Dynamic ARP Inspection (DAI) is a security feature that examines ARP requests and responses and validates them against a trusted MAC-IP binding table.

Study for the CompTIA SecurityX Test. Equip yourself with comprehensive flashcards and multiple choice questions that include hints and explanations. Gear up for your certification exam!

Multiple Choice

Dynamic ARP Inspection (DAI) is a security feature that examines ARP requests and responses and validates them against a trusted MAC-IP binding table.

Explanation:
Dynamic ARP Inspection protects against ARP spoofing by validating ARP messages against a known MAC-IP binding table. It scans ARP requests and replies on untrusted ports and checks that the sender’s IP address and MAC address match an entry in the trusted binding table, which is typically populated by DHCP snooping. If an ARP packet presents an IP-MAC pairing that isn’t in the table or doesn’t match, it’s dropped, preventing attackers from impersonating another device or performing a man-in-the-middle attack. This is why the description fits DAI so well—the feature’s purpose is to ensure ARP communications align with authenticated MAC-IP bindings. DHCP Snooping supports this by building the binding table, while ARP Broadcast and Switch Spoofing describe different concepts and don’t perform this validation.
