312-50V13 Question #66: Real Exam Question with Answer & Explanation

Question

DHCP snooping is a great solution to prevent rogue DHCP servers on your network. Which security feature on switchers leverages the DHCP snooping database to help prevent man-in-the- middle attacks?

Options

• ASpanning tree
• BDynamic ARP Inspection (DAI)
• CPort security
• DLayer 2 Attack Prevention Protocol (LAPP)

Explanation

Dynamic ARP Inspection (DAI) and DHCP Snooping

Dynamic ARP Inspection (DAI) directly leverages the DHCP snooping binding database to validate ARP packets on a network. When a host sends an ARP request or reply, DAI checks the source IP-to-MAC address mapping against the trusted entries stored in the DHCP snooping table - if the mapping doesn't match, the packet is dropped, effectively preventing ARP poisoning/man-in-the-middle attacks.

Why the distractors are wrong:

• Spanning Tree (A) is a loop-prevention protocol that manages redundant Layer 2 paths - it has no relationship to the DHCP snooping database or ARP inspection.
• Port Security (C) limits which MAC addresses can connect to a switch port, but it does not reference the DHCP snooping database or protect against ARP-based attacks.
• Layer 2 Attack Prevention Protocol / LAPP (D) is a fabricated term and does not exist as a real networking protocol - if you see it on an exam, it's always a distractor.

Memory Tip: Think of it as a "chain of trust" - DHCP Snooping builds the trusted database → DAI Authenticates IP-to-MAC mappings using it. Both features work together, so DHCP → DAI flows naturally in alphabetical order of deployment!

No community discussion yet for this question.