User's Manual
26-3
Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 26 Configuring Dynamic ARP Inspection
Information About Dynamic ARP Inspection
Interface Trust States and Network Security
DAI associates a trust state with each interface on the switch. Packets arriving on trusted interfaces bypass all DAI validation checks, and those arriving on untrusted interfaces undergo the DAI validation process.
In a typical network configuration, you configure all switch ports connected to hosts as untrusted and all switch ports connected to other switches as trusted. With this configuration, every ARP packet is validated exactly once, at the untrusted host port where it enters the network; ARP packets that arrive over a trusted switch-to-switch link were already checked by the switch they entered on and bypass the security check. No other validation is needed at any other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection trust interface configuration command.
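The typical deployment described above, as an added configuration example that is not taken from the guide: an access switch with hosts on FastEthernet1/1 through 1/8 and an uplink on GigabitEthernet1/1 to another switch that also runs DAI. VLAN 10 and the interface names are assumptions. Host ports are untrusted by default; the no ip arp inspection trust lines only make that explicit.

```cisco
! Added example, not from the guide. VLAN 10 and the interface names are assumed.
! DAI validates against the DHCP snooping binding table, so enable snooping on the VLAN first.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Host-facing ports: untrusted (the default), so every ARP packet from a host is validated here.
interface range FastEthernet1/1 - 8
 switchport mode access
 switchport access vlan 10
 no ip arp inspection trust
!
! Uplink to a switch that also runs DAI: trusted, so ARP packets already
! validated at their ingress host port are not checked a second time.
interface GigabitEthernet1/1
 description Uplink to Switch A (runs DAI)
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
!
! Verify the trust state of each interface and the DAI state of the VLAN:
! show ip arp inspection interfaces
! show ip arp inspection vlan 10
```

The uplink is also marked ip dhcp snooping trust because the DHCP server in this topology sits behind the other switch; without that line the switch would drop the server's replies and never build the bindings DAI needs.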
Caution Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity.
In Figure 26-2, assume that both Switch A and Switch B are running DAI on the VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, the DHCP exchange for Host 1 never crosses Switch B, so only Switch A has a DHCP snooping binding for the IP-to-MAC address of Host 1. Therefore, if the interface between Switch A and Switch B is untrusted, Switch B validates the ARP packets from Host 1 against its own binding table, finds no entry, and drops them. Connectivity between Host 1 and Host 2 is lost.
Figure 26-2 ARP Packet Validation on a VLAN Enabled for DAI
Configuring interfaces as trusted when they should be untrusted leaves a security hole in the network. If Switch A is not running DAI, Host 1 can easily poison the ARP cache of Switch B (and of Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running DAI.
DAI ensures that hosts (on untrusted interfaces) connected to a switch running DAI do not poison the ARP caches of other hosts in the network. However, DAI does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running DAI.
If some switches in a VLAN run DAI and others do not, configure the interfaces connecting these switches as untrusted. However, to validate the bindings of packets from non-DAI switches, configure the switch running DAI with ARP ACLs. When you cannot determine the bindings, isolate the switches running DAI from the switches not running DAI at Layer 3.
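The mixed case from Figure 26-2 with Switch A not running DAI, as an added configuration example for Switch B that is not taken from the guide: the link to Switch A stays untrusted, and an ARP ACL supplies the binding for Host 1 that Switch B never learned from DHCP snooping. VLAN 10, the interface names, and Host 1's address and MAC are assumptions.

```cisco
! Added example, not from the guide. VLAN 10, interface names, and the
! 10.1.10.11 / 0011.2233.4455 binding for Host 1 are assumed values.
! Switch B runs DAI; Switch A does not, so nothing arriving from Switch A has been validated.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! One permit entry per host behind the non-DAI switch.
arp access-list DAI-NON-DAI-HOSTS
 permit ip host 10.1.10.11 mac host 0011.2233.4455
!
! Apply the ACL to the VLAN. Without the static keyword, an ARP packet that matches
! no ACL entry falls through to the DHCP snooping binding check; with static, it is dropped.
ip arp inspection filter DAI-NON-DAI-HOSTS vlan 10
!
! Link to Switch A: untrusted, so Host 1's ARP packets are checked against the ACL here.
interface GigabitEthernet1/1
 description Uplink to Switch A (no DAI) - keep untrusted
 switchport mode trunk
 no ip arp inspection trust
 ip dhcp snooping trust
!
! Host 2 on Port 3: untrusted (default); its binding is learned by DHCP snooping on this switch
! because its DHCP exchange passes through Switch B on the way to the server behind Switch A.
interface FastEthernet1/3
 switchport mode access
 switchport access vlan 10
 no ip arp inspection trust
!
! Verify that the ACL is bound to the VLAN and watch the drop counters:
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

The ARP ACL is a static list: if Host 1 is renumbered or replaced, the entry must be updated by hand, and every host behind the non-DAI switch needs its own permit line. When that list cannot be kept accurate, the guide's fallback applies: put the DAI and non-DAI switches in separate Layer 3 domains instead.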
Figure 26-2 labels: DHCP server; Switch A; Switch B; Host 1; Host 2; Port 1; Port 3.