Refer to the exhibit. Dynamic ARP inspection (DAI) is enabled on switch SW_A only. Both
Host_A and Host_B acquire their IP addresses from the DHCP server connected to switch
SW_
A.
What would the outcome be if Host_B initiated an ARP spoof attack toward Host_A ?
The spoof packets will be inspected at the ingress port of switch SW_A and will be
permitted.
A.
What would the outcome be if Host_B initiated an ARP spoof attack toward Host_A ?
The spoof packets will be inspected at the ingress port of switch SW_A and will be
permitted.
B.
The spoof packets will not be inspected at the ingress port of switch SW_A and will be
permitted.
C.
The spoof packets will not be inspected at the ingress port of switch SW_A and will be
dropped.
D.
The spoof packets will be inspected at the ingress port of switch SW_A and will be
dropped.
Explanation:
When configuring DAI, follow these guidelines and restrictions:
• DAI is an ingress security feature; it does not perform any egress checking.
• DAI is not effective for hosts connected to routers that do not support DAI or that do not
have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2
broadcast domain, separate the domain with DAI checks from the one with no checking. This
action secures the ARP caches of hosts in the domain enabled for DAI.
• DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC
address bindings in incoming ARP requests and ARP responses. Make sure to enable
DHCP snooping to permit ARP packets that have dynamically assigned IP addresses.
• When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to
permit or to deny packets.
• DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN
ports.
In our example, since Company2 does not have DAI enabled (bullet point 2 above) packets
will not be inspected and they will be permitted.http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/dynarp.html