DAI and EAI Are Enabled on a Switch. Why Can the Switch Forward ARP Packets Sent
In earlier versions of V200R001, a DAI-enabled switch checks an incoming ARP packet against the binding table using ACL rules delivered to the chip. An EAI-enabled switch sends the packet to the CPU, looks up the packet's outbound interface in the binding table, and then forwards the packet in software. Both DAI and EAI are Layer 2 functions, but the ACL rule that EAI delivers for sending ARP packets to the CPU takes precedence over the rule delivered by DAI. Therefore, DAI does not check ARP packets, and ARP packets sent by unauthorized users to request the MAC addresses of authorized users are forwarded normally. In V200R001 and later versions, a DAI-enabled switch checks ARP packets in software, so this problem does not occur.

Another question...

Q: DAI Is Enabled on a Switch, and the Source MAC Address of an ARP Packet Is Checked Against the Source MAC Address in an Ethernet Frame Header. An ARP Packet with its Source MAC Address Different from that in the Ethernet Frame Header Can Pass the Check. Why?

A: In earlier versions of V200R001, a DAI-enabled switch checks ARP packets based on ACL rules delivered to the chip. However, the comparison of the source MAC address in the ARP packet with that in the Ethernet frame header is performed by software, which requires the ARP packet to be sent to the CPU. After the chip-based DAI check, the packet is not sent to the CPU, so the source MAC address in the ARP packet and that in the Ethernet frame header are never compared.
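
The two software checks discussed in both answers (binding-table lookup and ARP/Ethernet source MAC comparison) can be sketched as follows. This is an added example, not Huawei's implementation; the binding table contents, the interface name and the function names are constructed, and it assumes untagged frames and a binding keyed on IP and MAC only.

```python
import struct

# Constructed binding table for illustration: (IP, MAC) -> access interface.
BINDINGS = {("10.0.0.5", "00:11:22:33:44:55"): "GE0/0/1"}

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s):
    return bytes(int(p) for p in s.split("."))

def arp_request(eth_src, sender_mac, sender_ip, target_ip):
    """Build an untagged Ethernet frame carrying an ARP request (sample input)."""
    eth = b"\xff" * 6 + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += b"\x00" * 6 + ip_bytes(target_ip)
    return eth + arp

def dai_check(frame, in_if, bindings=BINDINGS):
    """Return (verdict, reason) for one untagged frame received on in_if."""
    if len(frame) < 14:
        return ("drop", "truncated frame")
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return ("forward", "not ARP")
    if len(frame) < 42:
        return ("drop", "truncated ARP")
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ("drop", "not Ethernet/IPv4 ARP")
    # Check 1: ARP sender MAC must equal the Ethernet header source MAC.
    if sha != eth_src:
        return ("drop", "ARP sender MAC != Ethernet source MAC")
    # Check 2: sender IP/MAC must be bound to the receiving interface.
    key = (".".join(map(str, spa)), sha.hex(":"))
    if bindings.get(key) != in_if:
        return ("drop", "no matching binding entry")
    return ("forward", "ok")

if __name__ == "__main__":
    ok = arp_request("00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.0.5", "10.0.0.1")
    bad = arp_request("de:ad:be:ef:00:01", "00:11:22:33:44:55", "10.0.0.5", "10.0.0.1")
    print(dai_check(ok, "GE0/0/1"))
    print(dai_check(bad, "GE0/0/1"))
```

A frame that matches the binding table but carries a different Ethernet source MAC is caught only by check 1, which is the check the second answer says was skipped when the packet never reached the CPU.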
