Cisco Certified Internetwork Expert (CCIE) Practice Test

Get ready for the CCIE exam with our powerful quiz. Study with interactive questions and detailed explanations to excel in your certification journey. Boost your confidence and expertise in networking!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


Which three statements about Dynamic ARP inspection on Cisco switches are true? (Choose three)

  1. The trusted database can be manually configured using the CLI

  2. Dynamic ARP inspection is supported only on access ports

  3. Dynamic ARP inspection does not perform ingress security checking

  4. DHCP snooping is used to dynamically build the trusted database

The correct answer is: The trusted database can be manually configured using the CLI

Dynamic ARP Inspection (DAI) is a security feature that protects against ARP spoofing attacks by ensuring that only valid ARP requests and responses are relayed. It operates by checking ARP packets against a trusted database.

The first statement is accurate because the trusted database can indeed be manually configured using the Command-Line Interface (CLI). This allows administrators to specify which ports or MAC addresses are considered trustworthy, thereby providing a layer of control over which ARP packets will be permitted on the network.

The second statement is misleading: Dynamic ARP Inspection is supported not just on access ports; it can also be configured on trunk ports that connect to trusted devices. This allows for broader implementation of DAI in various network topologies.

The third statement is also not correct because Dynamic ARP Inspection does perform ingress security checking; it examines incoming ARP packets against the information gathered from DHCP snooping or manually configured static entries to determine their validity before allowing them onto the network.

The fourth statement highlights a key aspect of DAI. It does utilize DHCP snooping to build the trusted database dynamically. As devices obtain their IP addresses via DHCP, their MAC addresses are tracked, which helps in populating the trusted database that DAI uses to validate ARP