARP messages.

  • DHCP snooping and DAI both require work from the switch's CPU.

  • Even if the attacker's messages are blocked, the attacker can still overload the switch's CPU with a flood of ARP messages.
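As an added example (not from these notes), a small Python model of the DAI decision process described above: a constructed DHCP snooping binding table, an ARP ACL entry for a static host, a trusted uplink port and a per-port rate limit. The port names, addresses and the 15 pps limit are assumptions, and the rate-limit action is simplified to a "rate-limited" verdict rather than any vendor-specific behaviour.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed DHCP snooping binding table: (vlan, ip) -> MAC learned from DHCP
BINDING_TABLE = {
    (10, "192.168.10.11"): "aa:bb:cc:00:00:11",
    (10, "192.168.10.12"): "aa:bb:cc:00:00:12",
}
# Constructed ARP ACL entry for a host with a static address (no DHCP)
ARP_ACL = {(10, "192.168.10.50"): "aa:bb:cc:00:00:50"}
TRUSTED_PORTS = {"Gi0/24"}  # hypothetical uplink towards the DHCP server
RATE_LIMIT_PPS = 15  # hypothetical ARP packets/second allowed per untrusted port

@dataclass
class ArpMessage:
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str

def dai_check(msg, counters):
    """Decide what DAI does with one ARP message; counters maps port ->
    ARP messages seen in the current one-second window (caller resets it)."""
    if msg.port in TRUSTED_PORTS:
        return "forward", "trusted port, not inspected"
    counters[msg.port] += 1
    if counters[msg.port] > RATE_LIMIT_PPS:
        return "rate-limited", "ARP rate limit exceeded on port"
    key = (msg.vlan, msg.sender_ip)
    # ARP ACL entries are consulted first, then the DHCP snooping bindings
    expected_mac = ARP_ACL.get(key) or BINDING_TABLE.get(key)
    if expected_mac is None:
        return "drop", "no binding or ARP ACL entry for sender IP"
    if expected_mac.lower() != msg.sender_mac.lower():
        return "drop", "sender MAC does not match the entry for sender IP"
    return "forward", "sender IP/MAC pair matches"

def run_demo():
    """Feed constructed ARP messages through dai_check; returns the verdicts."""
    counters = defaultdict(int)
    messages = [
        ArpMessage("Gi0/1", 10, "aa:bb:cc:00:00:11", "192.168.10.11"),  # legitimate
        ArpMessage("Gi0/1", 10, "de:ad:be:ef:00:01", "192.168.10.11"),  # MAC mismatch
        ArpMessage("Gi0/2", 10, "aa:bb:cc:00:00:50", "192.168.10.50"),  # static host via ACL
        ArpMessage("Gi0/3", 10, "aa:bb:cc:00:00:99", "192.168.10.99"),  # unknown IP
        ArpMessage("Gi0/24", 10, "00:11:22:33:44:55", "192.168.10.1"),  # trusted uplink
    ]
    # A burst of 16 messages on one untrusted port exceeds the 15 pps limit
    messages += [ArpMessage("Gi0/5", 10, "aa:bb:cc:00:00:12", "192.168.10.12")] * 16
    return [dai_check(m, counters)[0] for m in messages]
```

Calling run_demo() shows the five individual verdicts followed by fifteen forwards and one rate-limited message for the burst.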
