Cisco IE 2000 Switch Software Configuration Guide
OL-25866-01
Chapter 26 Configuring Dynamic ARP Inspection
Information About Dynamic ARP Inspection
If the log buffer overflows, a log event did not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. Dashes in the display appear in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer or increase the logging rate.
Default Dynamic ARP Inspection Settings

Table 26-1 Default Dynamic ARP Inspection Settings

Feature                              Default Setting
DAI                                  Disabled on all VLANs.
Interface trust state                All interfaces are untrusted.
Rate limit of incoming ARP packets   The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.
                                     The rate is unlimited on all trusted interfaces.
                                     The burst interval is 1 second.
ARP ACLs for non-DHCP environments   No ARP ACLs are defined.
Validation checks                    No checks are performed.
Log buffer                           When DAI is enabled, all denied or dropped ARP packets are logged.
                                     The number of entries in the log is 32.
                                     The number of system messages is limited to 5 per second.
                                     The logging-rate interval is 1 second.
Per-VLAN logging                     All denied or dropped ARP packets are logged.

Dynamic ARP Inspection Configuration Guidelines
  • DAI is an ingress security feature; it does not perform any egress checking.
  • DAI is not effective for hosts connected to switches that do not support DAI or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with DAI checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for DAI.
  • DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For configuration information, see Chapter 25, “Configuring DHCP.”
    When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.
  • DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
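The following configuration is an added example, not taken from this guide, that puts the guidelines and defaults above together on one switch: DHCP snooping is enabled so DAI has a binding database to check, the uplink toward the other DAI-enabled switch is trusted, access ports keep the default 15 pps limit, the log buffer and syslog rate are raised above the defaults of 32 entries and 5 messages per second, and a host that does not use DHCP is permitted with an ARP ACL. VLAN 10, the interface names, the ACL name STATIC-HOSTS and the IP and MAC address values are assumed, constructed values.

```text
! DHCP snooping must be enabled first; DAI validates ARP packets against its binding database
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Enable DAI on the user VLAN and add the optional validation checks (default: no checks)
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Enlarge the log buffer (default 32 entries) and raise the syslog rate (default 5 per 1 second)
! so that a burst of denied ARP packets does not overflow the buffer and show as dashes
ip arp inspection log-buffer entries 256
ip arp inspection log-buffer logs 20 interval 1
!
! Non-DHCP host in VLAN 10 (constructed address values): permit its IP-to-MAC binding with an ARP ACL
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.10 mac host 0000.5e00.5301
!
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Uplink to the neighboring DAI-enabled switch: trusted, so its ARP traffic is not checked or rate limited
interface GigabitEthernet1/1
 description Uplink to DAI-enabled distribution switch
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host-facing access port stays untrusted at the default rate of 15 pps with a 1 second burst interval
interface FastEthernet1/1
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15 burst interval 1
```

After applying it, use show ip arp inspection log to confirm that denied packets are recorded with their sender MAC, sender IP and reason rather than as dash-only overflow entries.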