DELL N3000 User Manual

Snooping and Inspecting Traffic
What is Dynamic ARP Inspection?
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and 
malicious ARP packets. DAI prevents a class of man-in-the-middle attacks 
where an unfriendly station intercepts traffic for other stations by poisoning 
the ARP caches of its unsuspecting neighbors. The malicious attacker sends 
ARP requests or responses mapping another station’s IP address to its own 
MAC address.
When DAI is enabled, the switch drops ARP packets whose sender MAC 
address and sender IP address do not match an entry in the DHCP snooping 
bindings database. You can optionally configure additional ARP packet 
validation.
When DAI is enabled on a VLAN, DAI is enabled on the interfaces (physical 
ports or LAGs) that are members of that VLAN. Individual interfaces are 
configured as trusted or untrusted. The trust configuration for DAI is 
independent of the trust configuration for DHCP snooping. 
Optional DAI Features
If the network administrator has configured the option, DAI verifies that the 
sender MAC address equals the source MAC address in the Ethernet header. 
There is a configurable option to verify that the target MAC address equals 
the destination MAC address in the Ethernet header. This check applies only 
to ARP responses, since the target MAC address is unspecified in ARP 
requests. You can also enable IP address checking. When this option is 
enabled, DAI drops ARP packets with an invalid IP address. The following IP 
addresses are considered invalid:
• 0.0.0.0
• 255.255.255.255
• all IP multicast addresses
• all class E addresses (240.0.0.0/4)
• loopback addresses (in the range 127.0.0.0/8)
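The following Python models the DAI decision described above over constructed ARP frames; it is an added illustration, not code from the Dell manual or the switch firmware. The bindings table and MAC/IP values are constructed sample data, and applying the IP check to both the sender and target address fields is an assumption.

```python
import ipaddress
import struct

# Constructed DHCP snooping bindings table (sample data, not from the manual): IP -> MAC
BINDINGS = {"10.0.0.5": "00:11:22:33:44:55", "10.0.0.9": "00:aa:bb:cc:dd:ee"}

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)

def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (oper 1=request, 2=reply)."""
    return (mac_bytes(eth_dst) + mac_bytes(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac_bytes(sha) + ipaddress.IPv4Address(spa).packed
            + mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed)

def parse_arp(frame):
    """Extract the Ethernet header fields and ARP body fields that DAI compares."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    oper = struct.unpack("!H", frame[20:22])[0]
    return {"eth_dst": mac_str(frame[:6]), "eth_src": mac_str(frame[6:12]), "oper": oper,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
            "target_mac": mac_str(frame[32:38]), "target_ip": str(ipaddress.IPv4Address(frame[38:42]))}

def invalid_ip(ip):
    """The address classes the manual lists as invalid for the optional IP check."""
    a = ipaddress.IPv4Address(ip)
    return (a in (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))
            or a.is_multicast or a in ipaddress.IPv4Network("240.0.0.0/4") or a.is_loopback)

def dai_verdict(frame, bindings, check_src_mac=False, check_dst_mac=False, check_ip=False):
    """Return None if DAI would forward the frame, otherwise the reason it is dropped."""
    p = parse_arp(frame)
    # Mandatory check: the sender MAC/IP pair must match a DHCP snooping binding
    if bindings.get(p["sender_ip"]) != p["sender_mac"]:
        return "no DHCP snooping binding for sender MAC/IP"
    # Optional: ARP sender MAC must equal the Ethernet source MAC
    if check_src_mac and p["sender_mac"] != p["eth_src"]:
        return "sender MAC != Ethernet source MAC"
    # Optional: target MAC check applies to responses only (unspecified in requests)
    if check_dst_mac and p["oper"] == 2 and p["target_mac"] != p["eth_dst"]:
        return "target MAC != Ethernet destination MAC"
    # Optional IP check; assumption: both sender and target IP fields are examined
    if check_ip and (invalid_ip(p["sender_ip"]) or invalid_ip(p["target_ip"])):
        return "invalid IP address"
    return None
```

A frame whose sender claims a bound IP with a different MAC fails the mandatory binding check regardless of the optional settings, while a frame with a valid ARP body but a mismatched Ethernet source MAC is only dropped once the source MAC check is enabled.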
DAI can also be configured to rate-limit ARP requests on untrusted 
interfaces. If the configured rate is exceeded, DAI diagnostically disables the 
port on which the rate limit was exceeded. Use the no shutdown command to