Dynamic ARP Inspection DAI

November 16th, 2019

Question 1

Explanation

Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks.

Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs these activities:
+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before it updates the local ARP cache or before it forwards the packet to the appropriate destination
+ Drops invalid ARP packets

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html
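
The three activities listed above (intercept on untrusted ports, verify the IP-to-MAC binding, drop invalid packets) can be followed step by step in the Python model below. It is an added example, not Cisco's implementation and not code from the original page. The binding table, port names and addresses are constructed, and the Ethernet-source check models the optional `ip arp inspection validate src-mac` setting.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample data: on a real switch the bindings come from the
# DHCP snooping database or a static ARP ACL. (vlan, ip) -> mac
BINDINGS = {(10, "10.0.10.5"): "aa:bb:cc:00:00:05"}
TRUSTED_PORTS = {"Gi1/0/24"}  # hypothetical uplink marked "ip arp inspection trust"

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (eth_src, opcode, sender_mac, sender_ip) from an untagged Ethernet ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return _mac(frame[6:12]), op, _mac(frame[22:28]), str(IPv4Address(frame[28:32]))

def dai_inspect(frame, vlan, port):
    """Model of the DAI decision: returns 'forward' or 'drop: <reason>'."""
    if port in TRUSTED_PORTS:
        return "forward"  # trusted ports are not inspected
    try:
        eth_src, _op, smac, sip = parse_arp(frame)
    except ValueError as e:
        return f"drop: {e}"
    if eth_src != smac:  # optional check (validate src-mac)
        return "drop: ethernet source != ARP sender MAC"
    bound = BINDINGS.get((vlan, sip))
    if bound is None:
        return "drop: no binding for sender IP"
    if bound != smac:
        return "drop: sender MAC does not match binding"
    return "forward"

def sample_arp_reply(eth_src, smac, sip, tmac="aa:bb:cc:00:00:01", tip="10.0.10.1"):
    """Build a constructed 42-byte ARP reply frame to feed dai_inspect()."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    return (m(tmac) + m(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + m(smac) + IPv4Address(sip).packed
            + m(tmac) + IPv4Address(tip).packed)
```

The same frame that is dropped on an untrusted access port is forwarded when it arrives on the trusted port, which is why trust should be limited to links toward other inspecting switches.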

Question 2

Explanation

This example shows how to enable DAI on VLANs 10 through 12:

Router# configure terminal
Router(config)# ip arp inspection vlan 10-12

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dynarp.html

Question 3

Question 4a

Explanation

Note: To configure DHCP snooping with Dynamic ARP Inspection, add the command “ip arp inspection vlan vlan-id” in global configuration mode and “ip arp inspection trust” in interface configuration mode.

Question 4b

Question 5

Explanation

Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks.

Reference: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html

Question 6

Question 7

Question 8

Question 9

Comments
  1. Anonymous
    February 4th, 2020

    Q4b answer C is wrong, it would be only C:

    Switch(config)#ip arp inspection ?
    filter Specify ARP acl to be applied
    log-buffer Log Buffer Configuration
    validate Validate addresses
    vlan Enable/Disable ARP Inspection on vlans

    Q7 answer A has to be corrected; it would be “ip arp inspection validate ip”

  2. NANA
    February 15th, 2020

    q4 C and D are correct

    ===========
    SW1(config-if)#ip arp inspection trust ?

    ===========
    SW1(config)#ip arp inspection ?
    filter Specify ARP acl to be applied
    log-buffer Log Buffer Configuration
    validate Validate addresses
    vlan Enable/Disable ARP Inspection on vlans

    SW1(config)#ip arp inspection vlan ?
    WORD vlan range, example: 1,3-5,7,9-11

    SW1(config)#ip arp inspection vlan 10 ?
    logging Configure type of packets to be logged

    =============
