Rule ID
SV-220635r929011_rule
Version
V3R1
CCIs
CCI-002385
DAI intercepts ARP requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding the packet to the appropriate destination. Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the DHCP snooping binding database. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
Review the switch configuration to verify that the DAI feature is enabled on all user VLANs: hostname SW2 … … … ip arp inspection vlan 2,4-8,11 Note: DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. If DAI is not enabled on all user VLANs, this is a finding.
Configure the switch to have DAI enabled on all user VLANs as shown in the example below: SW2(config)#ip arp inspection vlan 2,4-8,11