Which three statements are true about DAI? (Choose three.)
A. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the DHCP Snooping database.
B. DAI forwards all ARP packets received on a trusted interface without any checks.
C. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the CAM table.
D. DAI forwards all ARP packets received on a trusted interface after verifying and inspecting the packet against the DAI table.
E. DAI intercepts all ARP packets on untrusted ports.
F. DAI is used to protect against a DHCP Snooping attack.
Explanation:
An attacker could send its own crafted ARP reply when it overhears an ARP request being broadcast. The reply could contain the attacker's own MAC address, causing the original requester to think that this MAC address is bound to the IP address in question. The requester would add the bogus ARP entry to its own ARP cache and then begin forwarding packets to the spoofed MAC address. This type of attack is known as ARP spoofing.
DAI (Dynamic ARP Inspection) works like DHCP snooping. All switch ports are classified as trusted or untrusted. The switch intercepts and inspects all ARP packets that arrive on an untrusted port; no inspection is done on trusted ports. When an ARP reply is received on an untrusted port, the switch checks the MAC and IP addresses reported in the reply packet against known and trusted values.
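The inspection decision described in the explanation can be modelled in a few lines. This is an added example, not part of the original page and not any vendor's implementation; the binding table, port names and the inspect and build_arp helpers are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Constructed DHCP snooping bindings (sender IP -> MAC); values are hypothetical.
BINDINGS = {"10.0.0.10": "aa:bb:cc:00:00:10", "10.0.0.20": "aa:bb:cc:00:00:20"}
TRUSTED_PORTS = {"Gi0/24"}          # assumed uplink port name
ARP_FMT = "!HHBBH6s4s6s4s"          # 28-byte Ethernet/IPv4 ARP payload

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(payload):
    """Return (opcode, sender MAC, sender IP) from a raw ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return oper, mac_str(sha), str(IPv4Address(spa))

def inspect(port, payload):
    """Model of the DAI decision: returns (action, reason)."""
    if port in TRUSTED_PORTS:
        return "forward", "trusted port, not inspected"
    try:
        oper, sender_mac, sender_ip = parse_arp(payload)
    except ValueError as exc:
        return "drop", str(exc)
    bound_mac = BINDINGS.get(sender_ip)
    if bound_mac is None:
        return "drop", "no DHCP snooping binding for sender IP"
    if bound_mac != sender_mac:
        return "drop", "sender MAC does not match binding"
    return "forward", "sender MAC/IP match binding"

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP payload for testing the check (never sent)."""
    to_raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       to_raw(sender_mac), IPv4Address(sender_ip).packed,
                       to_raw(target_mac), IPv4Address(target_ip).packed)

if __name__ == "__main__":
    # Constructed samples: a legitimate reply and one claiming 10.0.0.10
    # with a MAC that is not in the binding table.
    good = build_arp(2, "aa:bb:cc:00:00:10", "10.0.0.10", "aa:bb:cc:00:00:20", "10.0.0.20")
    bad = build_arp(2, "de:ad:be:ef:00:01", "10.0.0.10", "aa:bb:cc:00:00:20", "10.0.0.20")
    for port, pkt in (("Gi0/1", good), ("Gi0/3", bad), ("Gi0/24", bad)):
        print(port, inspect(port, pkt))
```

The last sample shows why trust must be assigned carefully: the same mismatched reply that is dropped on an untrusted port is forwarded unchecked on a trusted one.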