Which three statements are true about the dynamic ARP inspection (DAI) feature?

Which three statements are true about the dynamic ARP inspection (DAI) feature? (Choose three)

Which three statements are true about the dynamic ARP inspection (DAI) feature? (Choose three)

A.
DAI can be performed on ingress ports only.

B.
DAI can be performed on both ingress and egress ports.

C.
DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

D.
DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP caches of hosts in the domain.

E.
DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.

F.
DAI is supported on access and trunk ports only.

Explanation:

To prevent ARP spoofing or "poisoning," a switch must ensure that only valid ARP requests and responses are relayed. DAI prevents these attacks by intercepting and validating all ARP requests and responses. Each intercepted ARP reply is verified for valid MAC-address-to-IP-address bindings before it is forwarded to a PC to update the ARP cache. ARP replies coming from invalid devices are dropped. DAI determines the validity of an ARP packet based on a valid MAC-address-to-IP-address bindings database built by DHCP snooping. In addition, to handle hosts that use statically configured IP addresses, DAI can also validate ARP packets against user-configured ARP ACLs.
To ensure that only valid ARP requests and responses are relayed, DAI takes these actions:
* Forwards ARP packets received on a trusted interface without any checks
* Intercepts all ARP packets on untrusted ports
* Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache
* Drops, logs, or drops and logs ARP packets with invalid IP-to-MAC address bindings



Leave a Reply 0

Your email address will not be published. Required fields are marked *