DHCP Snooping and Dynamic ARP Inspection (DAI) must be configured on end-user VLANs and on VLANs that serve public areas; this is a requirement.
The combination of DHCP Snooping and DAI is used to mitigate ARP poisoning and man-in-the-middle attacks on the enterprise network: DHCP snooping builds the IP-to-MAC binding table from the DHCP traffic it observes, and DAI checks every ARP packet arriving on an untrusted port against that table.
DAI configuration for end-user ports:
ip dhcp snooping vlan <users,phone> > Enables DHCP snooping on the end-user and voice VLANs (DHCP snooping must also be enabled globally, otherwise no bindings are learned).
ip arp inspection vlan <users,phone> > Enables DAI on the same VLANs.
Leave all end-user ports untrusted for DAI and trust all the uplinks.
ip dhcp snooping trust > Must be placed on all uplinks (trunks); by default all ports are untrusted.
ip arp inspection trust > Must be placed on all uplinks (trunks).
ip arp inspection validate src-mac > Additionally checks that the sender MAC inside the ARP packet matches the Ethernet source MAC of the frame.
ip dhcp snooping database bootflash:dhcpsnooping.txt > Saves and dynamically updates the DHCP snooping binding table in bootflash. In case of a switch reload the saved bindings are restored from this file, so existing clients are not cut off until they renew their lease.
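The checklist above is easy to get wrong on a large switch (a VLAN added to snooping but not to DAI, a new uplink left untrusted, an access port trusted by mistake). The following script is an added example, not part of the original note: it parses a constructed IOS-style running-config and reports exactly those gaps. The interface names, VLAN numbers and descriptions in SAMPLE_CONFIG are made up for the example; the commands it looks for are the ones listed above.

```python
"""Audit an IOS-style running-config against the DHCP snooping / DAI baseline.

Added example (not from the original note). It parses a small constructed
running-config and reports: user VLANs missing from snooping or DAI, trunk
uplinks left untrusted, access ports wrongly trusted, and missing global
enable / validate / database commands.
"""
import re

# Constructed sample running-config (not a real device) with deliberate gaps.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip dhcp snooping database bootflash:dhcpsnooping.txt
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/1
 description uplink to core
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/2
 description uplink to core-2
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/10
 description user port
 switchport mode access
 switchport access vlan 10
 ip arp inspection trust
!
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 20
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Return (list of global commands, {interface name: [its sub-commands]})."""
    globals_, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the interface block
            if line.strip() and line.strip() != "!":
                globals_.append(line.strip())
    return globals_, interfaces


def audit(text, user_vlans):
    """Return a sorted list of findings for the VLANs that must be protected."""
    globals_, interfaces = parse_config(text)
    findings = []
    snoop, dai = set(), set()
    for g in globals_:
        m = re.match(r"ip dhcp snooping vlan (\S+)", g)
        if m:
            snoop |= expand_vlans(m.group(1))
        m = re.match(r"ip arp inspection vlan (\S+)", g)
        if m:
            dai |= expand_vlans(m.group(1))
    if "ip dhcp snooping" not in globals_:
        findings.append("global: 'ip dhcp snooping' missing (snooping not enabled)")
    for v in sorted(set(user_vlans) - snoop):
        findings.append(f"vlan {v}: not in 'ip dhcp snooping vlan'")
    for v in sorted(set(user_vlans) - dai):
        findings.append(f"vlan {v}: not in 'ip arp inspection vlan'")
    if "ip arp inspection validate src-mac" not in globals_:
        findings.append("global: 'ip arp inspection validate src-mac' missing")
    if not any(g.startswith("ip dhcp snooping database ") for g in globals_):
        findings.append("global: no 'ip dhcp snooping database' (bindings lost on reload)")
    for name, lines in interfaces.items():
        is_trunk = "switchport mode trunk" in lines
        snoop_trust = "ip dhcp snooping trust" in lines
        dai_trust = "ip arp inspection trust" in lines
        if is_trunk:
            if not snoop_trust:
                findings.append(f"{name}: trunk without 'ip dhcp snooping trust'")
            if not dai_trust:
                findings.append(f"{name}: trunk without 'ip arp inspection trust'")
        elif snoop_trust or dai_trust:
            findings.append(f"{name}: access port must not be trusted")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {10, 20}):
        print(finding)
```

Run against the constructed config it reports four findings: VLAN 20 is not covered by DAI, the first uplink lacks `ip arp inspection trust`, the user port on Gi1/0/10 is trusted, and `validate src-mac` is missing. Feed it `show running-config` output and the set of end-user and public-area VLAN IDs to check a real switch.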
Once configured, every ARP packet received on an untrusted port in these VLANs is inspected for a corresponding entry in the binding table. If a matching binding exists, the packet is allowed to pass. If not, the packet is dropped and logged.
The default rate limit for ARP inspection on untrusted interfaces is 15 packets per second. It is configurable per interface with the following command:
ip arp inspection limit rate <pps>
An interface that exceeds its limit is placed in the err-disabled state, so a poisoning host floods itself off the network rather than past the inspection.
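The "dropped and logged" and rate-limit behaviour only helps if someone reads the logs. The script below is an added example, not part of the original note: it parses DAI syslog lines and flags ports that look like ARP poisoning sources, either because they accumulated denied ARPs or because the rate limiter err-disabled them. The message formats are modelled on the Cisco IOS %SW_DAI and %PM messages and may differ slightly by platform; the log lines in SAMPLE_LOGS, interface names and addresses are constructed, not captured from a real switch.

```python
"""Parse DAI syslog lines and flag likely ARP poisoning sources.

Added example, not part of the original note. Message formats are modelled on
the IOS %SW_DAI-4-DHCP_SNOOPING_DENY / PACKET_RATE_EXCEEDED and
%PM-4-ERR_DISABLE messages; the sample lines below are constructed.
"""
import re
from collections import Counter

# Constructed sample syslog lines (not from a real switch).
SAMPLE_LOGS = """\
Mar  4 10:22:01.123: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/5, vlan 10.([0011.2233.4455/10.1.1.50/0000.0000.0000/10.1.1.1/10:22:01 UTC Mon Mar 4 2024])
Mar  4 10:22:02.456: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi1/0/5, vlan 10.([0011.2233.4455/10.1.1.1/aabb.ccdd.eeff/10.1.1.50/10:22:02 UTC Mon Mar 4 2024])
Mar  4 10:22:03.789: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi1/0/5, vlan 10.([0011.2233.4455/10.1.1.1/aabb.ccdd.eeff/10.1.1.50/10:22:03 UTC Mon Mar 4 2024])
Mar  4 10:22:04.012: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 250 milliseconds on Gi1/0/5.
Mar  4 10:22:04.013: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi1/0/5, putting Gi1/0/5 in err-disable state
Mar  4 10:30:00.000: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/12, vlan 20.([00aa.bbcc.ddee/10.1.2.77/0000.0000.0000/10.1.2.1/10:30:00 UTC Mon Mar 4 2024])
"""

# Fields inside the brackets: sender MAC / sender IP / target MAC / target IP / time.
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) on "
    r"(?P<iface>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/")
RATE_RE = re.compile(r"%SW_DAI-4-PACKET_RATE_EXCEEDED: .* on (?P<iface>\S+)\.")
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: arp-inspection error detected on (?P<iface>\S+),")


def parse_line(line):
    """Classify one syslog line; return a dict, or None if it is not a DAI event."""
    m = DENY_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "deny"
        ev["count"] = int(ev["count"])
        ev["vlan"] = int(ev["vlan"])
        return ev
    m = RATE_RE.search(line)
    if m:
        return {"event": "rate_exceeded", "iface": m.group("iface")}
    m = ERRDIS_RE.search(line)
    if m:
        return {"event": "err_disabled", "iface": m.group("iface")}
    return None


def summarize(text, deny_threshold=3):
    """Aggregate DAI events per interface and flag suspicious ports.

    A port is flagged when it accumulated at least deny_threshold denied ARPs
    or was err-disabled by the DAI rate limiter. The list of sender IPs the
    port claimed is kept: a user port claiming the gateway address is the
    classic poisoning signature.
    """
    denies, claimed_ips, errdis = Counter(), {}, set()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "deny":
            denies[ev["iface"]] += ev["count"]
            claimed_ips.setdefault(ev["iface"], set()).add(ev["sip"])
        elif ev["event"] == "err_disabled":
            errdis.add(ev["iface"])
    flagged = {}
    for iface in set(denies) | errdis:
        if denies[iface] >= deny_threshold or iface in errdis:
            flagged[iface] = {
                "denied": denies[iface],
                "claimed_ips": sorted(claimed_ips.get(iface, ())),
                "err_disabled": iface in errdis,
            }
    return flagged


if __name__ == "__main__":
    for iface, info in sorted(summarize(SAMPLE_LOGS).items()):
        print(iface, info)
```

On the constructed sample only Gi1/0/5 is flagged: three denied ARPs, two of them claiming the gateway address 10.1.1.1 from a MAC the binding table does not know, followed by the rate limiter err-disabling the port. Gi1/0/12 produced a single deny, which is normal noise (a static host, a stale lease) and stays below the threshold. An err-disabled port stays down until it is manually bounced or an errdisable recovery timer for the arp-inspection cause is configured, so these events deserve a ticket rather than a silent auto-recovery.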
Thanks