ip arp inspection vlan

To enable Dynamic ARP Inspection (DAI) for a list of VLANs, use the ip arp inspection vlan command. To disable DAI for a list of VLANs, use the no form of this command.

ip arp inspection vlan vlan-list [logging dhcp-bindings {permit | all | none}]

no ip arp inspection vlan vlan-list [logging dhcp-bindings {permit | all | none}]

Syntax Description


VLANs on which DAI is active. The vlan-list argument allows you to specify a single VLAN ID, a range of VLAN IDs, or comma-separated IDs and ranges (see the "Examples" section). Valid VLAN IDs are from 1 to 4096.


(Optional) Enables DAI logging for the VLANs specified.

•all—Logs all packets that match Dynamic Host Configuration Protocol (DHCP) bindings

•none—Does not log DHCP bindings packets (use this option to disable logging)

•permit—Logs DHCP binding permitted packets


Enables logging based on DHCP binding matches.


Enables logging of packets permitted by a DHCP binding match.


Enables logging of all packets.


Disables logging.

Command Default

Logging of dropped packets

Command Modes

Global configuration

Command History



This command was introduced.

Usage Guidelines

By default, the device logs dropped packets inspected by DAI.

This command does not require a license.


This example shows how to enable DAI on VLANs 13, 15, and 17 through 23:

switch# configure terminal 
switch(config)# ip arp inspection vlan 13,15,17-23 

Related Commands


ip arp inspection validate

Enables additional DAI validation.

show ip arp inspection

Displays the DAI configuration status.

show ip arp inspection vlan

Displays DAI status for a specified list of VLANs.

show running-config dhcp

Displays DHCP snooping configuration, including DAI configuration.