Which security feature on switches uses the DHCP snooping database to prevent man-in-the-middle attacks?

Dynamic ARP Inspection uses the DHCP snooping binding database to protect against ARP spoofing. The DHCP snooping feature builds a trusted table of IP-to-MAC bindings learned from legitimate DHCP transactions (per VLAN and port). DAI intercepts ARP packets on the network and checks each ARP reply or update against that binding table. If an ARP message claims an IP is associated with a different MAC than the one in the database, it is dropped. This prevents a malicious host from poisoning ARP caches and creating a man‑in‑the‑middle position, because the forged mapping will not match the trusted DHCP-derived bindings. DHCP Snooping itself is the database creator, and IP Source Guard also uses that database to enforce per-port IP/MAC bindings, but the direct mechanism that stops MITM via ARP tampering is Dynamic ARP Inspection.