Dynamic ARP Inspection on Cisco Switches: True Statements, Benefits, and Implementation

Dynamic ARP Inspection on Cisco Switches: What You Need to Know


Question

Which three statements about Dynamic ARP Inspection on Cisco Switches are true? (Choose three.)

Answers

Explanations


CDF.

Still Valid.

Dynamic ARP Inspection (DAI) is a security feature on Cisco switches that protects against ARP-based attacks, such as ARP spoofing, by verifying ARP packets against a trusted database of MAC-to-IP address bindings. The explanation of each statement follows:

A. Dynamic ARP inspection checks ARP packets on both trusted and untrusted ports.

This statement is true. Dynamic ARP inspection verifies ARP packets on both trusted and untrusted ports. On trusted ports, the ARP packets are allowed to pass through without inspection, while on untrusted ports, the packets are inspected.

B. Dynamic ARP inspection is only supported on access ports.

This statement is false. Dynamic ARP inspection is supported on both access and trunk ports.

C. Dynamic ARP inspection checks ARP packets against the trusted database.

This statement is true. Dynamic ARP inspection verifies the MAC-to-IP address binding in ARP packets against the trusted database. If the binding is not found in the database, the ARP packet is dropped.

D. The trusted database can be manually configured using the CLI.

This statement is true. The trusted database can be manually configured using the CLI on the switch. The administrator can add or remove entries from the database as needed.

E. Dynamic ARP inspection does not perform ingress security checking.

This statement is false. Dynamic ARP inspection performs ingress security checking by verifying ARP packets as they enter the switch. It drops any ARP packets that do not match the trusted database.

F. DHCP snooping is used to dynamically build the trusted database.

This statement is false. While DHCP snooping and Dynamic ARP inspection are related features, DHCP snooping is not used to build the trusted database for Dynamic ARP inspection. Instead, the administrator manually configures the trusted database using the CLI.

In summary, statements A, C, and D are true about Dynamic ARP Inspection on Cisco switches.