What is Dynamic ARP Inspection (DAI)?
Dynamic ARP Inspection (DAI) is a Layer 2 security feature on managed switches that detects and drops forged ARP messages. It prevents attackers from rerouting or intercepting traffic on the local segment via ARP spoofing (ARP poisoning).
In OT networks, DAI protects, for example, PLC traffic from interference by rogue devices or from an unauthorised laptop that tries to place itself between the PLC and its HMI.
🧠 What does DAI do?
- Verifies ARP packets against valid IP–MAC bindings
- Blocks spoofed ARP messages on untrusted ports
- Uses the DHCP Snooping binding table as the reference for valid IP/MAC pairs (plus a static whitelist for hosts that do not use DHCP)
- Prevents Man-in-the-Middle attacks based on ARP manipulation
🔧 How does it work?
| Step | Description |
|---|---|
| DHCP Snooping collects bindings | Learns IP ↔ MAC ↔ VLAN ↔ switch-port from observed DHCP leases |
| DAI is enabled on the VLAN | Access ports are untrusted by default: their ARP packets are inspected. Trusted ports (uplinks) are forwarded without inspection |
| ARP packet is verified | Sender IP/MAC is checked against the DHCP Snooping table or a static whitelist (ARP ACL) |
| Forged ARP packet? → dropped | The switch drops and logs the packet; alarm via SIEM or network monitoring |
🔐 Use in OT
| Scenario | Benefit of DAI |
|---|---|
| Laptop spoofs the IP of an HMI | The ARP forgery is blocked |
| Rogue device tries to hijack PLC traffic | Only valid traffic is allowed through |
| Operator plugs in their own switch | The port stays untrusted, so every host behind the switch is still inspected; ARP from unknown IP/MAC pairs is dropped |
✅ Best practices
- Always combine with DHCP Snooping
- Configure only uplinks as trusted
- Use logging and alarms via SIEM
- Use DAI + IP Source Guard + Port Security for full protection
- Be careful with static IPs (typical for PLCs and HMIs): they have no DHCP Snooping binding, so their ARP is dropped until you whitelist the IP/MAC pair manually (static binding or ARP ACL)
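The decision a switch makes per ARP packet, as described in the "How does it work?" table and the static-IP caveat above, modelled in Python. This is an added illustration written for this page, not vendor firmware or a specific switch's implementation; the port names, MACs, IPs and the optional sender-MAC check are constructed for the example. It builds raw Ethernet/ARP frames for an OT cell (HMI via DHCP, PLC with a static IP, a laptop on a spare port) and shows which ones DAI forwards, which it drops, and why the PLC needs a whitelist entry.

```python
"""Model of a Dynamic ARP Inspection (DAI) decision for one VLAN (added example, not vendor code)."""
import ipaddress
import struct
from dataclasses import dataclass, field

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(eth_src: str, sender_mac: str, sender_ip: str, target_ip: str,
              oper: int = ARP_REPLY) -> bytes:
    """Build a raw Ethernet + ARP frame (constructed sample input, broadcast destination)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)            # Ethernet / IPv4, 6+4 byte addrs
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += bytes(6) + ipaddress.IPv4Address(target_ip).packed       # target MAC unknown
    return eth + arp


def parse_arp(frame: bytes):
    """Return the fields DAI inspects, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]),
        "oper": oper,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


@dataclass
class DaiVlan:
    vlan: int
    trusted_ports: set = field(default_factory=set)   # uplinks only; everything else is untrusted
    bindings: dict = field(default_factory=dict)      # DHCP snooping table: ip -> (mac, port)
    static_acl: dict = field(default_factory=dict)    # whitelist for static hosts: ip -> mac
    validate_src_mac: bool = True                     # optional: ARP sender MAC must equal frame source MAC
    log: list = field(default_factory=list)           # drop events, what you would forward to a SIEM

    def learn_dhcp(self, ip: str, mac: str, port: str) -> None:
        """DHCP snooping observed a lease for this IP/MAC on this port."""
        self.bindings[ip] = (mac, port)

    def inspect(self, port: str, frame: bytes):
        """Return (forward, reason) for one frame arriving on `port`."""
        if port in self.trusted_ports:
            return True, "trusted port, not inspected"
        arp = parse_arp(frame)
        if arp is None:
            return True, "not ARP, outside DAI scope"
        if self.validate_src_mac and arp["sender_mac"] != arp["eth_src"]:
            return self._drop(port, arp, "ARP sender MAC differs from Ethernet source MAC")
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if self.static_acl.get(ip) == mac:
            return True, "static whitelist match"
        bound = self.bindings.get(ip)
        if bound is not None and bound[0] == mac:     # this model checks IP+MAC only, not the port
            return True, "DHCP snooping binding match"
        return self._drop(port, arp, "no valid IP-MAC binding")

    def _drop(self, port, arp, why):
        self.log.append(f"DAI-DROP vlan={self.vlan} port={port} "
                        f"sender={arp['sender_ip']}/{arp['sender_mac']} reason={why}")
        return False, why


def run_scenario():
    """Constructed OT cell: HMI via DHCP, PLC with a static IP, laptop on a spare port."""
    dai = DaiVlan(vlan=10, trusted_ports={"Gi1/0/24"})
    dai.learn_dhcp("10.10.1.20", "00:11:22:aa:aa:aa", "Gi1/0/1")   # HMI got a lease
    dai.learn_dhcp("10.10.1.50", "00:11:22:cc:cc:cc", "Gi1/0/3")   # laptop got a lease
    hmi, lap, plc = "00:11:22:aa:aa:aa", "00:11:22:cc:cc:cc", "00:11:22:bb:bb:bb"
    results = {}
    # HMI answers for its own IP: binding matches.
    results["hmi"] = dai.inspect("Gi1/0/1", build_arp(hmi, hmi, "10.10.1.20", "10.10.1.10"))[0]
    # Laptop claims the HMI's IP with its own MAC: classic ARP poisoning.
    results["laptop_spoof"] = dai.inspect("Gi1/0/3", build_arp(lap, lap, "10.10.1.20", "10.10.1.10"))[0]
    # Laptop forges the HMI's MAC inside ARP, but the frame still carries the laptop's MAC.
    results["laptop_forged_mac"] = dai.inspect("Gi1/0/3", build_arp(lap, hmi, "10.10.1.20", "10.10.1.10"))[0]
    # PLC with a static IP has no DHCP binding: dropped until whitelisted.
    plc_frame = build_arp(plc, plc, "10.10.1.10", "10.10.1.20")
    results["plc_before_whitelist"] = dai.inspect("Gi1/0/2", plc_frame)[0]
    dai.static_acl["10.10.1.10"] = plc
    results["plc_after_whitelist"] = dai.inspect("Gi1/0/2", plc_frame)[0]
    # Same frame arriving on the trusted uplink is never inspected.
    results["uplink"] = dai.inspect("Gi1/0/24", plc_frame)[0]
    return results, dai.log


if __name__ == "__main__":
    decisions, drops = run_scenario()
    for name, forwarded in decisions.items():
        print(f"{name:22s} {'FORWARD' if forwarded else 'DROP'}")
    print("\n".join(drops))
```

Two things worth noticing when you run it. First, the PLC's ARP is dropped until the static entry exists, which is exactly the outage you get when DAI is switched on in an OT VLAN full of static addresses; populate the whitelist before enabling inspection. Second, the laptop frame that copies the HMI's MAC into the ARP payload passes the IP/MAC binding check and is only caught by the sender-MAC validation; even then the switch's MAC table would learn the HMI's MAC on the laptop port, which is what Port Security is for, hence the "DAI + IP Source Guard + Port Security" recommendation.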
📌 In summary
DAI prevents ARP poisoning and protects OT communication against spoofing at Layer 2. It is essential for secure zones containing SCADA servers, PLCs, historians and operator stations, provided the static addresses used there are whitelisted before inspection is switched on.
