Dynamic ARP Inspection (DAI) is a security feature that intercepts and validates Address Resolution Protocol (ARP) packets in a network. It ensures that only legitimate ARP requests and responses are relayed, preventing ARP spoofing and man-in-the-middle attacks.
Conditions Allowing ARP Packets to Pass DAI Checks:
IP/MAC Pair in the DHCP Binding Database:
When DHCP snooping is enabled, the switch maintains a binding table of IP-to-MAC address mappings assigned by the DHCP server.
DAI uses this database to verify that ARP packets have legitimate IP/MAC address pairs.
If the ARP packet's IP/MAC pair matches an entry in the DHCP binding database, it passes the DAI check.
Static ARP Entry with Inspection Flag Set:
Administrators can configure static ARP entries for known devices, marking them as trusted for DAI purposes.
These entries record the IP/MAC pair and carry an inspection flag indicating that DAI should accept ARP packets matching them.
An ARP packet matching a static entry with the inspection flag set will pass the DAI check.
Request Originated on a Trusted Port:
Ports can be designated as trusted, typically those connected to other switches or network devices.
DAI does not inspect ARP packets arriving on trusted ports, assuming they are from legitimate sources.
Therefore, ARP requests or responses from a trusted port pass the DAI check.
References:
For more information on configuring DAI and related security features, refer to the RUCKUS FastIron Layer 3 Routing Configuration Guide: Dynamic ARP Inspection overview
Implementing DAI with these conditions helps protect the network from ARP-based attacks by ensuring that only validated ARP traffic is permitted.
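The three admission conditions above, expressed as a small simulation (added example, not configuration or code from the RUCKUS guide). The binding table, static entries, port names and addresses are constructed sample data; the decision logic mirrors the allow-list behaviour described: a packet on an untrusted port is dropped unless its sender IP/MAC pair is in the DHCP snooping bindings or matches a static entry whose inspection flag is set.

```python
from dataclasses import dataclass

# All addresses, port names and table contents below are constructed for this
# example; they are not taken from any real device.


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str   # switch port the ARP frame arrived on
    sender_ip: str      # ARP sender protocol address
    sender_mac: str     # ARP sender hardware address


# Condition 1: IP/MAC pairs learned by DHCP snooping from DHCP ACKs.
DHCP_BINDINGS = {
    ("10.0.0.10", "00:11:22:33:44:10"),
    ("10.0.0.11", "00:11:22:33:44:11"),
}

# Condition 2: static ARP entries, ip -> (mac, inspect_flag).
# Only entries with the flag set satisfy DAI.
STATIC_ARP = {
    "10.0.0.1": ("00:11:22:33:44:01", True),   # default gateway, flagged
    "10.0.0.2": ("00:11:22:33:44:02", False),  # present but not flagged
}

# Condition 3: trusted ports (e.g. uplinks to other switches); not inspected.
TRUSTED_PORTS = {"1/1/48"}


def dai_check(pkt: ArpPacket) -> str:
    """Return the condition that admits the packet, or 'drop' if none applies."""
    if pkt.ingress_port in TRUSTED_PORTS:
        return "trusted-port"
    if (pkt.sender_ip, pkt.sender_mac) in DHCP_BINDINGS:
        return "dhcp-binding"
    entry = STATIC_ARP.get(pkt.sender_ip)
    if entry is not None and entry == (pkt.sender_mac, True):
        return "static-inspect"
    return "drop"


def filter_arp(packets):
    """Apply DAI to a batch and return [(packet, verdict), ...] for logging."""
    return [(p, dai_check(p)) for p in packets]
```

A packet on an untrusted port that claims the gateway's IP with a MAC other than the flagged static entry falls through every condition and is dropped, which is the case DAI exists to catch.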