Hi @bluesea2010,
A lot of good other comments by others in this thread.
I think we can agree DHCP snooping is not required for DAI. However, as your switch is an L3 access switch, it most likely has clients connected to the switch who will obtain their IP address through DHCP. If this is the case, the only practical implementation of DAI is to use it with DHCP snooping. You can't manage ARP ACLs in an environment where your switch is connected to clients that have dynamic IP addressing, because DHCP leases can change. This could mean clients renew their DHCP lease, get a different IP, and that ACL is then no longer a match and ARP requests/replies are invalidated. There are ways in which you can use ARP ACLs to reference a range of IPs that can be tied to trusted MACs, but that still allows the possibility for other network attacks. There's also not really much point if you can use DHCP snooping. Even with DHCP snooping you will need ARP ACLs if you have any devices (e.g. servers) with static IP addresses though as there will not be an entry in the snooping database for them. Before enabling DAI you should check that the DHCP snooping binding database is populated accordingly with 'show ip dhcp snooping binding'
Your basic configuration could look something like this:
CONFIG:
ip dhcp snooping
ip dhcp snooping vlan 10
!
ip arp inspection vlan 10
OPTIONAL CONFIG (FOR YOUR DEVICES WITH STATIC IP):
arp access-list DAI_STATIC_IP_LIST
permit ip host x.x.x.x mac host aaaa.aaaa.aaaa
permit ip host y.y.y.y mac host bbbb.bbbb.bbbb
(etc.)
!
ip arp inspection filter DAI_STATIC_IP_LIST vlan 10 {static}
If you do have a DHCP server and it happens to be in VLAN 10 on another switch port connected to the same L3 access switch then you will need to configure that interface as 'ip dhcp snooping trust' and 'ip arp inspection trust'. (or use ARP ACL, but former is preferred). If the DHCP server is remote, or in a different VLAN for which DAI is not configured, then no further action is needed. If your L3 access switch is connected via an L2 trunk to another switch you will also need to take this into consideration with the ARP inspection config as well. Of course in your case there shouldn't be an L2 switch connected, at least under a proper hierarchical design, but it's just a note. Specifically, that interface needs an 'ip arp inspection trust' command under the interface as well. If there is no DHCP running at all for any clients connected to the switch, just use an ARP ACL for every device and turn off DHCP snooping.
The two interfaces you have posted (Te1/1 and Gi0/1) do not need any changes, but I recommend you to consult the documentation for feature enhancements like ARP rate limiting (a default is already configured) and additional DAI validation features that can perform additional checks on top and in addition to the basic validation.
