CCIE Pursuit Blog

June 9, 2009

Core Knowledge Question of the Day: 09 June 2009

The Dynamic ARP Inspection and IP Source Guard features both require which additional feature to be configured?

Highlight for answer:  DHCP Snooping must be enabled.  Both Dynamic ARP Inspection and IP Source Guard rely on the DHCP Snooping database.


  1. Hey, I could never find any documentation saying DHCP snooping is required for DAI. For the ip verify for sure, but not DAI. Have you found documentation stating otherwise? I’m dying to see it, since I’ve failed to find it myself, so if you got a link, please share.

    Comment by luisgarcia — June 9, 2009 @ 11:50 am | Reply

  2. luisgarcia:

    In the 3750 config guide it says:

    “Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch.”

    So it doesn’t come out and explicitly say you need DHCP snooping, but the idea is there.

    Comment by Peter — June 9, 2009 @ 12:12 pm | Reply


  3. Config Guidelines and Restrictions:

    “Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses.”

    Comment by Radhakrishna — June 9, 2009 @ 9:28 pm | Reply

  4. Just for fun, you can force DAI to not require DHCP snooping by defining your own ARP access list — but for all practical purposes, you need DHCP snooping if you really want to implement DAI:

    #ip arp inspection filter my-arp-acl vlan <vlan-range> static

    The static keyword at the end would not consult DHCP snoop database.

    Comment by Mehul — November 23, 2009 @ 4:22 pm | Reply
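
The two approaches discussed in the comments above, shown as an added configuration example that is not part of the original post or its comments: DAI and IP Source Guard backed by the DHCP snooping binding database, and an ARP ACL for a statically addressed host. VLAN 10, the interface numbers and the IP/MAC pair are constructed sample values; my-arp-acl is the ACL name used in the comment above.

```cisco
! Constructed sample values: VLAN 10, interface numbers, IP/MAC pair.
! --- DHCP snooping builds the binding database both features read ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! --- DAI validates ARP on VLAN 10 against those bindings ---
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/1
 description Uplink toward the DHCP server (trusted)
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet1/0/2
 description Access port (untrusted by default)
 switchport mode access
 switchport access vlan 10
 ! IP Source Guard: filter source IP using the snooping bindings
 ip verify source
!
! --- ARP ACL for a statically addressed host with no DHCP binding ---
arp access-list my-arp-acl
 permit ip host 10.0.10.5 mac host 0011.2233.4455
!
! Without "static": ARP packets that match no ACL entry are still
! checked against the DHCP snooping bindings.
ip arp inspection filter my-arp-acl vlan 10
!
! With "static": the ACL's implicit deny applies and the DHCP snooping
! bindings are not consulted (use instead of the line above).
! ip arp inspection filter my-arp-acl vlan 10 static
```

The resulting state can be checked with `show ip dhcp snooping binding`, `show ip arp inspection vlan 10` and `show ip verify source`.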
