Dynamic ARP Inspection 1

Topology

Tasks:

A company wants to secure its network from ARP spoofing and man-in-the-middle attacks. Recently, attackers have been using fake ARP replies to hijack network traffic.
To mitigate this, the network administrator must implement Dynamic ARP Inspection (DAI) on the company’s Layer 2 switch (SW1). Additionally, IP address validation must be enabled to check for invalid IP-to-MAC mappings.

  1. Enable Dynamic ARP Inspection (DAI) on VLAN 1.
  2. Trust the uplink port to the gateway.
  3. Enable IP address validation to prevent mismatched IP-to-MAC assignments.

Solution:

Task 1: Enable Dynamic ARP Inspection (DAI) on VLAN 1.

DAI relies on DHCP snooping to build a database of legitimate IP-to-MAC mappings, so before DAI can validate anything, DHCP snooping must be enabled on VLAN 1.

SW1# configure terminal
SW1(config)# ip dhcp snooping
SW1(config)# ip dhcp snooping vlan 1
SW1(config)# ip arp inspection vlan 1

ip dhcp snooping: Activates DHCP Snooping globally on the switch.
ip dhcp snooping vlan 1: Enables DHCP Snooping specifically for VLAN 1.
ip arp inspection vlan 1: Enables Dynamic ARP inspection on VLAN 1.


Task 2: Trust the uplink port to the gateway.

ARP replies from the gateway are legitimate by design, so trusting the uplink prevents DAI from dropping valid ARP packets from R1. The uplink must also be trusted for DHCP snooping; otherwise DHCP replies from the router are dropped and client devices never receive IP addresses.

SW1(config)# interface g0/1
SW1(config-if)# ip arp inspection trust
SW1(config-if)# ip dhcp snooping trust
SW1(config-if)# exit


Task 3: Enable IP address validation to prevent mismatched IP-to-MAC assignments.

By default, DAI checks only the MAC address in ARP packets, so it does not protect against attacks that use fake IP addresses. Enabling IP validation closes that gap.

SW1(config)# ip arp inspection validate src-mac dst-mac ip

src-mac: Ensures the source MAC address in the ARP packet matches the Ethernet frame.
dst-mac: Checks that the destination MAC address in ARP matches the intended recipient.
ip: Ensures that the IP address in the ARP packet is assigned to the correct MAC address.

Now exit configuration mode and save the configuration.

SW1(config)# end
SW1# write memory
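As an added illustration (not part of the lab and not Cisco code), the Python model below shows the decision DAI makes for each ARP frame once the three tasks above are in place: frames arriving on the trusted uplink g0/1 pass uninspected, while frames on untrusted ports must pass the src-mac, dst-mac and ip checks and then match a DHCP snooping binding. The checks follow Cisco's documented semantics (src-mac on requests and replies, dst-mac on replies only, ip rejecting 0.0.0.0, 255.255.255.255 and multicast addresses). The host and gateway addresses, the MACs, the access ports g0/2 and g0/3, and the sample frames are all constructed for the demonstration.

```python
"""Model of the per-frame decision Dynamic ARP Inspection makes on a switch port.
Added illustration, not Cisco code: binding-table lookup on untrusted ports plus
the optional src-mac, dst-mac and ip validations, run over constructed ARP frames."""
from dataclasses import dataclass
from ipaddress import ip_address

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
REQUEST, REPLY = 1, 2  # ARP opcodes


@dataclass(frozen=True)
class ArpFrame:
    ingress_port: str
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    opcode: int       # REQUEST or REPLY
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class DaiSwitch:
    trusted_ports: set
    bindings: dict    # DHCP snooping binding table: IP -> MAC (single VLAN modelled)
    validate_src_mac: bool = False
    validate_dst_mac: bool = False
    validate_ip: bool = False

    @staticmethod
    def _invalid_ip(ip: str) -> bool:
        """Addresses the 'ip' validation treats as invalid or unexpected."""
        return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast

    def inspect(self, f: ArpFrame) -> tuple:
        """Return (forwarded, reason) for one ARP frame. Every check must pass;
        the order below is for readability, not a claim about hardware order."""
        if f.ingress_port in self.trusted_ports:
            return True, "trusted port, not inspected"
        if self.validate_src_mac and f.eth_src.lower() != f.sender_mac.lower():
            return False, "src-mac: Ethernet source != ARP sender MAC"
        if (self.validate_dst_mac and f.opcode == REPLY
                and f.eth_dst.lower() != f.target_mac.lower()):
            return False, "dst-mac: Ethernet destination != ARP target MAC"
        if self.validate_ip:
            if self._invalid_ip(f.sender_ip):
                return False, f"ip: invalid sender IP {f.sender_ip}"
            if f.opcode == REPLY and self._invalid_ip(f.target_ip):
                return False, f"ip: invalid target IP {f.target_ip}"
        # Core DAI check: sender IP/MAC must match a DHCP snooping binding.
        bound_mac = self.bindings.get(f.sender_ip)
        if bound_mac is None or bound_mac.lower() != f.sender_mac.lower():
            return False, f"no binding for {f.sender_ip} -> {f.sender_mac}"
        return True, "binding matched"


# Constructed addresses for the demo (the lab topology gives none).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:aa:bb:cc:dd:01"
PC1_IP, PC1_MAC = "192.168.1.10", "00:11:22:33:44:01"
PC2_IP, PC2_MAC = "192.168.1.11", "00:11:22:33:44:02"
UNKNOWN_MAC = "00:11:22:33:44:99"   # host with no DHCP lease


def build_demo_switch() -> DaiSwitch:
    """SW1 after tasks 1-3: uplink g0/1 trusted, all validations on."""
    return DaiSwitch(trusted_ports={"g0/1"},
                     bindings={PC1_IP: PC1_MAC, PC2_IP: PC2_MAC},
                     validate_src_mac=True, validate_dst_mac=True, validate_ip=True)


DEMO_FRAMES = {
    "pc1_request": ArpFrame("g0/2", PC1_MAC, BROADCAST_MAC, REQUEST,
                            PC1_MAC, PC1_IP, "00:00:00:00:00:00", GATEWAY_IP),
    "gateway_reply": ArpFrame("g0/1", GATEWAY_MAC, PC1_MAC, REPLY,
                              GATEWAY_MAC, GATEWAY_IP, PC1_MAC, PC1_IP),
    "spoofed_gateway_reply": ArpFrame("g0/3", UNKNOWN_MAC, PC1_MAC, REPLY,
                                      UNKNOWN_MAC, GATEWAY_IP, PC1_MAC, PC1_IP),
    "mac_mismatch": ArpFrame("g0/3", UNKNOWN_MAC, PC1_MAC, REPLY,
                             PC2_MAC, PC2_IP, PC1_MAC, PC1_IP),
    "zero_sender_ip": ArpFrame("g0/2", PC1_MAC, BROADCAST_MAC, REQUEST,
                               PC1_MAC, "0.0.0.0", "00:00:00:00:00:00", PC1_IP),
}


def run_demo() -> dict:
    """Inspect every sample frame on the configured switch; returns name -> (forwarded, reason)."""
    sw = build_demo_switch()
    return {name: sw.inspect(frame) for name, frame in DEMO_FRAMES.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:24s} {'FORWARD' if ok else 'DROP':8s} {why}")
```

Running the file prints one line per sample frame. The binding lookup is what stops the reply that claims the gateway's IP: a host with no DHCP lease for that address cannot pass DAI on an untrusted port, which is why the DHCP snooping table must be populated before DAI is useful. The same lookup drops statically addressed hosts on untrusted ports, since they have no binding either; such hosts need a static binding or an ARP ACL, which this lab does not cover.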


Packet Tracer File

A ZIP file containing a Packet Tracer Activity (.pka) file for this lab is available for download; the activity automatically tracks your progress as you configure the network.