The DHCP snooping database resides on router R1, and dynamic ARP inspection is configured only on switch SW2. Which ports must be configured as untrusted so that dynamic ARP inspection operates normally?
ums008 gave a good explanation. Typically all access ports, where the endpoints reside, are untrusted. We do not want to see a DHCP offer from a rogue client. On the other hand, we want to allow the DHCP offer from the legitimate DHCP server. As it is about the offer, it would be enough to trust the ports where the offer arrives. In case of uncertainty, we can trust all trunk ports with DHCP traffic, and the port where the DHCP server is sitting.
Typical Cisco SHIT question; you enable them on the SVI as best practice. But if we decode this, then it means all access ports in that VLAN where we don't want to see a DHCP server.
So B is the correct answer.
B is correct:
In a typical network configuration for DAI, all ports connected to host ports are configured as untrusted, while all ports connected to switches are configured as trusted. With this configuration, all ARP packets entering the network from a given switch will have passed the security check.
Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity. Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network.
Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html
This is not a typical DAI network, as DAI is not enabled on all access ports with hosts (meaning SW1 and SW3). Therefore, you need to activate DAI on trunk ports (fully supported, and you need to increase the DAI inspection limit to avoid bottlenecks).
So it's D that's correct, not B.
D - is correct:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html#:~:text=Dynamic%20ARP%20Inspection%20%28DAI%29%20is%20a%20security%20feature,capability%20protects%20the%20network%20from%20certain%20%E2%80%9Cman-in-the-middle%E2%80%9D%20attacks.
To handle cases in which some switches in a VLAN run DAI and other switches do not, the interfaces connecting such switches should be configured as untrusted. To validate the bindings of packets from non-DAI switches, however, the switch running DAI should be configured with ARP ACLs. When it is not feasible to determine such bindings, switches running DAI should be isolated from non-DAI switches at Layer 3.
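As an added illustration, not taken from the thread or from Cisco's documentation page, here is what the port trust layout described above looks like on an IOS switch running DAI: host-facing access ports and the trunk to a non-DAI switch stay untrusted (with the trunk's ARP rate limit raised), the trunk to another DAI switch is trusted, and an ARP ACL supplies bindings for hosts behind non-DAI switches. VLAN 10, the interface numbers, and the host IP/MAC pair are assumptions, not values from the question.

```cisco
! Global: enable DAI for the VLAN in question (VLAN 10 is assumed)
ip arp inspection vlan 10
!
! Host-facing access ports: left untrusted (the default), so every ARP
! packet is validated against this switch's DHCP snooping bindings
interface range GigabitEthernet1/0/2 - 3
 switchport mode access
 switchport access vlan 10
 no ip arp inspection trust
!
! Trunk towards a switch that does NOT run DAI (SW1/SW3 in the thread):
! keep it untrusted, and raise the per-port ARP rate limit so the
! aggregated ARP traffic does not err-disable the port (15 pps is the
! untrusted default)
interface GigabitEthernet1/0/6
 switchport mode trunk
 no ip arp inspection trust
 ip arp inspection limit rate 100 burst interval 1
!
! Trunk towards a switch that DOES run DAI: trusted, because the ARP
! packets were already checked on ingress to that switch
interface GigabitEthernet1/0/24
 switchport mode trunk
 ip arp inspection trust
!
! Hosts behind non-DAI switches have no binding in this switch's DHCP
! snooping table; supply their IP-to-MAC pairs with an ARP ACL
! (constructed placeholder values)
arp access-list DAI-STATIC-HOSTS
 permit ip host 10.0.10.50 mac host 0011.2233.4455
!
! Apply the ACL to the VLAN; without the "static" keyword, ARP packets
! the ACL does not match are still checked against the DHCP snooping bindings
ip arp inspection filter DAI-STATIC-HOSTS vlan 10
!
! Verification: trust state and rate limit per port, and per-VLAN status
show ip arp inspection interfaces
show ip arp inspection vlan 10
```

Misconfiguring the trust direction has the two consequences quoted earlier from the Cisco guide: trusting a port that carries unvalidated ARP opens the hole, while leaving a DAI-to-DAI trunk untrusted with the default limit can err-disable it.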
This question confused me, because how is the SW2 switch going to use the DHCP snooping database from R1 to do DAI? The snooping database has to be local to the switch. But if you don't think about that part and only focus on SW2 and DAI, ports 2, 3 and 6 would have to be untrusted.
But wouldn't that also hinder traffic from the other switches?
Community vote distribution: A (35%), C (25%), B (20%), Other