LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is Dynamic ARP Inspection (DAI), and how does it prevent ARP poisoning?

A switch feature that validates ARP packets against a trusted DHCP-snooping database — forged ARPs are dropped before reaching victims.

DAI validates each ARP against the DHCP-snooping bindings table; forgeries are dropped, legit forwarded.

* DAI validates every ARP against the DHCP-snooping bindings table. *

The setup:

DAI requires a trusted bindings table that maps:

(switch port) → (MAC, IP, VLAN) — the legit owner

Built two ways:

  1. DHCP snooping — switch watches DHCP exchanges and records "this port got this IP"
  2. Static ARP entries — admin manually configures critical mappings (servers, gateways)

How DAI catches poisoning:

Every ARP packet on the network is inspected. If a frame says "I'm 192.168.1.1 at MAC X" but:

  • The DHCP database shows that IP belongs to a different port → drop
  • The MAC in the ARP packet doesn't match the source MAC of the Ethernet frame → drop
  • The port the ARP came from isn't authorized → drop

A concrete example:

The ZyXEL USG20 router has DAI built in — when you ARP-poison, the router detects it, drops the forged packets, and even sends ICMP Redirect messages telling the victim to ignore the spoof.

Web-GUI of ZyXEL with log entry: "ARP spoofing detected"

Where to enable DAI:

Vendor Command/Feature
Cisco IOS ip arp inspection vlan X
Juniper set protocols arp-inspection
HP/Aruba arp inspection vlan X
Many SOHO routers Often called "ARP attack defense" or "Anti-spoofing"

Why enterprises love DAI:

  • Transparent to clients — no agent needed
  • Catches the attack at the network edge
  • Combined with port security (limit MAC count per port) it locks the LAN down

Limits:

  • Doesn't protect against attacks where attacker controls a legit DHCP-assigned port
  • Doesn't help on networks without DHCP snooping (e.g., static IP networks)
  • WiFi has different mechanisms (WPA enterprise, client isolation)

Tip: Home routers usually don't have DAI. Public WiFi certainly doesn't. So if you're on coffee-shop WiFi, assume ARP poisoning is feasible — use a VPN.

Go deeper:

From Quiz: INTROL / Man in the Middle (MitM) | Updated: Jul 14, 2026