Mitigating Spoof Attacks
How to configure Dynamic ARP Inspection

Here are the commands used to configure DAI shown in Figures.  

It is generally advisable to configure all Access switch ports as untrusted and to configure all uplink ports connected to other switches as trusted. Here is an example of the configuration required on Switch 2 in the figure with port FastEthernet 3/3 as the uplink port toward the DHCP server.

Example: DAI Implementation
This example shows how to configure dynamic ARP inspection for hosts on VLAN1 where client devices are located for Switch 2 in the figure. All client ports are untrusted by default. Only port 3/3 is trusted as this is the only port where DHCP replies would be expected:

Switch(config)#ip arp inspection vlan 1
Switch(config)#interface fastethernet 3/3
Switch(config-if)#ip arp inspection trust