{
	"id": "8dfea7bb-29d5-42c7-9278-af8d8646c285",
	"created_at": "2026-04-06T00:22:11.001989Z",
	"updated_at": "2026-04-10T03:20:57.690241Z",
	"deleted_at": null,
	"sha1_hash": "7dd1b94bb67ff2b6e1161b47b8e427da3c1c166d",
	"title": "Understanding and Using Dynamic ARP Inspection (DAI) | Junos OS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38945,
	"plain_text": "Understanding and Using Dynamic ARP Inspection (DAI) | Junos\r\nOS\r\nArchived: 2026-04-05 23:37:08 UTC\r\nARP packets are sent to the Routing Engine and are rate-limited to protect the switching device from CPU\r\noverload.\r\nAddress Resolution Protocol\r\nARP Spoofing\r\nDynamic ARP Inspection\r\nPrioritizing Inspected Packets\r\nAddress Resolution Protocol\r\nSending IP packets on a multi-access network requires mapping an IP address to an Ethernet MAC address.\r\nEthernet LANs use ARP to map MAC addresses to IP addresses.\r\nThe switching device maintains this mapping in a cache that it consults when forwarding packets to network\r\ndevices. If the ARP cache does not contain an entry for the destination device, the host (the DHCP client)\r\nbroadcasts an ARP request for that device's address and stores the response in the cache.\r\nARP Spoofing\r\nARP spoofing is one way to initiate man-in-the-middle attacks. The attacker sends an ARP packet that spoofs the\r\nMAC address of another device on the LAN. Instead of the switching device sending traffic to the proper network\r\ndevice, it sends the traffic to the device with the spoofed address that is impersonating the proper device. If the\r\nimpersonating device is the attacker's machine, the attacker receives all the traffic from the switch that should have\r\ngone to another device. The result is that traffic from the switching device is misdirected and cannot reach its\r\nproper destination.\r\nOne type of ARP spoofing is gratuitous ARP, which is when a network device sends an ARP request to resolve its\r\nown IP address. In normal LAN operation, gratuitous ARP messages indicate that two devices have the same\r\nMAC address. They are also broadcast when a network interface card (NIC) in a device is changed and the device\r\nis rebooted, so that other devices on the LAN update their ARP caches. 
In malicious situations, an attacker can\r\npoison the ARP cache of a network device by sending an ARP response to the device that directs all packets\r\ndestined for a certain IP address to go to a different MAC address instead.\r\nTo prevent MAC spoofing through gratuitous ARP and through other types of spoofing, the switches examine\r\nARP responses through DAI.\r\nDynamic ARP Inspection\r\nhttps://www.juniper.net/documentation/en_US/junos/topics/task/configuration/understanding-and-using-dai.html\r\nPage 1 of 2\n\nDAI examines ARP requests and responses on the LAN and validates ARP packets. The switch intercepts ARP\r\npackets from an access port and validates them against the DHCP snooping database. If no IP-MAC entry in the\r\ndatabase corresponds to the information in the ARP packet, DAI drops the ARP packet and the local ARP cache is\r\nnot updated with the information in that packet. DAI also drops ARP packets when the IP address in the packet is\r\ninvalid. ARP probe packets are not subjected to dynamic ARP inspection. The switch always forwards such\r\npackets.\r\nJunos OS for EX Series switches and the QFX Series uses DAI for ARP packets received on access ports because\r\nthese ports are untrusted by default. Trunk ports are trusted by default, and therefore ARP packets bypass DAI on\r\nthem.\r\nYou configure DAI for each VLAN, not for each interface (port). By default, DAI is disabled for all VLANs.\r\nIf you set an interface to be a DHCP trusted port, it is also trusted for ARP packets.\r\nNote:\r\nIf your switching device is an EX Series switch and uses Junos OS with support for the Enhanced Layer 2\r\nSoftware (ELS) configuration style, see Enabling a Trusted DHCP Server (ELS) for information about\r\nconfiguring an access interface to be a DHCP trusted port.\r\nFor packets directed to the switching device to which a network device is connected, ARP queries are broadcast on\r\nthe VLAN. 
The ARP responses to those queries are subjected to the DAI check.\r\nFor DAI, all ARP packets are trapped to the Packet Forwarding Engine. To prevent CPU overloading, ARP\r\npackets destined for the Routing Engine are rate-limited.\r\nIf the DHCP server goes down and the lease time for an IP-MAC entry for a previously valid ARP packet runs out,\r\nthat packet is blocked.\r\nPrioritizing Inspected Packets\r\nNote:\r\nPrioritizing inspected packets is not supported on the QFX Series and the EX4600 switch.\r\nYou can use class-of-service (CoS) forwarding classes and queues to prioritize DAI packets for a specified VLAN.\r\nThis type of configuration places inspected packets for that VLAN in the egress queue that you specify, ensuring\r\nthat the security procedure does not interfere with the transmission of high-priority traffic.\r\nSource: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/understanding-and-using-dai.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/understanding-and-using-dai.html"
	],
	"report_names": [
		"understanding-and-using-dai.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434931,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7dd1b94bb67ff2b6e1161b47b8e427da3c1c166d.pdf",
		"text": "https://archive.orkl.eu/7dd1b94bb67ff2b6e1161b47b8e427da3c1c166d.txt",
		"img": "https://archive.orkl.eu/7dd1b94bb67ff2b6e1161b47b8e427da3c1c166d.jpg"
	}
}