User's Manual
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 26
Configuring Dynamic ARP Inspection
Finding Feature Information
Your software release may not support all the features documented in this chapter. For the latest feature 
information and caveats, see the release notes for your platform and software release. 
Use Cisco Feature Navigator to find information about platform support and Cisco software image 
support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on 
Cisco.com is not required.
Prerequisites for Dynamic ARP Inspection
  • Dynamic Address Resolution Protocol (ARP) inspection depends on the entries in the DHCP 
snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and 
ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically 
assigned IP addresses. 
Restrictions for Dynamic ARP Inspection
  • To use this feature, the switch must be running the LAN Base image.
Information About Dynamic ARP Inspection
Dynamic ARP Inspection
Dynamic ARP inspection (DAI) helps prevent malicious attacks on the switch by not relaying invalid 
ARP requests and responses to other ports in the same VLAN. 
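The check described above and in the prerequisites (verifying the IP-to-MAC binding of each incoming ARP request or response against the DHCP snooping binding database) can be modeled as follows. This is an added example, not code from Cisco or from this guide; the binding-table layout, the function names and all sample addresses are assumptions constructed for illustration.

```python
import struct

# Constructed DHCP snooping bindings (assumed layout): (vlan, ip) -> leased MAC.
BINDINGS = {
    (10, "10.0.10.5"): "00:11:22:33:44:55",
    (10, "10.0.10.6"): "00:11:22:33:44:66",
}

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Parse an Ethernet/IPv4 ARP payload; return None if malformed."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return None
    return {"oper": oper,
            "sender_mac": _mac(payload[8:14]),
            "sender_ip": _ip(payload[14:18])}

def inspect(vlan, payload, bindings=BINDINGS):
    """Return (verdict, reason) for one ARP request or response seen on `vlan`."""
    arp = parse_arp(payload)
    if arp is None:
        return ("drop", "malformed ARP")
    bound = bindings.get((vlan, arp["sender_ip"]))
    if bound is None:
        return ("drop", "no binding for sender IP")
    if bound != arp["sender_mac"]:
        return ("drop", "sender MAC does not match binding")
    return ("forward", "binding matches")

def build_arp(oper, smac, sip, tmac, tip):
    """Build a constructed ARP payload used only as sample input."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(smac) + ip(sip) + mac(tmac) + ip(tip))

# Constructed samples: a reply that matches its lease, and one that does not.
VALID = build_arp(2, "00:11:22:33:44:55", "10.0.10.5", "00:11:22:33:44:66", "10.0.10.6")
MISMATCH = build_arp(2, "00:aa:bb:cc:dd:ee", "10.0.10.5", "00:11:22:33:44:66", "10.0.10.6")

if __name__ == "__main__":
    for name, pkt in (("valid", VALID), ("mismatch", MISMATCH)):
        print(name, inspect(10, pkt))
```

In this model a host with no entry in the binding table is dropped as well, which is why the prerequisite above calls for DHCP snooping to be enabled so that dynamically addressed hosts have bindings.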
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC 
address. For example, Host B wants to send information to Host A but does not have the MAC address 
of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast 
domain to obtain the MAC address associated with the IP address of Host A. All hosts within the 
broadcast domain receive the ARP request, and Host A responds with its MAC address. However, 