Snooping and Inspecting Traffic

re-enable the port. DAI rate limiting cannot be enabled on trusted interfaces. Use the no ip arp inspection limit command to disable diagnostic disabling of untrusted ports due to DAI.

Why Is Traffic Snooping and Inspection Necessary?

DHCP Snooping, IPSG, and DAI are security features that can help protect the switch and the network against various types of accidental or malicious attacks. Consider enabling these features on ports that provide network access to hosts in physically unsecured locations, or where network users connect nonstandard hosts to the network.

For example, if an employee unknowingly connects a workstation to the network that has a DHCP server, and the DHCP server is enabled, hosts that attempt to acquire network information from the legitimate network DHCP server might obtain incorrect information from the rogue DHCP server. However, if the workstation with the rogue DHCP server is connected to a port that is configured as untrusted and is a member of a DHCP Snooping-enabled VLAN, the port discards the DHCP server messages.

Default Traffic Snooping and Inspection Values

DHCP snooping is disabled globally and on all VLANs by default. Ports are untrusted by default.

Table 27-1. Traffic Snooping Defaults

Parameter                                     Default Value
--------------------------------------------  ----------------------
DHCP snooping mode                            Disabled
DHCP snooping VLAN mode                       Disabled on all VLANs
Interface trust state                         Disabled (untrusted)
DHCP logging invalid packets                  Disabled
DHCP snooping rate limit                      15 packets per second
DHCP snooping burst interval                  1 second
DHCP snooping binding database storage        Local
DHCP snooping binding database write delay    300 seconds
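
The following Python model is an added example, not code from this guide or from the switch firmware. It walks through the rogue DHCP server case described above using the defaults in Table 27-1. The class and function names are hypothetical, and the rate-limit behavior (packets counted per burst interval on untrusted ports, port disabled when the limit is exceeded) is an assumption made for illustration.

```python
from dataclasses import dataclass

# DHCP message types (option 53, RFC 2132) that only a server sends.
SERVER_MSG_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}

@dataclass
class Port:
    name: str
    vlan: int
    trusted: bool = False   # Table 27-1: interfaces are untrusted by default
    rate_pps: int = 15      # Table 27-1: default DHCP snooping rate limit
    burst_s: int = 1        # Table 27-1: default burst interval (seconds)
    disabled: bool = False  # set when the port exceeds its rate limit
    _window: int = -1
    _count: int = 0

class SnoopingSwitch:
    def __init__(self, enabled=False, vlans=()):
        self.enabled = enabled   # default: snooping disabled globally
        self.vlans = set(vlans)  # default: snooping disabled on all VLANs

    def receive(self, port, msg_type, t):
        """Classify one DHCP packet seen on `port` at time t (seconds)."""
        if port.disabled:
            return "port-disabled"
        snooped = self.enabled and port.vlan in self.vlans
        if not snooped or port.trusted:
            return "forward"
        # Assumption: untrusted ports count DHCP packets per burst interval.
        window = int(t // port.burst_s)
        if window != port._window:
            port._window, port._count = window, 0
        port._count += 1
        if port._count > port.rate_pps * port.burst_s:
            port.disabled = True  # stays down until an administrator re-enables it
            return "port-disabled"
        # Server messages arriving on an untrusted port are discarded.
        return "drop" if msg_type in SERVER_MSG_TYPES else "forward"

def rogue_server_scenario():
    """Constructed scenario: VLAN 10 snooped, trusted uplink, untrusted desk port."""
    sw = SnoopingSwitch(enabled=True, vlans={10})
    uplink = Port("uplink", vlan=10, trusted=True)
    desk = Port("desk", vlan=10)
    return [sw.receive(desk, 1, 0.0),    # DISCOVER from the workstation port
            sw.receive(desk, 2, 0.1),    # OFFER from the rogue server
            sw.receive(uplink, 2, 0.1)]  # OFFER from the legitimate server
```

With the factory defaults (snooping disabled globally), the same rogue OFFER is forwarded, which is why both the global mode and the VLAN mode must be enabled before the untrusted port state has any effect.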