ARP spoofing sends false ARP replies to poison victim caches — associating the attacker's MAC with a legitimate IP (gateway, server) to intercept traffic.
ARP operates at Layer 2 with no authentication. Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table. Static ARP entries for critical hosts prevent poisoning. Detection: 'arp -a' shows duplicate MACs for different IPs.