DAI Flashcards

1
Q

What is DAI?

A

Dynamic ARP Inspection. DAI makes sure that hosts only reply to the ARP requests that they should be replying to.

Dynamic ARP Inspection protects against a malicious actor who reads a host’s ARP broadcast request and then claims the destination address the host is trying to reach. This is done by inspecting *ARP REPLIES* against the DHCP snooping and static bindings.

2
Q

How does DAI work?

A

As DHCP packets come through the network, the switch builds a table mapping MAC addresses to IP addresses. If a host replies to an ARP request for an IP it isn’t mapped to, the reply is dropped by the switch.

3
Q

What must be enabled for DAI to work?

A

DHCP snooping.

4
Q

When does DAI take action?

A

When ARP replies are TRANSMITTED, not received.

5
Q

What are trusted ports?

A

Ports configured by the admin that DAI will not take action on.

6
Q

According to best practice, all ___ should be set to trusted.

A

Uplink ports.

7
Q

What can be used by the switch for DAI in addition to the dynamically learned DHCP addresses?

A

Static ARP entries configured by the admin.

8
Q

List the steps to configure DAI.

A

1. Enable DHCP snooping.
2. Use the “ip arp inspection” command to enable DAI on each VLAN.
3. Use the “ip arp inspection” command to set your validation method (IP is standard).
4. Set your trusted ports.

9
Q

In what context is DAI configured?

A

Globally (except when configuring trusted ports).

10
Q

Which three statements are true about the dynamic ARP inspection (DAI) feature? (Choose three)

A. DAI can be performed on ingress ports only.
B. DAI can be performed on both ingress and egress ports.
C. DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
D. DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP caches of hosts in the domain.
E. DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
F. DAI is supported on access and trunk ports only.

A

Answer: A C E

Explanation

DAI is an ingress security feature and does not perform any egress checking -> A is correct

DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports -> C is correct.

We should configure access switch ports as untrusted because in most cases an attacker will use these ports. By default, all interfaces are untrusted. We only need to configure all switch ports connected to other switches as trusted -> E is correct.

(Reference: http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_2/security/configuration/guide/n1000v_security_13arpinspect.html

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdynarp.html)

11
Q

What does the global configuration command “ip arp inspection vlan 10-12,15” accomplish?

A. Discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
B. Validates outgoing ARP requests for interfaces configured on VLAN 10,11,12, or 15
C. Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
D. Intercepts all ARP requests and responses on trusted ports

A

Answer: C

Explanation

The function of DAI is:

+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets

On untrusted ports, the switch captures all ARP packets (both request and reply) and then validates the Source Protocol and Source Hardware address values against the snooping table database for that port.
If the MAC address and IP address and the corresponding port do not match the snooping database entry, the ARP packets are dropped. DAI thus prevents the node from specifying a non-legitimate IP-MAC address binding which differs from what was given by the DHCP server.

12
Q

Refer to the exhibit. Dynamic ARP inspection (DAI) is enabled on switch SW_A only. Both Host_A and Host_B acquire their IP addresses from the DHCP server connected to switch SW_A. What would the outcome be if Host_B initiated an ARP spoof attack toward Host_A?

[Exhibit: Dynamic_ARP_Inspection_DHCP.jpg]

A. The spoof packets will be inspected at the ingress port of switch SW_A and will be permitted.
B. The spoof packets will not be inspected at the ingress port of switch SW_A and will be permitted.
C. The spoof packets will not be inspected at the ingress port of switch SW_A and will be dropped.
D. The spoof packets will be inspected at the ingress port of switch SW_A and will be dropped.

A

Answer: B

Explanation

Port Fa0/23 of SW_A is configured as a trusted port, and DAI is not enabled on SW_B, so if Host_B sends spoofed packets, neither SW_B nor SW_A will inspect them; both will simply forward them.

14
Q

Which three statements are true about DAI? (Choose three)

A. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the DHCP Snooping database.
B. DAI forwards all ARP packets received on a trusted interface without any checks.
C. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the CAM table.
D. DAI forwards all ARP packets received on a trusted interface after verifying and inspecting the packet against the DAI table.
E. DAI intercepts all ARP packets on untrusted ports
F. DAI is used to prevent against a DHCP Snooping attack.

A

Answer: A B E

Explanation

Same as Question 2

15
Q

Which switch feature determines validity based on IP-to-MAC address bindings that are stored in a trusted database?

A

Dynamic ARP Inspection

16
Q

What is DAI?

A

Dynamic ARP Inspection

17
Q

How does DAI work?

A

All ARP packets that arrive on untrusted ports are inspected.

18
Q

What happens when an ARP reply is received on an untrusted port?

A

The switch checks the MAC and IP reported in the reply against trusted values. If they don’t match, the reply is dropped and logged.

19
Q

How does a DAI enabled switch gather trusted ARP info?

A

From the DHCP snooping database or from static entries.

20
Q

On what scope is DAI enabled?

A

Per VLAN.

21
Q

Which ports should you consider trusted for DAI?

A

Those that connect to other switches.

22
Q

How do you configure DAI for statically configured IP addresses?

A

By an ARP access list that defines the permitted bindings.

23
Q

What does the static keyword do when applying an ARP ACL?

A

Prevents the DHCP binding DB from being checked.

24
Q

Can ARP replies be checked?

A

Yes.

25
Q

What does the src-mac option do when checking ARP replies?

A

Checks the source MAC in the Ethernet header against the sender MAC in the ARP reply.

26
Q

What does the dst-mac option do when checking ARP replies?

A

Checks the destination MAC in the Ethernet header against the target MAC in the ARP reply.

27
Q

What does the ip option do when checking ARP replies?

A

Checks the sender’s IP in all ARP requests, and checks the sender’s IP against the target IP in all replies.

28
Q

What configuration command enables *DAI*?

A

Sw1(config)# ip arp inspection vlan <vlan-id>

29
Q

What useful show command verifies *DAI*?

A

Sw1# show ip arp inspection