During a red-team assessment you successfully poisoned the ARP caches of multiple VLAN hosts and captured their clear-text credentials. The network team wants a built-in switch control that will validate every ARP packet against the DHCP-snooping binding table and automatically drop forged replies, without requiring any software changes on endpoints. Which switch feature should they enable as a countermeasure?
Dynamic ARP Inspection (DAI) is designed specifically to stop ARP poisoning and the sniffing attacks that rely on it. When DHCP snooping is enabled, the switch already maintains a trusted database of legitimate IP-to-MAC bindings that came from the DHCP server. DAI compares each inbound ARP request and reply against this database; frames that do not match are discarded, preventing attackers from inserting bogus MAC addresses into a victim's ARP cache and diverting traffic for sniffing.
IP Source Guard also references the DHCP-snooping table, but it controls which IP addresses are allowed to send traffic on a port; it does not inspect or block spoofed ARP replies. BPDU Guard protects against spanning-tree attacks, and port security with sticky MAC limits the number of MAC addresses on a port but does not verify the legitimacy of ARP messages. Therefore, only Dynamic ARP Inspection meets the stated requirement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the purpose of Dynamic ARP Inspection (DAI)?
Open an interactive chat with Bash
How does DHCP Snooping support Dynamic ARP Inspection (DAI)?
Open an interactive chat with Bash
What are common attacks prevented by Dynamic ARP Inspection?
Open an interactive chat with Bash
What is Dynamic ARP Inspection (DAI)?
Open an interactive chat with Bash
How does DHCP Snooping support Dynamic ARP Inspection?
Open an interactive chat with Bash
Why does Dynamic ARP Inspection (DAI) work better than IP Source Guard for preventing ARP spoofing?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Network and Perimeter Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .