DAI (Dynamic ARP Inspection) is a security feature on switches that validates ARP packets against the DHCP snooping binding table and drops those whose IP-to-MAC mapping does not match. It is used to prevent both MITM attacks and ARP poisoning attacks on a LAN.
In the following diagram, we can see an attacker attempting to perform an MITM attack on a network between the PCs and the router:
To prevent such attacks, you can use the following configuration on a Cisco IOS switch:
- Enable DHCP snooping on the VLAN and configure the trusted ports: all the trunk ports and the interface that connects to the DHCP server on the network. The following configurations are made on a Cisco IOS switch ...
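The following is an added example of the configuration the step above describes, not a configuration taken from the original text; it also goes one step further and enables DAI itself on the same VLAN, since DAI relies on the binding table that DHCP snooping builds. The VLAN number (10), the trunk interface (GigabitEthernet0/1), the DHCP server interface (GigabitEthernet0/2), and the access port range are assumptions chosen for illustration.

```cisco
! Assumed topology: VLAN 10 is the user VLAN, Gi0/1 is the uplink trunk,
! Gi0/2 connects directly to the DHCP server, Gi0/3-24 are user access ports.

! --- Step 1: DHCP snooping builds the IP-to-MAC binding table DAI checks against ---
ip dhcp snooping
ip dhcp snooping vlan 10

! Trunk port: DHCP offers from the rest of the network arrive here, so trust it
interface GigabitEthernet0/1
 ip dhcp snooping trust
 ip arp inspection trust

! Port facing the DHCP server: trusted for the same reason
interface GigabitEthernet0/2
 ip dhcp snooping trust
 ip arp inspection trust

! User-facing access ports stay untrusted (the default), so DHCP server
! messages and ARP replies from PCs are validated rather than accepted blindly.
! A rate limit keeps a single host from flooding ARP to overwhelm the switch CPU.
interface range GigabitEthernet0/3 - 24
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15

! --- Step 2: turn on DAI for the VLAN and add optional extra checks ---
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

! --- Verification ---
! show ip dhcp snooping binding        -> hosts learned via DHCP (the table DAI trusts)
! show ip arp inspection vlan 10       -> DAI state and validation options for the VLAN
! show ip arp inspection statistics    -> forwarded vs. dropped ARP counters per VLAN
```

Two practical caveats: hosts with static IP addresses never appear in the DHCP snooping binding table, so their ARP traffic is dropped on untrusted ports unless you add an ARP access list (`arp access-list` plus `ip arp inspection filter`) for them; and a port set to trusted is excluded from inspection entirely, so trust should be limited to trunks and the DHCP server link, never to user-facing ports.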