Tweet
SWITCH (642-813): Dynamic ARP Inspection DAI
Question 1
Which three statements are true about the dynamic ARP inspection (DAI) feature? (Choose three)
A. DAI can be performed on ingress ports only.
B. DAI can be performed on both ingress and egress ports.
C. DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
D. DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP caches of hosts in the domain.
E. DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
F. DAI is supported on access and trunk ports only.
Answer: A C E
Explanation
DAI is an ingress security feature and does not perform any egress checking -> A is correct
DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports -> C is correct.
We should configure access switch ports as untrusted because in most cases an attacker will use these ports. By default, all interfaces are untrusted. We only need to configure all switch ports connected to other switches as trusted -> E is correct.
Question 2
What does the global configuration command “ip arp inspection vlan 10-12,15″ accomplish?
A. Discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
B. Validates outgoing ARP requests for interfaces configured on VLAN 10,11,12, or 15
C. Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
D. Intercepts all ARP requests and responses on trusted ports
Answer: C
Explanation
The function of DAI is:
+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets
On untrusted ports, the switch captures all ARP packets (both request and reply) and then validates the Source Protocol and Source Hardware address values against the snooping table database for that port.
If the MAC address and IP address and the corresponding port do not match the snooping database entry, the ARP packets are dropped. DAI thus prevents the node from specifying a non-legitimate IP-MAC address binding which differs from what was given by the DHCP server.
Question 3
Refer to the exhibit. Dynamic ARP inspection (DAI) is enabled on switch SW_A only. Both Host_A and Host_B acquire their IP addresses from the DHCP server connected to switch SW_A. What would the outcome be if Host_B initiated an ARP spoof attack toward Host_A?
A. The spoof packets will be inspected at the ingress port of switch SW_A and will be permitted.
B. The spoof packets will not be inspected at the ingress port of switch SW_A and will be permitted.
C. The spoof packets will not be inspected at the ingress port of switch SW_A and will be dropped.
D. The spoof packets will be inspected at the ingress port of switch SW_A and will be dropped.
Answer: B
Explanation
Port Fa0/23 of SW_A is configured as trusted port while DAI is not enabled on SW_B so if Host_B sends spoof packets, SW_B and SW_A will not inspect and forward them.
Question 4
Which three statements are true about DAI? (Choose three)
A. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the DHCP Snooping database.
B. DAI forwards all ARP packets received on a trusted interface without any checks.
C. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the CAM table.
D. DAI forwards all ARP packets received on a trusted interface after verifying and inspecting the packet against the DAI table.
E. DAI intercepts all ARP packets on untrusted ports
F. DAI is used to prevent against a DHCP Snooping attack.
Answer: A B E
Which three statements are true about the dynamic ARP inspection (DAI) feature? (Choose three)
A. DAI can be performed on ingress ports only.
B. DAI can be performed on both ingress and egress ports.
C. DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
D. DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP caches of hosts in the domain.
E. DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
F. DAI is supported on access and trunk ports only.
Answer: A C E
Explanation
DAI is an ingress security feature and does not perform any egress checking -> A is correct
DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports -> C is correct.
We should configure access switch ports as untrusted because in most cases an attacker will use these ports. By default, all interfaces are untrusted. We only need to configure all switch ports connected to other switches as trusted -> E is correct.
Question 2
What does the global configuration command “ip arp inspection vlan 10-12,15″ accomplish?
A. Discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
B. Validates outgoing ARP requests for interfaces configured on VLAN 10,11,12, or 15
C. Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
D. Intercepts all ARP requests and responses on trusted ports
Answer: C
Explanation
The function of DAI is:
+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets
On untrusted ports, the switch captures all ARP packets (both request and reply) and then validates the Source Protocol and Source Hardware address values against the snooping table database for that port.
If the MAC address and IP address and the corresponding port do not match the snooping database entry, the ARP packets are dropped. DAI thus prevents the node from specifying a non-legitimate IP-MAC address binding which differs from what was given by the DHCP server.
Question 3
Refer to the exhibit. Dynamic ARP inspection (DAI) is enabled on switch SW_A only. Both Host_A and Host_B acquire their IP addresses from the DHCP server connected to switch SW_A. What would the outcome be if Host_B initiated an ARP spoof attack toward Host_A?
B. The spoof packets will not be inspected at the ingress port of switch SW_A and will be permitted.
C. The spoof packets will not be inspected at the ingress port of switch SW_A and will be dropped.
D. The spoof packets will be inspected at the ingress port of switch SW_A and will be dropped.
Answer: B
Explanation
Port Fa0/23 of SW_A is configured as trusted port while DAI is not enabled on SW_B so if Host_B sends spoof packets, SW_B and SW_A will not inspect and forward them.
Question 4
Which three statements are true about DAI? (Choose three)
A. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the DHCP Snooping database.
B. DAI forwards all ARP packets received on a trusted interface without any checks.
C. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the CAM table.
D. DAI forwards all ARP packets received on a trusted interface after verifying and inspecting the packet against the DAI table.
E. DAI intercepts all ARP packets on untrusted ports
F. DAI is used to prevent against a DHCP Snooping attack.
Answer: A B E