🌐 Networking Intermediate

What is Dynamic ARP Inspection (DAI)?

Why Interviewers Ask This

Candidates at the intermediate level are expected to not only know this concept but explain the trade-offs involved. Interviewers use this question to see if you can reason about design decisions, not just recall facts.

Answer

Dynamic ARP Inspection (DAI) is a switch security feature that validates ARP packets to prevent ARP spoofing/poisoning. In an ARP poisoning attack a host sends forged or gratuitous ARP replies that bind its own MAC address to another host's IP address, typically the default gateway's, so that neighbours on the segment send traffic for that IP to the attacker, who can read or modify it before relaying it on (a man-in-the-middle position).

DAI intercepts every ARP packet that arrives on an untrusted port in a DAI-enabled VLAN and checks the sender IP-to-MAC pair against the DHCP snooping binding table, which records the legitimate IP, MAC, VLAN and port of each DHCP-assigned address. A packet whose binding matches is forwarded; one that does not is dropped and logged. Ports facing other switches, routers or the DHCP server are configured as trusted and their ARP traffic is not inspected at all, so the trust boundary has to be drawn carefully: anything plugged into a trusted port bypasses DAI. Because DAI relies on the binding table, DHCP snooping is normally enabled first. Hosts with static addresses (servers, routers, the gateway itself) have no DHCP binding, so they must be permitted explicitly with an ARP ACL, which DAI consults before the binding table.

On Cisco IOS the configuration looks like this (MAC addresses are written in dotted-hex form, the ACL has to be applied to the VLAN with ip arp inspection filter, and trust is set per interface):

  ip dhcp snooping
  ip dhcp snooping vlan 10
  !
  arp access-list SERVER-ACL
   permit ip host 10.0.0.1 mac host 0011.2233.4455
  !
  ip arp inspection vlan 10
  ip arp inspection filter SERVER-ACL vlan 10
  ip arp inspection validate src-mac dst-mac ip
  !
  interface GigabitEthernet1/0/24
   description uplink
   ip dhcp snooping trust
   ip arp inspection trust

Trade-offs worth mentioning: untrusted ports are rate-limited (15 ARP packets per second by default on Cisco), and a port that exceeds the limit is err-disabled, which stops ARP floods but can also take a legitimate busy host offline if the limit is set too low. The optional validate command additionally checks that the Ethernet source MAC matches the ARP sender MAC and that the addresses are not bogus (broadcast, multicast, 0.0.0.0). A host with a hand-configured address that is not in an ARP ACL simply loses ARP, which is the intended failure mode but has to be planned for. DAI operates at Layer 2 on the access switch, and it stops ARP poisoning from untrusted ports in the VLANs where it is enabled; it does not protect against an attacker who reaches a trusted port or a VLAN where it is not configured.
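The decision logic above, as an added illustration in Python that is not code from the original page or from any switch vendor: it models the checks DAI performs on an inbound ARP packet (port trust state, per-port rate limiting, the Ethernet-source-MAC versus ARP-sender-MAC check, the ARP ACL, and finally the DHCP snooping binding table) and shows which of several constructed packets are forwarded, dropped or cause a port to be err-disabled. Port names, bindings, MAC addresses and packets are all constructed sample data, and the rate limiter is a simplified per-second counter.

```python
"""Simulated Dynamic ARP Inspection (DAI) decision logic.

Added example, not from the original page or any vendor: models the checks the
answer describes. Every port, binding and packet below is constructed data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    """The fields of an ARP frame that DAI looks at."""
    ingress_port: str
    vlan: int
    eth_src: str      # source MAC in the Ethernet header
    sender_mac: str   # sender hardware address in the ARP body
    sender_ip: str    # sender protocol address in the ARP body
    ts: int = 0       # arrival second, used only for rate limiting


class DaiSwitch:
    def __init__(self, inspected_vlans, trusted_ports, bindings, arp_acl=(),
                 validate_src_mac=True, rate_limit_pps=15):
        self.inspected_vlans = set(inspected_vlans)
        self.trusted_ports = set(trusted_ports)
        # Binding table keyed by (vlan, mac), which is how a switch looks it up
        self.bindings = {(b.vlan, b.mac.lower()): b for b in bindings}
        # ARP ACL: explicit (ip, mac) permits for statically addressed hosts
        self.arp_acl = {(ip, mac.lower()) for ip, mac in arp_acl}
        self.validate_src_mac = validate_src_mac
        self.rate_limit_pps = rate_limit_pps    # Cisco's untrusted-port default is 15
        self.err_disabled = set()
        self._seen = defaultdict(int)           # (port, second) -> ARP packets counted
        self.log = []

    def inspect(self, pkt):
        """Return ("forward", reason) or ("drop", reason) for one ARP packet."""
        if pkt.vlan not in self.inspected_vlans:
            return "forward", "DAI not enabled on this VLAN"
        if pkt.ingress_port in self.trusted_ports:
            # Trusted ports are never inspected: the trust boundary is the security boundary
            return "forward", "trusted port"
        if pkt.ingress_port in self.err_disabled:
            return self._drop(pkt, "port is err-disabled")
        key = (pkt.ingress_port, pkt.ts)
        self._seen[key] += 1
        if self._seen[key] > self.rate_limit_pps:
            self.err_disabled.add(pkt.ingress_port)
            return self._drop(pkt, "rate limit exceeded, port err-disabled")
        mac = pkt.sender_mac.lower()
        if self.validate_src_mac and pkt.eth_src.lower() != mac:
            return self._drop(pkt, "Ethernet source MAC differs from ARP sender MAC")
        # The ARP ACL is consulted before the binding table, so static hosts pass here
        if (pkt.sender_ip, mac) in self.arp_acl:
            return "forward", "ARP ACL permit"
        binding = self.bindings.get((pkt.vlan, mac))
        if binding is not None and binding.ip == pkt.sender_ip:
            return "forward", "matches DHCP snooping binding"
        return self._drop(pkt, "no binding for %s at %s" % (pkt.sender_ip, pkt.sender_mac))

    def _drop(self, pkt, reason):
        self.log.append("DAI drop port=%s vlan=%d sender=%s/%s reason=%s"
                        % (pkt.ingress_port, pkt.vlan, pkt.sender_ip, pkt.sender_mac, reason))
        return "drop", reason


def demo():
    """Run constructed packets through a DAI-enabled VLAN 10; return (switch, verdicts)."""
    bindings = [Binding("10.0.0.50", "aaaa.bbbb.0050", 10, "Gi1/0/5"),
                Binding("10.0.0.51", "aaaa.bbbb.0051", 10, "Gi1/0/6")]
    sw = DaiSwitch(inspected_vlans={10}, trusted_ports={"Gi1/0/24"}, bindings=bindings,
                   arp_acl=[("10.0.0.1", "0011.2233.4455")])   # gateway has a static address
    results = {
        # DHCP client announcing its own address: binding matches
        "legit": sw.inspect(ArpPacket("Gi1/0/5", 10, "aaaa.bbbb.0050", "aaaa.bbbb.0050", "10.0.0.50")),
        # host on Gi1/0/6 claims the gateway's IP with its own MAC: a poisoning attempt
        "spoof_gw": sw.inspect(ArpPacket("Gi1/0/6", 10, "aaaa.bbbb.0051", "aaaa.bbbb.0051", "10.0.0.1")),
        # the real gateway on an untrusted port, permitted by the ARP ACL
        "static_gw": sw.inspect(ArpPacket("Gi1/0/7", 10, "0011.2233.4455", "0011.2233.4455", "10.0.0.1")),
        # uplink is trusted, so even an unknown binding is forwarded uninspected
        "uplink": sw.inspect(ArpPacket("Gi1/0/24", 10, "dead.beef.0001", "dead.beef.0001", "10.0.0.99")),
        # frame header and ARP body disagree about the sender MAC
        "src_mac": sw.inspect(ArpPacket("Gi1/0/5", 10, "aaaa.bbbb.0051", "aaaa.bbbb.0050", "10.0.0.50")),
    }
    # 16 otherwise valid ARP packets in one second from one port exceeds the 15 pps default
    for _ in range(16):
        last = sw.inspect(ArpPacket("Gi1/0/5", 10, "aaaa.bbbb.0050", "aaaa.bbbb.0050", "10.0.0.50", ts=5))
    results["flood"] = last
    return sw, results


if __name__ == "__main__":
    switch, verdicts = demo()
    for name, (verdict, reason) in verdicts.items():
        print("%-10s %-8s %s" % (name, verdict, reason))
    print("\n".join(switch.log))
```

Running the script shows the two failure modes an interviewer usually probes: the spoofed gateway reply is dropped and logged while the real gateway, which has no DHCP binding, is only accepted because of the ARP ACL; and the 16th packet in a second from an otherwise legitimate host err-disables its port, which is why the rate limit has to be tuned rather than left at the default on ports with chatty hosts.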

Pro Tip

Before answering, structure your response: one-line definition → real-world analogy → concrete example from a project. This makes even complex Networking answers easy to follow.