PrepAway - Latest Free Exam Questions & Answers

Which of the following should you enable to help protect a network from man-in-the-middle attacks?

A. STP

B. DAI

C. PVLAN

D. port security

Explanation:
Of the available choices, you should enable Dynamic ARP Inspection (DAI) to help protect a network from man-in-the-middle attacks. DAI enhances security by intercepting, logging, and discarding Address Resolution Protocol (ARP) packets that have invalid IP-to-Media Access Control (MAC) address bindings. DAI determines the validity of an ARP packet based on legitimate IP-to-MAC address bindings stored in the Dynamic Host Configuration Protocol (DHCP) snooping database. When DHCP snooping is configured, switch ports are categorized as trusted or untrusted. Valid DHCP servers and switches are identified as residing on trusted ports, and all other hosts are identified as residing on untrusted ports. As untrusted hosts receive leased IP addresses, the IP-to-MAC address bindings are stored in the DHCP snooping database. DAI uses this database to verify the IP and MAC addresses of an ARP reply that comes through an untrusted port. If the ARP reply contains invalid information that conflicts with the database, the ARP reply is dropped and a log message is created.
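The DAI decision described above, modelled as an added example (not Cisco code and not from the exam source): the binding table, the trusted-port set, the port names and the ARP packets are all constructed sample values, and the log line format is invented for illustration rather than copied from any switch.

```python
"""Minimal model of the Dynamic ARP Inspection (DAI) check described above."""
from dataclasses import dataclass

# DHCP snooping binding table: IP-to-MAC pairs learned from leases handed
# out to hosts on untrusted ports (constructed sample data).
DHCP_SNOOPING_BINDINGS = {
    "10.0.0.11": "00:11:22:33:44:11",
    "10.0.0.12": "00:11:22:33:44:12",
}

# Ports facing DHCP servers or other switches (constructed). ARP arriving
# on a trusted port is forwarded without inspection, as the text describes.
TRUSTED_PORTS = {"Gi0/24"}


@dataclass
class ArpPacket:
    ingress_port: str
    sender_ip: str    # IP the sender claims to own (ARP sender protocol address)
    sender_mac: str   # MAC the sender binds to that IP (ARP sender hardware address)


def dai_inspect(pkt: ArpPacket, log: list) -> bool:
    """Return True to forward the ARP packet, False to drop it.

    On an untrusted port the sender's IP-to-MAC binding must match the
    DHCP snooping database; a mismatch, or an IP with no binding at all,
    is dropped and a log entry is recorded. Trusted ports are not inspected.
    """
    if pkt.ingress_port in TRUSTED_PORTS:
        return True
    expected_mac = DHCP_SNOOPING_BINDINGS.get(pkt.sender_ip)
    if expected_mac is not None and expected_mac.lower() == pkt.sender_mac.lower():
        return True
    # Invented log format (not a real IOS syslog message).
    log.append(
        f"DAI drop on {pkt.ingress_port}: {pkt.sender_ip} claimed by "
        f"{pkt.sender_mac}, binding table has {expected_mac}"
    )
    return False


def run_sample() -> tuple:
    """Exercise the check with one valid reply and one that conflicts with the table."""
    log: list = []
    ok = dai_inspect(ArpPacket("Gi0/1", "10.0.0.11", "00:11:22:33:44:11"), log)
    # A reply on another port claiming 10.0.0.11 with a different MAC conflicts
    # with the stored binding and is dropped.
    spoof = dai_inspect(ArpPacket("Gi0/2", "10.0.0.11", "00:11:22:33:44:12"), log)
    return ok, spoof, log
```

Hosts with statically assigned addresses never appear in the snooping database, so in practice they need an ARP ACL or a trusted port; this model shows only the database-driven case the explanation describes.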

Spanning Tree Protocol (STP) was not designed to prevent malicious attacks against a network. STP is a Layer 2 protocol used to prevent loops in a switched network that is designed with redundant paths. There can be only one active path at any given time between any two endpoints on an Ethernet network. If multiple paths between the same two endpoints exist at the same time, switching loops can occur. STP activates and deactivates links to allow the network to reroute traffic around a failed link.

Port security controls access to a port based on MAC addresses, but it does not prevent man-in-the-middle attacks. A secured port is restricted to a user-defined group of MAC addresses. When you assign secure addresses to a secure port, the switch does not forward any packets with source addresses outside the defined group of addresses. If you define the address table of a secure port to contain only one address, the workstation or server attached to that port is guaranteed the full bandwidth of the port. As part of securing the port, you can also define the size of the address table for the port.

A private VLAN (PVLAN) consists of a single primary VLAN and one or more secondary VLANs. Secondary VLANs are configured as one of two types: isolated or community. A host on an isolated PVLAN can reach a device on a promiscuous port in the primary VLAN, but it cannot reach any other host on the PVLAN. A host on a community PVLAN can reach the primary VLAN and can also communicate with other hosts in the same community PVLAN. PVLANs are locally significant to a switch and are not propagated by VLAN Trunking Protocol (VTP), so each PVLAN must be configured manually on every switch that carries it. PVLANs can be used to segregate traffic but cannot be used to prevent man-in-the-middle attacks.

References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/dynarp.html#wp1082194
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_2_2_1/troubleshooting/configuration/guide/n1000v_trouble/n1000v_trouble_19dhcp.html
