The DAI feature has been implemented in the ACME switched LAN. Which three statements are
true about the dynamic ARP inspection (DAI) feature? (Select three)

A.
DAI can be performed on ingress ports only.

B.
DAI can be performed on both ingress and egress ports.

C.
DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

D.
DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP
caches of hosts in the domain.

E.
DAI should be configured on all access switch ports as untrusted and on all switch ports
connected to other switches as trusted.

F.
DAI is supported on access and trunk ports only.

Explanation:
To prevent ARP spoofing or “poisoning,” a switch must ensure that only valid ARP requests and
responses are relayed. DAI prevents these attacks by intercepting and validating all ARP requests
and responses. Each intercepted ARP reply is verified for valid MAC-address-to-IP-address
bindings before it is forwarded to a PC to update the ARP cache. ARP replies coming from invalid
devices are dropped.
DAI determines the validity of an ARP packet based on a valid MAC-address-to-IP-address
bindings database built by DHCP snooping. In addition, to handle hosts that use statically
configured IP addresses, DAI can also validate ARP packets against user-configured ARP ACLs.
To ensure that only valid ARP requests and responses are relayed, DAI takes these actions: