PrepAway - Latest Free Exam Questions & Answers

Which of the following statements is not true regarding DAI?

A. It considers all ports as untrusted by default.

B. It does not perform packet validation on trusted interfaces.

C. It intercepts both ARP requests and responses.

D. It performs both ingress and egress packet validation.

E. It uses DHCP snooping to dynamically populate its IP-to-MAC address binding database.

Explanation:
Dynamic ARP Inspection (DAI) does not perform both ingress and egress packet validation. DAI enhances security by intercepting, logging, and discarding Address Resolution Protocol (ARP) packets that have invalid IP-to-Media Access Control (MAC) address bindings. DAI considers all interfaces as untrusted by default and determines the validity of an ARP packet received on an untrusted interface based on legitimate IP-to-MAC address bindings stored in the Dynamic Host Configuration Protocol (DHCP) snooping database and in ARP access control list (ACL) entries.

When DHCP snooping is configured, the IP-to-MAC address binding table is dynamically populated as DHCP servers on trusted ports respond to DHCP client requests. This information is then compared against ARP request and response messages that enter untrusted switch ports. If an ARP message contains invalid information that conflicts with the database, the ARP message is dropped and a log message is created.

DAI performs ARP packet validation only on untrusted interfaces. On trusted interfaces, ARP messages are not intercepted, validated, or logged.

References:

- Cisco, "Configuring Dynamic ARP Inspection" (Catalyst 6500, IOS 12.2SX Configuration Guide): https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dynarp.html#wp1038527
- CCNP and CCIE Security Core SCOR 350-701 Official Cert Guide, Chapter 6: Infrastructure Security: Layer 2 Security Toolkit
