How to Implement the DAI function of the CISCO switch: 1. To prevent ARP spoofing, you need to establish a trusted, real, and secure ARP cache database, this database can be obtained through DHCP detection or statically bound. 2. ARP responses from untrusted ports will be intercepted and compared. If the interface for comparison is not authentic, the response will be discarded. 3. Trust ports are not intercepted and compared. Q: As mentioned above, you need to establish a trusted IP address to the database bound to the MAC for comparison. Therefore, you need to use static binding or DHCP Snooping to generate. Secondly, define the scope of the DAI check, that is, the subnet or VLAN (ip arp inspection vlan 1, check vlan1, that is, the vlan1 subnet), and then define the trusted interface, ip arp inspection trust can be used for any interface. However, if you know that the subnet connected to an interface is performing ARP spoofing, obviously, this interface is not suitable for this statement ...... the following are some detailed configurations: 1. Define the enabled range switch (config) # ip arp inspection vlan-range 2. Set the trusted interface switch (config) # interfac interface switch (config-if) # ip arp inspection trust 3. ip addresses are configured statically on the host and cannot be detected using dhcp, therefore, you need to manually configure and define static arp check to bind switch (config) # arp access-list acl_name switch (config-acl) # permit ip host sender_ip mac host sender_mac [log] apply arp access list to DAI switch (config) # ip arp inspection filter arp_acl_name vlan vlan_range [static] verify dai address switch (config) # ip arp inspection validate {src-mac | dst-mac | ip} (2) Check the show ip arp inspection author ehlopxp