In earlier versions of V200R001, a DAI-enabled switch checks an incoming ARP packet against the binding table based on ACL rules delivered to the chip. An EAI-enabled switch sends the packet to the CPU, searches the outbound interface of the packet in the binding table, and then forwards the packet using software. Both DAI and EAI are Layer 2 functions, but the ACL rule for sending ARP packets to the CPU delivered by EAI takes preference over that delivered by DAI. Therefore, DAI does not check ARP packets and the ARP packets sent by unauthorized users to request MAC addresses of authorized users can be normally forwarded.
In V200R001 and later versions, a DAI-enabled switch checks ARP packets using software. This problem does not happen.