Dynamic ARP Inspection is enabled only on switch SW_A.
Host_A and Host_B acquire their IP addresses from the DHCP server connected to
switch SW_A. What would the outcome be if Host_B initiated an ARP spoof attack toward
Host_A?
A.
The spoof packets are inspected at the ingress port of switch SW_A and are permitted.
B.
The spoof packets are inspected at the ingress port of switch SW_A and are dropped.
C.
The spoof packets are not inspected at the ingress port of switch SW_A and are
permitted.
D.
The spoof packets are not inspected at the ingress port of switch SW_A and are dropped.
Explanation:
When configuring DAI, follow these guidelines and restrictions:
+ DAI is an ingress security feature; it does not perform any egress checking.
+ DAI is not effective for hosts connected to routers that do not support DAI or that do not
have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2
broadcast domain, separate the domain with DAI checks from the one with no checking. This
action secures the ARP caches of hosts in the domain enabled for DAI.
+ DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC
address bindings in incoming ARP requests and ARP responses. Make sure to enable
DHCP snooping to permit ARP packets that have dynamically assigned IP addresses.
+ When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit
or to deny packets.
+ DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
In our example, since Company2 does not have DAI enabled (bullet point 2 above) packets
will not be inspected and they will be permitted.
Reference
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/dynarp.html