ip arp inspection vlan

To enable Dynamic ARP Inspection (DAI) for a list of VLANs, use the ip arp inspection vlan command. To disable DAI for a list of VLANs, use the no form of this command.

ip arp inspection vlan vlan-list [logging dhcp-bindings {permit | all | none}]

no ip arp inspection vlan vlan-list [logging dhcp-bindings {permit | all | none}]

Syntax Description

vlan-list

VLANs on which DAI is active. The vlan-list argument allows you to specify a single VLAN ID, a range of VLAN IDs, or comma-separated IDs and ranges (see the "Examples" section). Valid VLAN IDs are from 1 to 4096.

logging

(Optional) Enables DAI logging for the VLANs specified.

•all—Logs all packets that match Dynamic Host Configuration Protocol (DHCP) bindings

•none—Does not log DHCP bindings packets (use this option to disable logging)

•permit—Logs DHCP binding permitted packets

dhcp-bindings

Enables logging based on DHCP binding matches.

permit

Enables logging of packets permitted by a DHCP binding match.

all

Enables logging of all packets.

none

Disables logging.


Command Default

Logging of dropped packets

Command Modes

Global configuration

Command History

Release
Modification

5.0(3)N1(1)

This command was introduced.


Usage Guidelines

By default, the device logs dropped packets inspected by DAI.

This command does not require a license.

Examples

This example shows how to enable DAI on VLANs 13, 15, and 17 through 23:

switch# configure terminal 
switch(config)# ip arp inspection vlan 13,15,17-23 
switch(config)# 

Related Commands

Command
Description

ip arp inspection validate

Enables additional DAI validation.

show ip arp inspection

Displays the DAI configuration status.

show ip arp inspection vlan

Displays DAI status for a specified list of VLANs.

show running-config dhcp

Displays DHCP snooping configuration, including DAI configuration.