Rule ID
SV-253961r1212017_rule
Version
V2R5
CCIs
DAI intercepts ARP requests and verifies that each of these packets has a valid IP-to-MAC address binding before updating the local ARP cache and before forwarding the packet to the appropriate destination. Invalid ARP packets are dropped and logged. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in the DHCP snooping binding database. If the ARP packet is received on a trusted interface (e.g., access interface with a valid binding or a trunked interface), the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
Review the switch configuration to verify that DAI is enabled on all user VLANs with active access interfaces. Configuring DAI automatically enables DHCP snooping.
Devices such as printers, servers, and VoIP phones are under enterprise control and connected to controlled access interfaces (802.1x, Static MAC Bypass, or MAC RADIUS), making them trusted sources in nonuser-facing VLANs.
Verify DAI on user-facing or untrusted VLANs with active access interfaces.
user@host> show configuration vlans
<untrusted VLAN name> {
vlan-id <VLAN ID>;
forwarding-options {
dhcp-security {
arp-inspection;
}
}
}
Note: DAI depends on DHCP snooping or static MAC address bindings.
This check is not applicable to switches configured with user-facing or untrusted VLANs merely for inclusion in trunks (e.g., core or distribution switch without access interfaces assigned to user-facing or untrusted VLANs).
If DAI is not enabled on all user VLANs with active access interfaces, this is a finding.Configure the switch to have DAI enabled on all user VLANs with active access interfaces. 1. Enter configuration mode. 2. Configure user-facing or untrusted VLANs with active access interfaces with DAI. 3. Commit the configuration. user@host> configure Entering configuration mode user@host# set vlans <untrusted VLAN name> vlan-id <untrusted VLAN ID> user@host# set vlans <untrusted VLAN name> forwarding-options dhcp-security arp-inspection user@host# commit commit complete