The DAI feature has been implemented in the Company switched LAN. Which three
statements are true about the dynamic ARP inspection (DAI) feature? (Select three)

A.
DAI can be performed on ingress ports only.

B.
DAI can be performed on both ingress and egress ports.

C.
DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN
ports.

D.
DAI should be enabled on the root switch for particular VLANs only in order to secure the
ARP caches of hosts in the domain.

E.
DAI should be configured on all access switch ports as untrusted and on all switch ports
connected to other switches as trusted.

F.
DAI is supported on access and trunk ports only.

Explanation:
To prevent ARP spoofing or “poisoning, ” a switch must ensure that only valid ARP requests
and responses are relayed. DAI prevents these attacks by intercepting and validating all
ARP requests and responses. Each intercepted ARP reply is verified for valid MAC-addressto-IP-address bindings before it is forwarded to a PC to update the ARP cache. ARP replies
coming from invalid devices are dropped.
DAI determines the validity of an ARP packet based on a valid MAC-address-to-IP-address
bindings database built by DHCP snooping. In addition, to handle hosts that use statically
configured IP addresses, DAI can also validate ARP packets against user-configured ARP
ACLs.
To ensure that only valid ARP requests and responses are relayed, DAI takes these actions:
Forwards ARP packets received on a trusted interface without any checks
Intercepts all ARP packets on untrusted ports
Verifies that each intercepted packet has a valid IP-to-MAC address binding before
forwarding packets that can update the local ARP cache
Drops, logs, or drops and logs ARP packets with invalid IP-to-MAC address bindings