
Dynamic ARP Inspection DAI

February 11th, 2012 in SWITCH 642-813

Here you will find answers to Dynamic ARP Inspection (DAI) Questions

Question 1

Which three statements are true about the dynamic ARP inspection (DAI) feature? (Choose three)

A. DAI can be performed on ingress ports only.
B. DAI can be performed on both ingress and egress ports.
C. DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
D. DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP caches of hosts in the domain.
E. DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
F. DAI is supported on access and trunk ports only.


Answer: A C E

Explanation

DAI is an ingress security feature and does not perform any egress checking -> A is correct.

DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports -> C is correct.

We should configure access switch ports as untrusted because in most cases an attacker will use these ports. By default, all interfaces are untrusted. We only need to configure all switch ports connected to other switches as trusted -> E is correct.

(Reference: http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_2/security/configuration/guide/n1000v_security_13arpinspect.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdynarp.html)

Question 2

What does the global configuration command "ip arp inspection vlan 10-12,15" accomplish?

A. Discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
B. Validates outgoing ARP requests for interfaces configured on VLAN 10,11,12, or 15
C. Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
D. Intercepts all ARP requests and responses on trusted ports


Answer: C

Explanation

The function of DAI is:

+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets

On untrusted ports, the switch captures all ARP packets (both request and reply) and validates the ARP sender protocol address (IP) and sender hardware address (MAC) against the DHCP snooping binding table entry for that port.
If the MAC address, IP address and corresponding port do not match the snooping database entry, the ARP packet is dropped. DAI thus prevents a node from advertising an illegitimate IP-to-MAC binding that differs from what the DHCP server assigned.

Question 3

Refer to the exhibit. Dynamic ARP inspection (DAI) is enabled on switch SW_A only. Both Host_A and Host_B acquire their IP addresses from the DHCP server connected to switch SW_A. What would the outcome be if Host_B initiated an ARP spoof attack toward Host_A?

[Exhibit: Dynamic_ARP_Inspection_DHCP.jpg]

A. The spoof packets will be inspected at the ingress port of switch SW_A and will be permitted.
B. The spoof packets will not be inspected at the ingress port of switch SW_A and will be permitted.
C. The spoof packets will not be inspected at the ingress port of switch SW_A and will be dropped.
D. The spoof packets will be inspected at the ingress port of switch SW_A and will be dropped.


Answer: B

Explanation

Port Fa0/23 of SW_A is configured as a trusted port, and DAI is not enabled on SW_B at all, so if Host_B sends spoofed ARP packets, neither SW_B nor SW_A inspects them; both simply forward them.

Question 4

Which three statements are true about DAI? (Choose three)

A. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the DHCP Snooping database.
B. DAI forwards all ARP packets received on a trusted interface without any checks.
C. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the CAM table.
D. DAI forwards all ARP packets received on a trusted interface after verifying and inspecting the packet against the DAI table.
E. DAI intercepts all ARP packets on untrusted ports
F. DAI is used to prevent against a DHCP Snooping attack.


Answer: A B E

Explanation

Same as Question 2
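The behaviour described in the explanations of Questions 2, 3 and 4 (check sender IP/MAC/VLAN/port against the DHCP snooping table on untrusted ports, skip the check entirely on trusted ports, log and drop mismatches), as an added toy model that is not part of the original page and not Cisco's implementation. The hostnames, addresses and port names are constructed after the Question 3 exhibit.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:               # one DHCP snooping binding-table entry
    ip: str
    mac: str
    vlan: int
    port: str

@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_ip: str           # ARP sender protocol address
    sender_mac: str          # ARP sender hardware address

class DaiSwitch:
    """Models 'ip arp inspection vlan ...' plus per-port trust state."""
    def __init__(self, inspected_vlans, trusted_ports, bindings):
        self.inspected_vlans = set(inspected_vlans)
        self.trusted_ports = set(trusted_ports)
        self.bindings = set(bindings)
        self.log = []        # dropped packets, as DAI would log them

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one ARP packet."""
        if pkt.vlan not in self.inspected_vlans:
            return "forward"              # DAI not enabled on this VLAN
        if pkt.ingress_port in self.trusted_ports:
            return "forward"              # trusted port: no check at all
        claimed = Binding(pkt.sender_ip, pkt.sender_mac, pkt.vlan, pkt.ingress_port)
        if claimed in self.bindings:
            return "forward"              # IP, MAC, VLAN and port all match
        self.log.append(f"DAI drop vlan {pkt.vlan} {pkt.ingress_port} "
                        f"{pkt.sender_mac} {pkt.sender_ip}")
        return "drop"

# Constructed topology: SW_A inspects VLAN 10, its uplink Fa0/23 towards
# SW_B is trusted, and the snooping table holds the two DHCP leases.
HOST_A = Binding("10.0.10.11", "00aa.0000.0001", 10, "Fa0/1")
HOST_B = Binding("10.0.10.12", "00aa.0000.0002", 10, "Fa0/23")
SW_A = DaiSwitch([10], ["Fa0/23"], [HOST_A, HOST_B])

def legit_from_host_a():
    return SW_A.inspect(ArpPacket("Fa0/1", 10, HOST_A.ip, HOST_A.mac))

def spoof_via_trusted_uplink():
    # Host_B claims Host_A's IP; arriving on the trusted uplink it is not checked (Q3: B)
    return SW_A.inspect(ArpPacket("Fa0/23", 10, HOST_A.ip, HOST_B.mac))

def spoof_on_untrusted_access_port():
    # The same forged binding on an untrusted access port is logged and dropped
    return SW_A.inspect(ArpPacket("Fa0/2", 10, HOST_A.ip, HOST_B.mac))
```

The trusted-uplink case is exactly why Question 3's answer is B: trust on Fa0/23 only makes sense when the neighbouring switch runs DAI on its own access ports.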

Comments
  1. Gani
    June 26th, 2012

    @certprepare: Thank you for clear explanations!!!

  2. Ivan
    July 13th, 2012

Thanks a lot!!!

  3. VIC
    July 19th, 2012

    thnx bro

  4. HungN
    July 20th, 2012

    Hi Guys,

Seeing the answer right in front of your eyes before making a selection is annoying. So I grabbed all of the questions on this site and put them into a VCE file to make my life easier. Be sure to check back on the CertPrepare site regularly for updates.

    Here is the file: http://www.4shared.com/file/C5hmKPbb/CCNP_642-813_CertPrepare-by_Hu.html

    Best of luck !!!

  5. Techgirl
    August 1st, 2012

    Q1 answer E
    “…and on all switch ports connected to other switches as trusted”
    Why would you configure on switchports connected to other switches as trusted when we know that DAI is not done on trusted interfaces, traffic is simply forwarded?

    Per the cisco documentation that you posted links for:
    “The switch does not check ARP packets that it receives from the other switch on the trusted interface. It simply forwards the packets. ”
    Please help on this.

  6. Arch
    August 4th, 2012

    Nice!

  7. Trescool
    August 8th, 2012

    @Techgirl

Hi, when referring to DAI, if you check all access ports, you can trust the uplink ports! It's not useful to increase the processing on this kind of port if you examine all the access ones!

  8. Prestley
    October 9th, 2012

    wanting to write on the 25 October.

  9. Darya
    November 25th, 2012

Yes, I agree the complete syntax is as you say, but if you execute show mac-address on a Cisco Catalyst, this is what happens:

    B1-S1#show mac-address
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
       1    0060.5cb0.9801    DYNAMIC     Fa0/5
    B1-S1#

    For the ARP answer to be right, the MAC should be in the management VLAN of the switch, and the switch should have an enabled IP address. If these two conditions aren't accomplished, the exhibit would be this one:

    B1-S1#show mac-address
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
       1    0060.5cb0.9801    DYNAMIC     Fa0/5
    B1-S1#

    Regards.

  10. Dr Virus
    February 1st, 2013

    great summary for DAI,
    thanks so much

  11. Khan
    February 3rd, 2013

    can anyone please suggest a good simulation software for free? i would be grateful …

  12. TechMom
    April 12th, 2013

    Q3 in test today.

  13. hi every one
    April 13th, 2013

    @khan get a packet tracer from 4shared.com website …
