Dynamic ARP Inspection (DAI)

1. Introduction

Dynamic ARP Inspection (DAI) is a crucial security feature you need to understand if you want to protect your network from ARP spoofing and man-in-the-middle attacks.

Figure 1 – ARP Spoofing Attack with Forged GARP Message

Imagine a hacker sends a forged Gratuitous ARP (GARP) message claiming that 192.168.1.1 (your gateway) is associated with their own MAC address.

This tricks other devices on the network into updating their ARP tables with false information and that’s exactly the kind of attack DAI is designed to prevent.

But before diving deeper, let’s make sure you have a solid understanding of how ARP (Address Resolution Protocol) functions. That foundation will help you fully grasp the value of DAI.

2. ARP Protocol Refresher

As you may know, ARP (Address Resolution Protocol) maps IP addresses to MAC addresses within a local network. When a device knows only the IP address of another device, it uses ARP to discover the MAC address.

How ARP Works in a Local Network

To better understand ARP, let’s look at a simple network with the subnet 192.168.1.0/24.

Here we have a network 192.168.1.0/24:

Figure 2 – Network Topology (PC1, switch SW1, router R1 and a DHCP server on 192.168.1.0/24)

PC1 is configured using a DHCP server and has an IP address of 192.168.1.11 with a default gateway of 192.168.1.1.

Imagine PC1 wants to send a ping to 8.8.8.8!

Since the destination is outside the 192.168.1.0/24 subnet, PC1 must send the traffic through its default gateway (R1).

Visualizing ARP Step-by-Step

When the ping to 8.8.8.8 is initiated, PC1 first checks its ARP table for the MAC address of its default gateway, 192.168.1.1.

Figure 3 – ARP Process Begins: MAC Address Unknown

Since the MAC address of 192.168.1.1 is unknown…

Figure 4 – PC1 Sends ARP Request for Default Gateway MAC

PC1 sends an ARP Request to the local network:

“Who has 192.168.1.1? Tell me your MAC address!”

Figure 5 – ARP Request Broadcasted on the Network

The router (R1) receives the request and responds with an ARP Reply providing its MAC address.

Figure 6 – ARP Reply Received: MAC Address Learned

Now that PC1 knows the MAC address of 192.168.1.1…

Figure 7 – PC1 Updates ARP Table with Gateway MAC Address

It can send the ping to 8.8.8.8 through the default gateway!

Figure 8 – Successful Communication via Default Gateway

It’s a simple and efficient mechanism but unfortunately, it’s also vulnerable to attacks, as we’ll see in the next section.

3. ARP Vulnerabilities and Attacks

While ARP is fundamental to network communication, it was never designed with security in mind. That makes it an easy target for attackers who want to intercept or manipulate traffic.

One of the most common threats is the Man-in-the-Middle (MitM) attack using ARP spoofing.

Understanding Gratuitous ARP (GARP)

Before we explore how the attack works, let’s take a moment to understand Gratuitous ARP.

Unlike a normal ARP reply, a GARP message is sent without being requested.
It’s usually used by a device to announce its own IP/MAC binding, for example when the device comes online or changes its IP address.

A GARP message might say:

“I am 192.168.1.1 and my MAC address is XX:XX:XX:XX:XX:XX”

This is useful in normal operations, but attackers can abuse this behavior to poison ARP tables across the network.

Step-by-Step: ARP Spoofing Attack

Step 1: The Attacker Sends a Fake GARP

The attacker broadcasts a GARP message falsely claiming:

“Update your ARP table! The MAC address for 192.168.1.1 is now mine.”

Figure 9 – ARP Spoofing Attack with Forged GARP Message

Step 2: Devices Update Their ARP Tables

Devices like PC1 receive the spoofed message and overwrite their ARP entries, believing the attacker is the real router.

Figure 10 – ARP Table Poisoned: Traffic Redirected to Attacker

Step 3: Traffic Is Redirected

Now, when PC1 tries to communicate with its gateway (192.168.1.1), it sends the traffic to the attacker.

Figure 11 – Redirected Traffic After ARP Spoofing Attack

Step 4: The Attacker Intercepts and Relays

To remain invisible, the attacker forwards the traffic to the real router.
The user doesn’t notice anything, but the attacker now sees every packet.

Figure 12 – Attacker Intercepts and Relays Traffic (Man-in-the-Middle)

This technique is known as a Man-in-the-Middle attack and it’s extremely dangerous in networks without protection.

How to Stop It

To defend against this threat, networks use Dynamic ARP Inspection (DAI), a security feature that detects and blocks fake ARP messages in real time.

Let’s explore how DAI works in the next section.

4. How Dynamic ARP Inspection Works

Dynamic ARP Inspection (DAI) is a Layer 2 security feature that helps prevent ARP spoofing attacks. It does this by validating ARP messages received on untrusted switch ports.

Let’s break down exactly how it works.

Trusted vs Untrusted Ports

DAI operates by classifying each switch port into one of two categories:

  • Trusted ports
  • Untrusted ports

Figure 13 – Trusted (G0/0, G0/1) vs Untrusted (G0/2, G0/3) Ports in Dynamic ARP Inspection (DAI)

By default, all ports are considered untrusted.

Trusted Ports

These are typically uplinks to other network infrastructure devices (like routers or DHCP servers).
Because they’re under administrative control, ARP packets are not inspected on these interfaces.

On switch SW1:

G0/1 (connected to the DHCP server)
G0/0 (connected to R1)
→ These are marked as trusted.

Untrusted Ports

These are ports connected to end-user devices (PCs, laptops, etc.).
Since malicious activity is more likely to originate from these endpoints, DAI inspects all ARP packets received here.

G0/2 and G0/3 (user ports)
→ These are untrusted.

Step-by-Step: How DAI Validates ARP Packets

Step 1: Classify the Port

When an ARP message arrives, the switch checks:

  • If it’s from a trusted port → the packet is immediately forwarded.
  • If it’s from an untrusted port → the switch intercepts and inspects the ARP packet.

Figure 14 – Classify the Port for ARP Validation (inspection on untrusted port G0/3)

Step 2: Check the DHCP Snooping Binding Table

DAI doesn’t blindly trust ARP messages; it relies on a reference table to determine what’s valid.
That table is called the DHCP Snooping Binding Table.

This table is built by the DHCP Snooping feature and includes:

  • IP address of the client
  • MAC address of the client
  • Port number where the device is connected

Figure 15 – ARP Validation Using the DHCP Snooping Binding Table

It acts as a trusted list of legitimate IP-to-MAC bindings.

Step 3: Validate the ARP Packet

The switch compares the information in the ARP message against the binding table:

  • If the IP and MAC address match an entry → the packet is allowed.
  • If there is no match → the packet is dropped.

Step 4: Drop Spoofed ARP Messages

If an attacker tries to send a forged ARP message, the switch finds no binding that matches the claimed IP/MAC pair on that port:

🚫 Result: The ARP packet is immediately dropped, preventing the attack.
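The four steps above, modelled as a small Python simulation of SW1's decision for one ARP packet. This is an added example, not code from the original article or from any switch vendor; the binding table, port names and MAC addresses are constructed to match the 192.168.1.0/24 topology, and the check that the binding's port equals the ingress port is this model's reading of the "port number" column described above.

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding table for the 192.168.1.0/24 topology on SW1.
# MAC addresses are made up for this example; a real table is learned from the
# DHCP exchanges the switch observes.
BINDING_TABLE = {
    ("192.168.1.11", "aa:aa:aa:aa:aa:11"): "G0/3",  # PC1, learned via DHCP
}
# Uplinks to R1 (G0/0) and the DHCP server (G0/1); every other port is untrusted.
TRUSTED_PORTS = {"G0/0", "G0/1"}


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    sender_ip: str
    sender_mac: str


def dai_inspect(pkt: ArpPacket, bindings=BINDING_TABLE, trusted=TRUSTED_PORTS):
    """Model of the DAI decision for one ARP packet: returns (verdict, reason)."""
    # Step 1: trusted ports bypass inspection entirely.
    if pkt.ingress_port in trusted:
        return "forward", "trusted port, not inspected"
    # Steps 2 and 3: look up the sender's IP-to-MAC pair in the binding table.
    bound_port = bindings.get((pkt.sender_ip, pkt.sender_mac))
    if bound_port is None:
        return "drop", f"no binding for {pkt.sender_ip} -> {pkt.sender_mac}"
    # The binding also records where the client lives; a matching pair that
    # arrives on a different port is still invalid (modelling assumption).
    if bound_port != pkt.ingress_port:
        return "drop", f"binding is on {bound_port}, packet arrived on {pkt.ingress_port}"
    # Step 4 does not trigger: the packet matches, so it is forwarded.
    return "forward", "matches DHCP snooping binding"


# Constructed traffic: PC1's real request, R1's reply, and two forged packets
# from an attacker on G0/2 (MAC cc:cc:cc:cc:cc:02 is made up).
PC1_REQUEST = ArpPacket("G0/3", "192.168.1.11", "aa:aa:aa:aa:aa:11")
R1_REPLY = ArpPacket("G0/0", "192.168.1.1", "bb:bb:bb:bb:bb:01")
FORGED_GARP = ArpPacket("G0/2", "192.168.1.1", "cc:cc:cc:cc:cc:02")
FORGED_PC1 = ArpPacket("G0/2", "192.168.1.11", "aa:aa:aa:aa:aa:11")

if __name__ == "__main__":
    for pkt in (PC1_REQUEST, R1_REPLY, FORGED_GARP, FORGED_PC1):
        verdict, reason = dai_inspect(pkt)
        print(f"{pkt.ingress_port} {pkt.sender_ip:14} {pkt.sender_mac}: {verdict:7} ({reason})")
```

Running the same forged GARP with G0/2 added to the trusted set forwards it unchallenged, which is why trust belongs only on infrastructure uplinks and never on user ports.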

5. Conclusion

Dynamic ARP Inspection (DAI) is a critical Layer 2 security feature that protects your network against ARP spoofing and Man-in-the-Middle attacks.

It does so by:

  • Inspecting ARP messages on untrusted ports
  • Validating IP-to-MAC bindings using the DHCP Snooping Binding Table
  • Blocking fake ARP packets before they reach your devices

If you’re serious about network security, enabling DAI is non-negotiable!

But theory is one thing…
Let’s see how to activate and verify Dynamic ARP Inspection on your switches, step by step!