Operations
Last updated
DAI inspects the sender MAC and sender IP fields of ARP messages received on untrusted ports and checks that there is a matching entry in the DHCP snooping binding table.
If there is a matching entry, the ARP message is forwarded normally.
If there isn't a matching entry, the ARP message is discarded.
DAI doesn't inspect messages received on trusted ports. They are forwarded as normal.
ARP ACLs can be manually configured to map IP addresses to MAC addresses for DAI to check.
This is useful for hosts that don't use DHCP, since they have no entry in the DHCP snooping binding table.
DAI can also be configured to perform more in-depth checks, but these are optional.
Like DHCP snooping, DAI also supports rate-limiting to prevent attackers from overwhelming the switch with ARP messages.
DHCP snooping and DAI both require work from the switch's CPU.
Even if the attacker's messages are blocked, a flood of ARP messages can still overload the switch CPU, which is why rate-limiting matters.
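The DAI decision process described above, as an added example: a small Python simulation, not code from the original notes or from any switch vendor. The port names, DHCP snooping bindings, ARP ACL entries and ARP messages are constructed sample data; the 15 packets-per-second limit, the err-disable reaction when that limit is exceeded, and the optional source-MAC consistency check (Ethernet source MAC must equal the ARP sender MAC) are assumptions modelled on common switch behaviour, not values taken from the page.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpMessage:
    """The fields of an ARP frame that DAI looks at (constructed sample data)."""
    ingress_port: str
    eth_src_mac: str      # Ethernet header source MAC
    sender_mac: str       # ARP body: sender hardware address
    sender_ip: str        # ARP body: sender protocol address


@dataclass
class DaiSwitch:
    trusted_ports: set[str]
    dhcp_bindings: set[tuple[str, str]]                      # (mac, ip) learned by DHCP snooping
    arp_acl: set[tuple[str, str]] = field(default_factory=set)  # static (mac, ip) for non-DHCP hosts
    validate_src_mac: bool = False                           # optional in-depth check (assumed)
    rate_limit_pps: int = 15                                 # assumed per-port limit on untrusted ports
    err_disabled: set[str] = field(default_factory=set)
    _recent: dict[str, deque] = field(default_factory=dict)

    def _over_rate(self, port: str, now: float) -> bool:
        """Sliding one-second window of ARP arrivals on one untrusted port."""
        window = self._recent.setdefault(port, deque())
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()
        return len(window) > self.rate_limit_pps

    def inspect(self, msg: ArpMessage, now: float = 0.0) -> str:
        """Return 'forward' or a 'drop:<reason>' verdict for one ARP message."""
        if msg.ingress_port in self.trusted_ports:
            return "forward"                      # trusted ports are not inspected
        if msg.ingress_port in self.err_disabled:
            return "drop:errdisabled"             # port already shut by the rate limiter
        if self._over_rate(msg.ingress_port, now):
            self.err_disabled.add(msg.ingress_port)
            return "drop:rate-limit"              # protects the CPU from ARP floods
        if self.validate_src_mac and msg.eth_src_mac.lower() != msg.sender_mac.lower():
            return "drop:src-mac-mismatch"        # optional consistency check
        key = (msg.sender_mac.lower(), msg.sender_ip)
        if key in self.arp_acl or key in self.dhcp_bindings:
            return "forward"                      # sender MAC/IP pair is a known binding
        return "drop:no-binding"


def run_demo() -> list[str]:
    """Run constructed ARP messages through the simulated switch and return the verdicts."""
    sw = DaiSwitch(
        trusted_ports={"Gi0/1"},                                # uplink towards the DHCP server
        dhcp_bindings={("aa:aa:aa:aa:aa:01", "10.0.0.11")},     # learned by DHCP snooping
        arp_acl={("bb:bb:bb:bb:bb:02", "10.0.0.12")},           # statically addressed host
        validate_src_mac=True,
    )
    legit = ArpMessage("Gi0/2", "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:01", "10.0.0.11")
    static = ArpMessage("Gi0/3", "bb:bb:bb:bb:bb:02", "bb:bb:bb:bb:bb:02", "10.0.0.12")
    unknown = ArpMessage("Gi0/4", "cc:cc:cc:cc:cc:03", "cc:cc:cc:cc:cc:03", "10.0.0.11")
    mismatch = ArpMessage("Gi0/4", "cc:cc:cc:cc:cc:03", "aa:aa:aa:aa:aa:01", "10.0.0.11")
    uplink = ArpMessage("Gi0/1", "dd:dd:dd:dd:dd:04", "dd:dd:dd:dd:dd:04", "10.0.0.1")
    verdicts = [sw.inspect(m) for m in (legit, static, unknown, mismatch, uplink)]

    # 17 otherwise-valid ARP messages within one second on Gi0/5: the 16th
    # exceeds the 15 pps limit and err-disables the port, the 17th hits the disabled port.
    flood = ArpMessage("Gi0/5", "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:01", "10.0.0.11")
    flood_verdicts = [sw.inspect(flood, now=i * 0.01) for i in range(17)]
    verdicts.append(flood_verdicts[15])
    verdicts.append(flood_verdicts[16])
    return verdicts


if __name__ == "__main__":
    for v in run_demo():
        print(v)
```

The ordering of the checks mirrors the notes: trusted ports bypass inspection entirely, the rate limiter runs before any lookup so that a flood costs the CPU as little as possible, the optional check is applied only when enabled, and the sender MAC/IP pair is accepted from either the ARP ACL or the DHCP snooping binding table.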