DAI combined with DHCP snooping binding table secures against man in the middle by blocking ARP requests not in binding table.
I am using DAI in combination with PVLANs, however arp entries do not flush even after the configured arp time out expires. This means, DAI no longer works for me as when DHCP binding table is flushed for a given MAC address, the ARP entry mapping still exist...so I can still communicate with host on other end of PVLAN.
When I clear the arp entry manually, DAI seems to function by disallowing a new MAC-IP mapping.
1-Sticky arp has been disabled globally.
2-port is definitely not trusted for either ARP or DHCP.
Any thoughts ?