A server with a statically assigned IP address is attached to a switch that is provisioned for DHCP snooping. For more protection against malicious attacks, the
network team is considering enabling dynamic ARP inspection alongside DHCP snooping. Which solution ensures that the server maintains network reachability in
the future?
A.
Disable DHCP snooping information option.
B.
Configure a static DHCP snooping binding entry on the switch.
C.
Trust the interface that is connected to the server with the ip dhcp snooping trust command.
D.
Verify the source MAC address of all untrusted interfaces with ip dhcp snooping verify mac- address command.
Explanation:
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address
bindings. This capability protects the network from certain man-in-the-middle attacks. Dynamic ARP inspection ensures that only valid ARP requests and responses
are relayed. The switch performs these activities:
·Intercepts all ARP requests and responses on untrusted ports ·Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before
updating the local ARP cache or before forwarding the packet to the appropriate destination.
·Drops invalid ARP packets
Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping
binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a
trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid. To ensure network
reachability to the server, configure a static DHCP snooping binding entry on the switch.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12- 2_55_se/configuration/guide/scg3750/swdynarp.html