Question 97

Which of the following describes the function of Dynamic ARP Inspection (DAI) in network security?

CCNA Question 97 - Answer and Explanation

Correct Answer: B

Detailed Explanation

Understanding ARP Spoofing (ARP Poisoning)

ARP spoofing (or ARP poisoning) is an attack that abuses the Address Resolution Protocol (ARP) to corrupt the IP-to-MAC address mappings held by hosts on a local network. Attackers use it for:

Man-in-the-Middle Attacks: redirect traffic intended for a legitimate host (very often the default gateway) through the attacker's machine, so the attacker can eavesdrop on, intercept, or modify data.

Denial of Service (DoS): bind a victim's IP address to a wrong or non-existent MAC address so that other hosts can no longer reach it.

Session Hijacking: intercept traffic and impersonate a legitimate host in order to take over an active session.

How ARP Spoofing Works

ARP resolves IP addresses to MAC addresses on a local network. A host broadcasts an ARP request asking who holds a given IP address, and the owner answers with an ARP reply. Nothing in ARP authenticates that reply: any host can answer, and most operating systems update their ARP cache from whatever replies they receive, in many cases even from unsolicited (gratuitous) ARP messages they never asked for. That missing validation is the weakness. An attacker sends forged ARP replies (or gratuitous ARPs) that map the victim's IP address to the attacker's MAC address, poisoning the ARP caches of the other hosts on the segment, including any Layer 3 device on it such as the default gateway.

Dynamic ARP Inspection (DAI) to the Rescue

DAI is a Layer 2 security feature on switches that mitigates ARP spoofing as follows.

Validating ARP Packets: DAI intercepts every ARP packet (requests and replies alike) arriving on an untrusted port before it is forwarded.

DHCP Snooping Binding Database Reliance: DAI checks those packets against the DHCP snooping binding database, which records the IP address, MAC address, VLAN, and port of every host that obtained a lease through a legitimate DHCP server. DHCP snooping must therefore be enabled on the VLAN, and the DHCP server must sit behind a trusted port, for the database to be populated. Hosts with static addresses never appear in the database, so for them DAI is supplemented with ARP ACLs that list the permitted IP-to-MAC pairs.

ARP Validation Against Binding Database: DAI compares the sender IP address and sender MAC address inside each intercepted ARP packet with the entries in the binding database (and any configured ARP ACL).

Valid ARP Packets: if the sender IP and MAC pair matches a binding, or the packet arrived on a trusted port, DAI forwards the packet. These are treated as legitimate ARP packets.

Invalid ARP Packets: if the packet arrived on an untrusted port and its sender IP and MAC pair does not match any binding, DAI treats it as a spoofed ARP packet, drops it, and logs the event. The forged mapping never reaches the other hosts, so the poisoning attempt fails.

Trusted and Untrusted Ports in DAI

As with DHCP snooping, DAI distinguishes trusted and untrusted ports.

Trusted Ports: uplinks to other switches and ports facing trusted infrastructure (the DHCP server, for example). ARP packets received on trusted ports bypass DAI inspection entirely, so a port should be trusted only when everything behind it is under your control.

Untrusted Ports: access ports connected to end-user devices. Every ARP packet received on an untrusted port is inspected and validated, and the ARP rate on these ports is limited (15 packets per second by default on Cisco switches); a port that exceeds the limit is placed in the err-disabled state.

Optionally, DAI can also be configured to verify that the source MAC in the Ethernet header matches the sender MAC inside the ARP body, that the destination MAC of a reply matches its target MAC, and that the IP addresses in the ARP body are not invalid ones such as 0.0.0.0 or 255.255.255.255.

Why Option B is Correct

Option B correctly describes DAI's function: mitigating ARP spoofing by validating ARP packets against the DHCP snooping binding database. That is the core purpose and security benefit of DAI.

Why the Other Options are Incorrect

A. To prevent MAC address spoofing attacks by validating the source MAC address in Ethernet frames. DAI does compare MAC addresses, but only within ARP packets and only to stop ARP spoofing; it does not validate the source MAC of every Ethernet frame. General MAC spoofing is addressed by other features such as port security or 802.1X authentication, not by DAI.

C. To filter traffic based on source and destination IP addresses, ports, and protocols, acting as a Layer 3 firewall. That describes an Access Control List (ACL) or a firewall. DAI operates at Layer 2 and inspects ARP packets only; it does not filter general traffic on Layer 3 or Layer 4 header fields.

D. To prevent DHCP starvation attacks by limiting the rate of DHCP Discover messages from untrusted ports. That describes DHCP snooping rate limiting, not DAI. DAI and DHCP snooping are usually deployed together, since DAI depends on the snooping database, but they are distinct features. DHCP snooping rate limiting defends against DHCP starvation, in which an attacker floods the server with requests from forged MAC addresses to exhaust the address pool; DAI defends against ARP spoofing.

In Conclusion

DAI is a Layer 2 security feature that specifically protects against ARP spoofing. It validates ARP packets received on untrusted ports against the DHCP snooping binding database (and ARP ACLs for statically addressed hosts) so that only legitimate IP-to-MAC mappings propagate across the network. Understanding DAI and its reliance on DHCP snooping is essential CCNA-level knowledge for building secure Layer 2 networks. This question tests your understanding of the specific threat DAI addresses and how it works together with DHCP snooping.
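The decision DAI makes on each ARP packet, written out as a small Python model (an added example for this page, not code from the page, from Cisco, or from any switch). The VLAN, port names, MAC and IP addresses, binding entries and packets below are all constructed, and the model simplifies one detail: it consults an ARP ACL entry before the DHCP snooping binding for the same IP and ignores the port recorded in the binding. On Cisco IOS the corresponding configuration would be ip dhcp snooping, ip arp inspection vlan 10, ip arp inspection trust on the uplink, ip arp inspection validate src-mac dst-mac ip for the optional header checks, and arp access-list plus ip arp inspection filter for the static hosts.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    """One ARP packet as the switch sees it: Ethernet header plus ARP body."""
    ingress_port: str
    vlan: int
    eth_src: str      # source MAC in the Ethernet header
    eth_dst: str      # destination MAC in the Ethernet header
    op: str           # "request" or "reply"
    sender_mac: str   # sender hardware address inside the ARP body
    sender_ip: str    # sender protocol address inside the ARP body
    target_mac: str
    target_ip: str


@dataclass
class DaiSwitch:
    """DAI state for one switch (constructed model). trusted_ports bypass inspection;
    bindings mirror the DHCP snooping table as (vlan, ip) -> mac; arp_acl holds the
    static hosts that never appear in that table. The validate_* flags model the
    optional 'ip arp inspection validate src-mac dst-mac' checks."""
    trusted_ports: set
    bindings: dict
    arp_acl: dict
    validate_src_mac: bool = True
    validate_dst_mac: bool = True
    log: list = field(default_factory=list)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop' for pkt, logging every drop."""
        if pkt.ingress_port in self.trusted_ports:
            return "forward"          # ARP from trusted ports is not inspected at all
        reason = self._deny_reason(pkt)
        if reason is None:
            return "forward"
        self.log.append(f"DAI deny on {pkt.ingress_port} vlan {pkt.vlan}: {pkt.op} "
                        f"{pkt.sender_mac}/{pkt.sender_ip} -> {pkt.target_ip} ({reason})")
        return "drop"

    def _deny_reason(self, pkt: ArpPacket):
        # Optional header/body consistency checks run before the binding lookup.
        if self.validate_src_mac and pkt.eth_src != pkt.sender_mac:
            return "Ethernet source MAC differs from ARP sender MAC"
        if self.validate_dst_mac and pkt.op == "reply" and pkt.eth_dst != pkt.target_mac:
            return "Ethernet destination MAC differs from ARP target MAC"
        # Core DAI check: the sender IP/MAC pair must match a binding for this VLAN.
        # Assumption of this model: an ARP ACL entry wins over a DHCP snooping binding.
        key = (pkt.vlan, pkt.sender_ip)
        expected_mac = self.arp_acl.get(key, self.bindings.get(key))
        if expected_mac is None:
            return "no binding for sender IP"
        if expected_mac != pkt.sender_mac:
            return f"sender IP is bound to {expected_mac}"
        return None


# Constructed topology: VLAN 10, uplink Gi1/0/24 trusted, access ports untrusted.
GATEWAY = "00:00:5e:00:01:01"   # default gateway, reached through the trusted uplink
VICTIM = "aa:aa:aa:aa:aa:20"    # DHCP client on Gi1/0/2 holding 10.0.10.20
ATTACKER = "aa:aa:aa:aa:aa:30"  # DHCP client on Gi1/0/3 holding 10.0.10.30
SERVER = "aa:aa:aa:aa:aa:50"    # statically addressed host on Gi1/0/5, 10.0.10.50
BCAST = "ff:ff:ff:ff:ff:ff"


def build_switch(**overrides) -> DaiSwitch:
    return DaiSwitch(
        trusted_ports={"Gi1/0/24"},
        bindings={(10, "10.0.10.20"): VICTIM, (10, "10.0.10.30"): ATTACKER},
        arp_acl={(10, "10.0.10.50"): SERVER},
        **overrides,
    )


def run_demo(switch=None) -> dict:
    """Push constructed ARP packets through the switch and return name -> verdict."""
    sw = switch or build_switch()
    cases = {
        "victim answers the gateway": ArpPacket(
            "Gi1/0/2", 10, VICTIM, GATEWAY, "reply", VICTIM, "10.0.10.20", GATEWAY, "10.0.10.1"),
        "attacker gratuitous reply claiming the victim's IP": ArpPacket(
            "Gi1/0/3", 10, ATTACKER, BCAST, "reply", ATTACKER, "10.0.10.20", BCAST, "10.0.10.20"),
        "attacker gratuitous reply claiming the gateway's IP": ArpPacket(
            "Gi1/0/3", 10, ATTACKER, BCAST, "reply", ATTACKER, "10.0.10.1", BCAST, "10.0.10.1"),
        "gateway reply arriving on the trusted uplink": ArpPacket(
            "Gi1/0/24", 10, GATEWAY, VICTIM, "reply", GATEWAY, "10.0.10.1", VICTIM, "10.0.10.20"),
        "static server permitted by the ARP ACL": ArpPacket(
            "Gi1/0/5", 10, SERVER, GATEWAY, "reply", SERVER, "10.0.10.50", GATEWAY, "10.0.10.1"),
        # Binding check alone passes this one: the ARP body carries the victim's real pair.
        "attacker forges only the ARP sender MAC": ArpPacket(
            "Gi1/0/3", 10, ATTACKER, GATEWAY, "reply", VICTIM, "10.0.10.20", GATEWAY, "10.0.10.1"),
    }
    return {name: sw.inspect(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    sw = build_switch()
    for name, verdict in run_demo(sw).items():
        print(f"{verdict:8} {name}")
    print("\n".join(sw.log))
```

The last case is the reason the optional src-mac validation exists: a packet whose ARP body repeats the victim's genuine IP and MAC pair satisfies the binding check, and only the mismatch against the Ethernet source MAC exposes it. An attacker who also forges the Ethernet source MAC defeats that check too, which is why DAI is paired with port security or 802.1X rather than relied on alone.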

This CCNA practice question helps students prepare for Cisco networking certification exams by testing knowledge of network fundamentals, routing, switching, and network security concepts.
