DAI Flashcards
What is DAI?
Dynamic ARP Inspection. DAI makes sure that hosts are only replying to the ARP requests that they should be.
Dynamic ARP Inspection protects against a malicious actor that takes on the destination address the host is trying to reach by reading the host’s ARP broadcast message. This is done by inspecting *ARP REPLIES* against DHCP Snooping and static bindings.
How does DAI work?
As DHCP packets come through the network, the switch builds a table mapping MAC addresses to IP addresses. If a host replies to an ARP request for an IP it isn’t mapped to, the reply is dropped by the switch.
What must be enabled for DAI to work?
DHCP snooping.
When does DAI take action?
When ARP replies are TRANSMITTED, not received.
What are trusted ports?
Ports configured by the admin that DAI will not take action on.
According to best practice, all ___ should be set to trusted.
Uplink ports.
What can be used by the switch for DAI in addition to the dynamically learned DHCP addresses?
Static ARP entries configured by the admin.
List the steps to configure DAI.
1. Enable DHCP snooping.
2. Use the “ip arp inspection” command to enable DAI on each VLAN.
3. Use the “ip arp inspection” command to set your validation method (IP is standard).
4. Set your trusted ports.
In what context is DAI configured?
Globally (except when configuring trusted ports).
Which three statements are true about the dynamic ARP inspection (DAI) feature? (Choose three)
A. DAI can be performed on ingress ports only.
B. DAI can be performed on both ingress and egress ports.
C. DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
D. DAI should be enabled on the root switch for particular VLANs only in order to secure the ARP caches of hosts in the domain.
E. DAI should be configured on all access switch ports as untrusted and on all switch ports connected to other switches as trusted.
F. DAI is supported on access and trunk ports only.
Answer: A C E
Explanation
DAI is an ingress security feature and does not perform any egress checking -> A is correct
DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports -> C is correct.
We should configure access switch ports as untrusted because in most cases an attacker will use these ports. By default, all interfaces are untrusted. We only need to configure all switch ports connected to other switches as trusted -> E is correct.
(Reference: http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_2/security/configuration/guide/n1000v_security_13arpinspect.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_25_see/configuration/guide/swdynarp.html)
What does the global configuration command “ip arp inspection vlan 10-12,15” accomplish?
A. Discards ARP packets with invalid IP-to-MAC address bindings on trusted ports
B. Validates outgoing ARP requests for interfaces configured on VLAN 10,11,12, or 15
C. Intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings
D. Intercepts all ARP requests and responses on trusted ports
Answer: C
Explanation
The function of DAI is:
+ Intercepts all ARP requests and responses on untrusted ports
+ Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
+ Drops invalid ARP packets
On untrusted ports, the switch captures all ARP packets (both request and reply) and then validates the Source Protocol and Source Hardware address values against the snooping table database for that port.
If the MAC address and IP address and the corresponding port do not match the snooping database entry, the ARP packets are dropped. DAI thus prevents the node from specifying a non-legitimate IP-MAC address binding which differs from what was given by the DHCP server.
Refer to the exhibit. Dynamic ARP inspection (DAI) is enabled on switch SW_A only. Both Host_A and Host_B acquire their IP addresses from the DHCP server connected to switch SW_A. What would the outcome be if Host_B initiated an ARP spoof attack toward Host_A?
[Exhibit: Dynamic_ARP_Inspection_DHCP.jpg]
A. The spoof packets will be inspected at the ingress port of switch SW_A and will be permitted.
B. The spoof packets will not be inspected at the ingress port of switch SW_A and will be permitted.
C. The spoof packets will not be inspected at the ingress port of switch SW_A and will be dropped.
D. The spoof packets will be inspected at the ingress port of switch SW_A and will be dropped.
Answer: B
Explanation
Port Fa0/23 of SW_A is configured as a trusted port, while DAI is not enabled on SW_B, so if Host_B sends spoof packets, SW_B and SW_A will forward them without inspecting them.
Which three statements are true about DAI? (Choose three)
A. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the DHCP Snooping database.
B. DAI forwards all ARP packets received on a trusted interface without any checks.
C. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP address bindings stored in the CAM table.
D. DAI forwards all ARP packets received on a trusted interface after verifying and inspecting the packet against the DAI table.
E. DAI intercepts all ARP packets on untrusted ports
F. DAI is used to prevent against a DHCP Snooping attack.
Answer: A B E
Explanation
Same as Question 2
Which switch feature determines validity based on IP-to-MAC address bindings that are stored in a trusted database?
Dynamic ARP Inspection
What is DAI?
Dynamic ARP Inspection