Dynamic ARP Inspection (DAI)

Course Contents
1. Introduction
What is DAI and Why Should You Care?
Dynamic ARP Inspection (DAI) is a Layer 2 switch security feature you need to understand if you want to protect a local network from ARP spoofing and the man-in-the-middle attacks built on it.

Imagine an attacker sends a forged Gratuitous ARP (GARP) message claiming that 192.168.1.1 (your gateway) belongs to their own MAC address.
Other devices on the segment update their ARP tables with that false binding, and from then on traffic meant for the gateway goes to the attacker. That is exactly the kind of attack DAI is designed to prevent.
But before diving deeper, let’s make sure you have a solid understanding of how ARP (Address Resolution Protocol) functions. That foundation will help you fully grasp the value of DAI.
2. ARP Protocol Refresher
What is ARP?
As you may know, ARP (Address Resolution Protocol) maps IP addresses to MAC addresses within a local network. When a device knows only the IP address of another device, it uses ARP to discover the MAC address.
How ARP Works in a Local Network
To better understand ARP, let’s look at a simple network using the subnet 192.168.1.0/24:

PC1 obtained its configuration from the DHCP server: IP address 192.168.1.11 with a default gateway of 192.168.1.1.
Imagine PC1 wants to send a ping to 8.8.8.8!
Since the destination is outside the 192.168.1.0/24 subnet, PC1 must send the traffic through its default gateway (R1).
Visualizing ARP Step-by-Step
When the ping to 8.8.8.8 is initiated, PC1 first checks its ARP cache (ARP table) for the MAC address of its next hop, the gateway 192.168.1.1.

Since the MAC address of 192.168.1.1 is unknown…

PC1 sends an ARP Request to the local network:
“Who has 192.168.1.1? Tell me your MAC address!”

The router (R1) receives the broadcast request and answers with a unicast ARP Reply containing its MAC address. Every other host on the segment also sees the request and simply ignores it.

Now that PC1 knows the MAC address of 192.168.1.1…

It can send the ping to 8.8.8.8 through the default gateway!

It’s a simple and efficient mechanism, but unfortunately it has no authentication of any kind, which makes it vulnerable to attacks, as we’ll see in the next section.
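The exchange above, played out on the wire, as an added example that is not part of the original course. It builds and decodes the Ethernet/ARP frames for PC1's request and R1's reply using only the Python standard library; the MAC addresses are constructed for the example and nothing is sent on a real network.

```python
"""Added example: PC1 resolves its next hop for 8.8.8.8 with an ARP request/reply.
MACs are constructed values; IPs follow the course's 192.168.1.0/24 network."""
import ipaddress
import struct

PC1_IP, PC1_MAC = "192.168.1.11", "00:11:22:33:44:55"   # constructed MAC
R1_IP, R1_MAC = "192.168.1.1", "aa:bb:cc:dd:ee:01"      # constructed MAC
SUBNET = ipaddress.ip_network("192.168.1.0/24")
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_FMT = "!6s6sH"        # Ethernet II: dst MAC, src MAC, EtherType
ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def next_hop(dst_ip: str) -> str:
    """IP that PC1 must resolve with ARP to reach dst_ip: the host itself when it is
    inside the local subnet, otherwise the default gateway."""
    return dst_ip if ipaddress.ip_address(dst_ip) in SUBNET else R1_IP


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str, eth_dst: str) -> bytes:
    """Serialize one Ethernet frame carrying an ARP packet (14 + 28 = 42 bytes)."""
    eth = struct.pack(ETH_FMT, mac_to_bytes(eth_dst), mac_to_bytes(sha), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_to_bytes(sha), ipaddress.ip_address(spa).packed,
                      mac_to_bytes(tha), ipaddress.ip_address(tpa).packed)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame, rejecting anything that is not IPv4-over-Ethernet ARP."""
    eth_len = struct.calcsize(ETH_FMT)
    dst, src, ethertype = struct.unpack(ETH_FMT, frame[:eth_len])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[eth_len:eth_len + struct.calcsize(ARP_FMT)])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {"oper": oper,
            "sha": bytes_to_mac(sha), "spa": str(ipaddress.ip_address(spa)),
            "tha": bytes_to_mac(tha), "tpa": str(ipaddress.ip_address(tpa)),
            "eth_dst": bytes_to_mac(dst), "eth_src": bytes_to_mac(src)}


def resolve(dst_ip: str):
    """Play both sides of the exchange: PC1 broadcasts 'who has <next hop>?',
    and R1 answers with a unicast reply only if that next hop is its own IP."""
    target = next_hop(dst_ip)
    request = parse_arp(build_arp(ARP_REQUEST, PC1_MAC, PC1_IP, ZERO_MAC, target, BROADCAST_MAC))
    reply = None
    if request["tpa"] == R1_IP:  # only the owner of the requested IP replies
        reply = parse_arp(build_arp(ARP_REPLY, R1_MAC, R1_IP,
                                    request["sha"], request["spa"], request["sha"]))
    return request, reply


if __name__ == "__main__":
    req, rep = resolve("8.8.8.8")
    print("request:", req)
    print("reply:  ", rep)
```

The request goes to the broadcast MAC with the target hardware address left at zeros; the reply is addressed directly to PC1's MAC. Note that nothing in the reply proves R1 really owns 192.168.1.1, which is the gap the next section exploits.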
3. ARP Vulnerabilities and Attacks
Why Is ARP Vulnerable?
While ARP is fundamental to network communication, it was never designed with security in mind: there is no authentication, any host can claim any IP-to-MAC binding, and most operating systems accept unsolicited replies and update their cache. That makes it an easy target for attackers who want to intercept or manipulate traffic.
One of the most common threats is the Man-in-the-Middle (MitM) attack using ARP spoofing (also called ARP poisoning).
Understanding Gratuitous ARP (GARP)
Before we explore how the attack works, let’s take a moment to understand Gratuitous ARP.
Unlike a normal ARP reply, a GARP message is sent without being requested. It is broadcast to the whole segment, and its sender and target IP fields both contain the sender’s own address.
It’s normally used by a device to announce its IP/MAC binding, for example when it comes online, changes IP, or takes over an address during a failover.
A GARP message might say:
“I am 192.168.1.1 and my MAC address is XX:XX:XX:XX:XX:XX”
This is useful in normal operations, but attackers can abuse this behavior to poison ARP tables across the network.
Step-by-Step: ARP Spoofing Attack
Step 1: The Attacker Sends a Fake GARP
The attacker broadcasts a GARP message falsely claiming:
“Update your ARP table! The MAC address for 192.168.1.1 is now mine.”

Step 2: Devices Update Their ARP Tables
Devices like PC1 receive the spoofed message and overwrite their ARP entries, believing the attacker is the real router.

Step 3: Traffic Is Redirected
Now, when PC1 tries to communicate with its gateway (192.168.1.1), it sends the traffic to the attacker.

Step 4: The Attacker Intercepts and Relays
To remain invisible, the attacker forwards the traffic to the real router (and, if they also poison the router’s ARP entry for PC1, the return traffic as well).
The user doesn’t notice anything, but the attacker now sees, and can modify, every packet PC1 exchanges with its gateway.

This technique is known as a Man-in-the-Middle attack and it’s extremely dangerous in networks without protection.
How to Stop It
To defend against this threat, networks use Dynamic ARP Inspection (DAI), a switch security feature that validates ARP messages and drops forged ones before they reach other hosts.
Let’s explore how DAI works in the next section.
4. How Dynamic ARP Inspection Works
What Does DAI Actually Do?
Dynamic ARP Inspection (DAI) is a Layer 2 security feature that helps prevent ARP spoofing attacks. It does this by intercepting ARP messages received on untrusted switch ports and checking the sender’s IP-to-MAC binding against a trusted source before forwarding them.
Let’s break down exactly how it works.
Trusted vs Untrusted Ports
DAI operates by classifying each switch port into one of two categories:
- Trusted ports
- Untrusted ports

By default, all ports are considered untrusted.
Trusted Ports
These are typically uplinks to other network infrastructure devices (routers, other switches, or the DHCP server).
Because those devices are under administrative control, ARP packets arriving on trusted interfaces are forwarded without inspection.
On switch SW1:
G0/1 (connected to the DHCP server)
G0/0 (connected to R1)
→ These are marked as trusted.
Untrusted Ports
These are ports connected to end-user devices (PCs, laptops, etc.).
Since malicious activity is more likely to originate from these endpoints, DAI inspects all ARP packets received here.
G0/2 and G0/3 (user ports)
→ These are untrusted.
Step-by-Step: How DAI Validates ARP Packets
Step 1: Classify the Port
When an ARP message arrives, the switch checks:
- If it’s from a trusted port → the packet is forwarded without inspection.
- If it’s from an untrusted port → the switch intercepts the ARP packet and inspects it before deciding whether to forward it.

Step 2: Check the DHCP Snooping Binding Table
DAI doesn’t blindly trust ARP messages; it relies on a reference table to determine what’s valid.
That table is called the DHCP Snooping Binding Table.
This table is built by the DHCP Snooping feature, which watches DHCP leases being handed out, and each entry records:
- IP address of the client
- MAC address of the client
- VLAN and switch port where the client is connected
- Lease time of the binding

It acts as a trusted list of legitimate IP-to-MAC bindings.
Step 3: Validate the ARP Packet
The switch compares the sender MAC and sender IP fields in the ARP body against the binding table:
- If a binding exists for that IP and MAC (on that VLAN and port) → the packet is allowed.
- If there is no match → the packet is dropped and the violation is logged.
Because the table is fed by DHCP, hosts with static IP addresses have no binding and their ARP packets would be dropped too; on Cisco switches such hosts are covered by a static ARP ACL (arp access-list) that DAI consults alongside the binding table.
Step 4: Drop Spoofed ARP Messages
If an attacker tries to send a forged ARP message, the switch detects the mismatch:
🚫 Result: The ARP packet is immediately dropped, preventing the attack.
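The four validation steps above and the spoofing scenario from the previous section, run together as an added example that is not part of the course material. It models switch SW1 with DAI and an unprotected PC1, then replays a constructed ARP trace with and without DAI. Port names follow the course topology; the MAC addresses, the attacker's IP and the binding table contents are assumptions, and the `arp_acl` set stands in for the static ARP ACL mentioned above.

```python
"""Added example: a minimal DAI model (SW1) and a naive host (PC1) run over a
constructed ARP trace. MACs, the attacker IP and the binding table are assumed values."""
from dataclasses import dataclass, field

R1_MAC = "aa:bb:cc:dd:ee:01"         # constructed
PC1_MAC = "00:11:22:33:44:55"        # constructed
ATTACKER_MAC = "de:ad:be:ef:00:01"   # constructed
GW_IP, PC1_IP, ATTACKER_IP = "192.168.1.1", "192.168.1.11", "192.168.1.13"


@dataclass(frozen=True)
class Arp:
    port: str   # ingress port on SW1
    oper: int   # 1 = request, 2 = reply (a GARP uses the sender's own IP as target)
    sha: str    # sender MAC from the ARP body: the field DAI validates
    spa: str    # sender IP from the ARP body: the field DAI validates


@dataclass
class DaiSwitch:
    trusted: set                                   # ports that are never inspected
    bindings: dict                                 # DHCP snooping table: (ip, mac) -> port
    arp_acl: set = field(default_factory=set)      # static (ip, mac) pairs for non-DHCP hosts
    dropped: list = field(default_factory=list)    # what DAI rejected (would be logged)

    def inspect(self, pkt: Arp) -> bool:
        """Return True if the switch forwards the ARP packet, False if DAI drops it."""
        if pkt.port in self.trusted:
            return True                             # step 1: trusted port, no inspection
        if (pkt.spa, pkt.sha) in self.arp_acl:
            return True                             # statically permitted host
        # steps 2-3: the sender IP/MAC pair must be bound *on the ingress port*
        if self.bindings.get((pkt.spa, pkt.sha)) == pkt.port:
            return True
        self.dropped.append(pkt)                    # step 4: spoofed or unknown binding
        return False


class NaiveHost:
    """An end host with no protection: any ARP it sees overwrites its cache."""
    def __init__(self):
        self.arp_cache = {}

    def learn(self, pkt: Arp) -> None:
        self.arp_cache[pkt.spa] = pkt.sha


# Constructed trace: normal resolution, then the attacker's forged GARP on G0/3.
TRACE = [
    Arp("G0/2", 1, PC1_MAC, PC1_IP),            # PC1: "who has 192.168.1.1?"
    Arp("G0/0", 2, R1_MAC, GW_IP),              # R1 replies over the trusted uplink
    Arp("G0/3", 2, ATTACKER_MAC, GW_IP),        # forged GARP: gateway IP, attacker MAC
    Arp("G0/3", 1, ATTACKER_MAC, ATTACKER_IP),  # attacker's own legitimate ARP
]


def run(dai_enabled: bool) -> dict:
    """Replay TRACE through SW1 and report what PC1 ends up believing about the gateway."""
    sw = DaiSwitch(
        trusted={"G0/0", "G0/1"},
        bindings={(PC1_IP, PC1_MAC): "G0/2", (ATTACKER_IP, ATTACKER_MAC): "G0/3"},
    )
    pc1 = NaiveHost()
    for pkt in TRACE:
        if dai_enabled and not sw.inspect(pkt):
            continue                                # dropped at the switch; PC1 never sees it
        if pkt.port != "G0/2":                      # PC1 does not learn from its own frames
            pc1.learn(pkt)
    return {"gateway_mac": pc1.arp_cache[GW_IP],
            "dropped": [(p.port, p.spa, p.sha) for p in sw.dropped]}


if __name__ == "__main__":
    print("without DAI:", run(False))
    print("with DAI:   ", run(True))
```

Without DAI, PC1's cache ends with the attacker's MAC for 192.168.1.1; with DAI the forged GARP is dropped at G0/3 and the attacker's legitimate ARP for its own address still passes. The port comparison matters: a valid IP/MAC pair arriving on a port other than the one it was learned on is also rejected.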
5. Conclusion
Dynamic ARP Inspection (DAI) is a critical Layer 2 security feature that protects your network against ARP spoofing and Man-in-the-Middle attacks.
It does so by:
- Inspecting ARP messages on untrusted ports
- Validating IP-to-MAC bindings using the DHCP Snooping Binding Table
- Blocking fake ARP packets before they reach your devices
If you’re serious about network security, enabling DAI on your access switches (together with DHCP Snooping, which builds the binding table it depends on) should be standard practice.
But theory is one thing…
Let’s see how to activate and verify Dynamic ARP Inspection on your switches, step by step!