Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address to IP address bindings. This capability protects the network from certain “man-in-the-middle” attacks. DAI determines the validity of an ARP packet based on valid IP to MAC address bindings from the DHCP snooping binding database. DAI also supports static ARP ACLs for hosts with static IP addresses. DAI checks all ARP packets on untrusted interfaces, and only forwards the packets that have valid bindings. DAI can also rate-limit the ARP packets on untrusted interfaces to prevent DoS attacks. The other options are incorrect because:
B. In a typical network, DAI should be configured to make all ports as untrusted except for the ports connecting to trusted hosts or switches, which are trusted.
C. DAI does not associate a trust state with each switch, but with each interface on the switch.
D. DAI intercepts all ARP requests and responses on untrusted ports only, not on trusted ports. References :=
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit