312-50V13 · Question #66
DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which security feature on switchers leverages the DHCP snooping database to help prevent man-in-the- middle attacks?
The correct answer is B. Dynamic ARP Inspection (DAI). Dynamic ARP Inspection (DAI) and DHCP Snooping Dynamic ARP Inspection (DAI) directly leverages the DHCP snooping binding database to validate ARP packets on a network. When a host sends an ARP request or reply, DAI checks the source IP-to-MAC address mapping against the trusted e
Question
Options
- ASpanning tree
- BDynamic ARP Inspection (DAI)
- CPort security
- DLayer 2 Attack Prevention Protocol (LAPP)
How the community answered
(40 responses)- A3% (1)
- B88% (35)
- C3% (1)
- D8% (3)
Explanation
Dynamic ARP Inspection (DAI) and DHCP Snooping
Dynamic ARP Inspection (DAI) directly leverages the DHCP snooping binding database to validate ARP packets on a network. When a host sends an ARP request or reply, DAI checks the source IP-to-MAC address mapping against the trusted entries stored in the DHCP snooping table - if the mapping doesn't match, the packet is dropped, effectively preventing ARP poisoning/man-in-the-middle attacks.
Why the distractors are wrong:
- Spanning Tree (A) is a loop-prevention protocol that manages redundant Layer 2 paths - it has no relationship to the DHCP snooping database or ARP inspection.
- Port Security (C) limits which MAC addresses can connect to a switch port, but it does not reference the DHCP snooping database or protect against ARP-based attacks.
- Layer 2 Attack Prevention Protocol / LAPP (D) is a fabricated term and does not exist as a real networking protocol - if you see it on an exam, it's always a distractor.
Memory Tip: Think of it as a "chain of trust" - DHCP Snooping builds the trusted database → DAI Authenticates IP-to-MAC mappings using it. Both features work together, so DHCP → DAI flows naturally in alphabetical order of deployment!
Topics
Community Discussion
No community discussion yet for this question.