Snooping and Inspecting Traffic

What is Dynamic ARP Inspection?

Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The malicious attacker sends ARP requests or responses mapping another station's IP address to its own MAC address.

When DAI is enabled, the switch drops ARP packets whose sender MAC address and sender IP address do not match an entry in the DHCP snooping bindings database. You can optionally configure additional ARP packet validation.

When DAI is enabled on a VLAN, DAI is enabled on the interfaces (physical ports or LAGs) that are members of that VLAN. Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is independent of the trust configuration for DHCP snooping.

Optional DAI Features

If the network administrator has configured the option, DAI verifies that the sender MAC address equals the source MAC address in the Ethernet header. There is a configurable option to verify that the target MAC address equals the destination MAC address in the Ethernet header. This check applies only to ARP responses, since the target MAC address is unspecified in ARP requests. You can also enable IP address checking. When this option is enabled, DAI drops ARP packets with an invalid IP address. The following IP addresses are considered invalid:

• 0.0.0.0
• 255.255.255.255
• all IP multicast addresses
• all class E addresses (240.0.0.0/4)
• loopback addresses (in the range 127.0.0.0/8)

DAI can also be configured to rate-limit ARP requests on untrusted interfaces. If the configured rate is exceeded, DAI diagnostically disables the port on which the rate limit was exceeded. Use the no shutdown command to
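To make the decision sequence above concrete, here is an added Python model of the DAI checks (binding lookup, the optional sender/target MAC checks, and the invalid-IP check) run over constructed packets; it is illustrative code, not the switch vendor's implementation. The binding table, MAC and IP values are made up, and the choice to check the target IP only on responses is an assumption, not something the text specifies.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ArpPacket:
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    opcode: int       # 1 = ARP request, 2 = ARP response
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def ip_is_invalid(ip: str) -> bool:
    """The addresses the text lists as invalid for the IP-check option."""
    a = ipaddress.IPv4Address(ip)
    return (a == ipaddress.IPv4Address("0.0.0.0")
            or a == ipaddress.IPv4Address("255.255.255.255")
            or a.is_multicast                              # 224.0.0.0/4
            or a in ipaddress.IPv4Network("240.0.0.0/4")   # class E
            or a.is_loopback)                              # 127.0.0.0/8

def dai_inspect(pkt, bindings, trusted=False, check_src_mac=False,
                check_dst_mac=False, check_ip=False):
    """Return (permit, reason). bindings: set of (mac, ip) learned by DHCP snooping."""
    if trusted:                      # trusted interfaces are not inspected
        return True, "trusted interface"
    if (pkt.sender_mac.lower(), pkt.sender_ip) not in bindings:
        return False, "sender MAC/IP not in DHCP snooping bindings"
    if check_src_mac and pkt.sender_mac.lower() != pkt.eth_src.lower():
        return False, "sender MAC differs from Ethernet source MAC"
    # Target MAC is unspecified in requests, so this check applies to responses only
    if check_dst_mac and pkt.opcode == 2 and pkt.target_mac.lower() != pkt.eth_dst.lower():
        return False, "target MAC differs from Ethernet destination MAC"
    # Assumption: sender IP is checked on every packet, target IP on responses only
    if check_ip and (ip_is_invalid(pkt.sender_ip)
                     or (pkt.opcode == 2 and ip_is_invalid(pkt.target_ip))):
        return False, "invalid IP address in ARP body"
    return True, "permitted"

# Constructed sample data: a host and its gateway learned via DHCP snooping, plus a
# response that maps the gateway's IP to the host's MAC (the poisoning case above).
BINDINGS = {("00:11:22:33:44:55", "10.0.0.10"), ("00:aa:bb:cc:dd:ee", "10.0.0.1")}
LEGIT = ArpPacket("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", 1,
                  "00:11:22:33:44:55", "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1")
POISON = ArpPacket("00:11:22:33:44:55", "00:de:ad:be:ef:01", 2,
                   "00:11:22:33:44:55", "10.0.0.1", "00:de:ad:be:ef:01", "10.0.0.20")

if __name__ == "__main__":
    for name, p in (("legit", LEGIT), ("poison", POISON)):
        print(name, dai_inspect(p, BINDINGS, check_src_mac=True, check_dst_mac=True, check_ip=True))
```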