1
00:00:04,480 --> 00:00:07,880
This is a free, complete course for the CCNA.
2
00:00:07,879 --> 00:00:11,789
If you like these videos, please subscribe\n
3
00:00:11,789 --> 00:00:16,649
Also, please like and leave a comment, and\n
4
00:00:19,530 --> 00:00:23,270
In this video we’ll cover Dynamic ARP Inspection.
5
00:00:23,269 --> 00:00:29,179
Dynamic ARP Inspection, also called DAI, is\n
6
00:00:29,179 --> 00:00:35,689
must be able to configure Layer 2 security\n
7
00:00:36,719 --> 00:00:42,119
We covered DHCP snooping and port security\n
8
00:00:45,460 --> 00:00:49,980
Dynamic ARP inspection is a security feature\n
9
00:00:49,979 --> 00:00:54,659
a similar manner to how DHCP snooping inspects DHCP messages.
10
00:00:54,659 --> 00:00:59,409
So, this video will follow a similar structure\n
11
00:00:59,409 --> 00:01:02,349
Here’s what we’ll cover in this video.
12
00:01:02,350 --> 00:01:05,530
First, what is dynamic ARP inspection?
13
00:01:05,530 --> 00:01:09,170
I’ll give a brief overview, and then introduce how it works.
14
00:01:09,170 --> 00:01:14,579
I’ll show you what attacks it can be used\n
15
00:01:14,578 --> 00:01:18,218
we look into more details of its operations.
16
00:01:18,218 --> 00:01:22,438
Watch until the end of the video for a bonus\n
17
00:01:22,438 --> 00:01:28,699
ExSim for CCNA, my recommended practice exams for the CCNA.
18
00:01:28,700 --> 00:01:32,879
Before dynamic ARP inspection, let’s quickly review ARP itself.
19
00:01:32,879 --> 00:01:38,358
ARP is used to learn the MAC address of another\n
20
00:01:38,358 --> 00:01:43,658
For example, a PC will use ARP to learn the\n
21
00:01:45,688 --> 00:01:50,098
It will also use ARP to learn the MAC address\n
22
00:01:50,099 --> 00:01:56,659
Typically it’s a two message exchange, consisting\n
23
00:01:58,959 --> 00:02:06,228
For example, PC1 wants to send a DNS query\n
24
00:02:06,228 --> 00:02:11,060
It thinks, 8.8.8.8 is outside of my local\n
25
00:02:13,280 --> 00:02:21,239
However, PC1 doesn’t know the MAC address\n
26
00:02:21,239 --> 00:02:27,640
So, it will broadcast this ARP request message,\n
27
00:02:27,639 --> 00:02:32,768
Every device in the LAN will receive the message,\n
28
00:02:32,769 --> 00:02:35,530
broadcast MAC address of all Fs.
29
00:02:35,530 --> 00:02:39,609
Let’s look at that ARP request in wireshark.
30
00:02:39,609 --> 00:02:45,010
The ARP message is encapsulated in an Ethernet\n
31
00:02:45,009 --> 00:02:50,179
So, in the previous slide when I wrote ‘source\n
32
00:02:50,180 --> 00:02:55,680
message, I’m actually referring to these\n
33
00:02:55,680 --> 00:03:00,629
Specifically the sender IP address, which\n
34
00:03:00,628 --> 00:03:04,818
address, which is the destination IP address.
35
00:03:04,818 --> 00:03:09,539
ARP messages are only broadcast within the\n
36
00:03:09,539 --> 00:03:14,229
networks, so there’s no need to encapsulate\n
37
00:03:14,229 --> 00:03:20,858
Keep these fields in mind, sender MAC and\n
38
00:03:20,859 --> 00:03:25,600
they can play a role in the dynamic ARP inspection process.
39
00:03:25,599 --> 00:03:31,318
Because its IP address was in the ARP message’s\n
40
00:03:31,318 --> 00:03:38,119
an ARP reply to PC1 so that PC1 can learn\n
41
00:03:40,098 --> 00:03:46,259
Note that R1 also added an entry for PC1 in\n
42
00:03:46,259 --> 00:03:51,739
ARP request from PC1, so R1 doesn’t need\n
43
00:03:53,479 --> 00:03:57,340
Here’s that ARP reply in Wireshark.
44
00:03:57,340 --> 00:04:03,188
The sender IP and MAC fields are R1’s addresses,\n
45
00:04:05,299 --> 00:04:07,890
Pause the video if you want to check out the message.
46
00:04:07,889 --> 00:04:15,888
So, PC1 is now able to insert R1’s MAC address\n
47
00:04:15,889 --> 00:04:19,720
then send the message to R1 which will forward\n
48
00:04:19,720 --> 00:04:24,020
So, that’s the basic ARP process.
49
00:04:24,019 --> 00:04:28,180
But there is also something called gratuitous\n
50
00:04:29,180 --> 00:04:36,269
A gratuitous ARP message is an ARP reply that\n
51
00:04:36,269 --> 00:04:39,959
It is sent to the broadcast MAC address, all Fs.
52
00:04:39,959 --> 00:04:42,870
Note that standard ARP replies are not broadcast.
53
00:04:42,870 --> 00:04:48,750
They are unicast messages sent to the device\n
54
00:04:48,750 --> 00:04:52,930
Gratuitous ARP allows other devices on the\n
55
00:04:52,930 --> 00:04:58,728
the device that sent the gratuitous ARP, and\n
56
00:04:58,728 --> 00:05:04,019
This depends on the device maker, but some\n
57
00:05:04,019 --> 00:05:10,389
messages when an interface is enabled, IP\n
58
00:05:11,389 --> 00:05:16,639
So, for example if PC2’s network interface\n
59
00:05:16,639 --> 00:05:20,490
reply, and it is flooded in the local network.
60
00:05:20,490 --> 00:05:25,370
Now the other devices will add an ARP entry\n
61
00:05:25,370 --> 00:05:28,810
also add entries for PC2 in their MAC address tables.
62
00:05:28,810 --> 00:05:34,180
We’ll come back to the concept of gratuitous\n
63
00:05:35,839 --> 00:05:39,250
Okay, let’s move on to Dynamic ARP Inspection.
64
00:05:39,250 --> 00:05:44,310
DAI is a feature of switches that is used\n
65
00:05:47,649 --> 00:05:50,609
All other messages will be unaffected.
66
00:05:50,610 --> 00:05:54,870
Just like DHCP snooping, all ports are untrusted by default.
67
00:05:54,870 --> 00:06:00,689
Typically, all ports connected to other network\n
68
00:06:00,689 --> 00:06:06,228
should be configured as trusted, while interfaces\n
69
00:06:06,228 --> 00:06:11,969
So, in this network that means we should configure\n
70
00:06:13,839 --> 00:06:19,948
Now, SW2’s interface connected to SW1 could\n
71
00:06:19,949 --> 00:06:22,430
downlink leading toward the end hosts.
72
00:06:24,189 --> 00:06:29,269
In Cisco’s documentation they recommend\n
73
00:06:29,269 --> 00:06:34,779
routers, etc. are configured as trusted, so\n
74
00:06:34,779 --> 00:06:41,079
Here’s how DAI works, and you’ll see it’s\n
75
00:06:43,788 --> 00:06:49,039
Because it arrives on an untrusted port, SW1\n
76
00:06:49,040 --> 00:06:53,500
It determines the message is OK, so it forwards it to SW2.
77
00:06:53,500 --> 00:06:58,519
In this case SW2 doesn’t inspect it, because\n
78
00:06:58,519 --> 00:07:02,389
so it forwards it to R1, which sends the reply.
79
00:07:02,389 --> 00:07:09,500
This message isn’t inspected by SW2 or SW1,\n
80
00:07:09,500 --> 00:07:15,339
This time PC2 sends an ARP message, but SW1\n
81
00:07:15,339 --> 00:07:17,899
because it violates the rules of DAI.
82
00:07:17,899 --> 00:07:24,258
I’ll explain exactly how DAI determines\n
83
00:07:24,259 --> 00:07:26,848
let me show you an ARP-based attack.
84
00:07:26,848 --> 00:07:33,079
So, this is the ARP poisoning attack, which\n
85
00:07:33,079 --> 00:07:39,109
Similar to DHCP poisoning, ARP poisoning involves\n
86
00:07:39,110 --> 00:07:42,189
so traffic is sent to the attacker.
87
00:07:42,189 --> 00:07:48,979
To do this, the attacker can send gratuitous\n
88
00:07:48,978 --> 00:07:54,218
Another option is to send replies to the targets’\n
89
00:07:54,218 --> 00:07:57,529
use gratuitous ARP for this demonstration.
90
00:07:57,529 --> 00:08:01,978
Other devices will receive the gratuitous\n
91
00:08:01,978 --> 00:08:06,860
to send traffic to the attacker instead of\n
92
00:08:06,860 --> 00:08:12,780
For example, the attacker PC2 sends a GARP\n
93
00:08:14,930 --> 00:08:18,329
It is flooded through the network, and all devices receive it.
94
00:08:18,329 --> 00:08:26,469
So, they update their ARP tables to map PC2’s\n
95
00:08:26,470 --> 00:08:33,450
By the way, R1 doesn’t update its ARP table,\n
96
00:08:33,450 --> 00:08:40,379
Now, if PC1 wants to send this packet to an\n
97
00:08:40,379 --> 00:08:45,860
PC2 can save a copy of the message for future\n
98
00:08:47,940 --> 00:08:52,650
It’s possible that PC2 could also manipulate\n
99
00:08:52,649 --> 00:08:58,120
So, this is how ARP can be used to perform\n
100
00:08:58,120 --> 00:09:02,259
DHCP poisoning attack shown in the previous video.
101
00:09:02,259 --> 00:09:06,100
Now let’s see how DAI can protect against this kind of attack.
102
00:09:06,100 --> 00:09:10,700
First, here’s a summary of how DAI works.
103
00:09:10,700 --> 00:09:16,420
DAI inspects the sender MAC and sender IP\n
104
00:09:16,419 --> 00:09:21,819
ports and checks if there is a matching entry\n
105
00:09:21,820 --> 00:09:28,170
So, I showed you in the previous video that\n
106
00:09:28,169 --> 00:09:33,969
as you can see the MAC addresses and IP addresses\n
107
00:09:33,970 --> 00:09:40,660
So, DAI checks ARP messages and if there is\n
108
00:09:40,659 --> 00:09:43,019
the ARP message is forwarded normally.
109
00:09:44,740 --> 00:09:50,100
However, if there isn’t a matching entry\n
110
00:09:52,529 --> 00:09:58,029
Note that this check only occurs on untrusted\n
111
00:10:01,779 --> 00:10:07,789
However, just like in DHCP snooping all ports\n
112
00:10:07,789 --> 00:10:10,379
specify which ports are trusted.
113
00:10:10,379 --> 00:10:16,821
So, DAI operations are usually reliant on\n
114
00:10:18,350 --> 00:10:24,451
ARP ACLs can be manually configured to map\n
115
00:10:25,779 --> 00:10:29,500
This can be useful for hosts that don’t use DHCP.
116
00:10:29,500 --> 00:10:35,409
If they don’t use DHCP, they won’t have\n
117
00:10:35,409 --> 00:10:38,919
will just drop all ARP messages they try to send.
118
00:10:38,919 --> 00:10:42,569
You can configure ARP ACLs for these specific hosts.
119
00:10:42,570 --> 00:10:46,100
Or all hosts if you want, but that’s a lot of manual work.
120
00:10:46,100 --> 00:10:50,190
I’ll show you how to configure ARP ACLs later.
121
00:10:50,190 --> 00:10:55,830
In addition to the sender MAC and sender IP\n
122
00:10:55,830 --> 00:10:58,670
in-depth checks, but these are optional.
123
00:10:58,669 --> 00:11:01,569
I’ll briefly introduce them later.
124
00:11:01,570 --> 00:11:07,770
And like DHCP snooping, DAI also supports\n
125
00:11:09,539 --> 00:11:16,389
I didn’t mention this in the last video,\n
126
00:11:18,309 --> 00:11:23,049
So, even if the attacker’s messages are\n
127
00:11:23,049 --> 00:11:26,659
CPU by sending a ton of ARP messages.
128
00:11:26,659 --> 00:11:31,360
If the attacker tries to do that, rate limiting\n
129
00:11:34,850 --> 00:11:38,210
Now let’s move on to DAI configuration.
130
00:11:38,210 --> 00:11:42,650
First up, the basic commands to enable it\n
131
00:11:42,649 --> 00:11:50,439
First, use IP ARP INSPECTION VLAN, followed\n
132
00:11:50,440 --> 00:11:53,220
In this network I’m using VLAN 1 only.
133
00:11:53,220 --> 00:11:58,480
However, if there are multiple VLANs, you\n
134
00:11:58,480 --> 00:12:05,659
If you don’t, only ARP messages in the specified\n
135
00:12:05,659 --> 00:12:12,980
Then I configured SW2’s G0/0 and G0/1 interfaces\n
136
00:12:14,169 --> 00:12:20,759
And that’s it, those are the basic commands\n
137
00:12:20,759 --> 00:12:26,429
Then I did the same configurations on SW1,\n
138
00:12:26,429 --> 00:12:33,599
Now, you might have noticed a difference between\n
139
00:12:33,600 --> 00:12:41,360
DHCP requires two commands to enable it, IP\n
140
00:12:41,360 --> 00:12:45,210
So, enable it globally and then enable it\nper VLAN.
141
00:12:45,210 --> 00:12:50,971
DAI is different, you only have to enable\n
142
00:12:52,610 --> 00:12:56,710
Honestly I’m not sure the reason for this\n
143
00:12:56,710 --> 00:13:03,700
Okay let’s check out one of the DAI show\n
144
00:13:03,700 --> 00:13:07,950
First, you can see the trust state of each interface.
145
00:13:07,950 --> 00:13:12,650
On SW1 only G0/0 is trusted, as I configured.
146
00:13:12,649 --> 00:13:16,340
This column shows us the DAI rate limiting settings.
147
00:13:16,340 --> 00:13:23,070
There are a few differences between DHCP snooping\n
148
00:13:23,070 --> 00:13:27,730
DAI rate limiting is enabled on untrusted\n
149
00:13:27,730 --> 00:13:32,670
per second, but it is disabled on trusted ports by default.
150
00:13:32,669 --> 00:13:38,079
In the case of DHCP snooping, rate limiting\n
151
00:13:40,700 --> 00:13:43,580
And this column shows us one more difference.
152
00:13:43,580 --> 00:13:47,320
DHCP snooping rate limiting is configured like this.
153
00:13:49,309 --> 00:13:54,379
However DAI has a feature called the burst\n
154
00:13:54,379 --> 00:13:57,809
limiting like X packets per Y seconds.
155
00:13:57,809 --> 00:14:02,349
So, the interval being measured doesn’t\n
156
00:14:02,350 --> 00:14:06,700
flexibility with how you can control the rate\n
157
00:14:06,700 --> 00:14:12,930
Okay, since I just brought up DAI rate limiting\n
158
00:14:12,929 --> 00:14:16,879
Let’s configure DAI rate limiting on SW1.
159
00:14:16,879 --> 00:14:25,600
First, on G0/1 and 2 I used IP ARP INSPECTION\n
160
00:14:25,600 --> 00:14:29,009
then BURST INTERVAL 2, that means 2 seconds.
161
00:14:29,009 --> 00:14:36,379
So, I changed the rate from 15 packets per\n
162
00:14:36,379 --> 00:14:38,919
Note that the burst interval is optional.
163
00:14:38,919 --> 00:14:42,509
If you don’t specify it, the default is 1 second.
164
00:14:42,509 --> 00:14:49,110
To demonstrate, on G0/3 I configured IP ARP\n
165
00:14:51,100 --> 00:14:53,420
And here you can see the results.
166
00:14:53,419 --> 00:15:00,879
For G0/1 and 2 it’s 25 packets per 2 seconds,\n
167
00:15:00,879 --> 00:15:05,549
So, that’s how DAI rate limiting is configured.
168
00:15:05,549 --> 00:15:11,909
If ARP messages are received faster than the\n
169
00:15:11,909 --> 00:15:16,969
Let me emphasize that, rate limiting limits\n
170
00:15:16,970 --> 00:15:19,950
an interface, not sent by an interface.
171
00:15:19,950 --> 00:15:26,110
Anyway, interfaces disabled by ARP inspection\n
172
00:15:26,110 --> 00:15:30,690
NO SHUTDOWN on the interface, or with err-disable recovery.
173
00:15:30,690 --> 00:15:35,410
The command is ERRDISABLE RECOVERY CAUSE ARP-INSPECTION.
174
00:15:35,409 --> 00:15:40,750
I configured err-disable recovery on SW1,\n
175
00:15:42,669 --> 00:15:47,169
Okay, that’s all for DAI rate limiting.
176
00:15:47,169 --> 00:15:51,079
Now let me introduce those additional checks I mentioned before.
177
00:15:51,080 --> 00:15:56,020
By default, DAI checks the sender MAC and\n
178
00:15:56,019 --> 00:15:59,850
entry in the DHCP snooping binding table or not.
179
00:15:59,850 --> 00:16:05,370
However, additional checks can be performed\n
180
00:16:06,440 --> 00:16:11,360
The three options are destination MAC, IP, and source MAC.
181
00:16:12,899 --> 00:16:18,509
I think Cisco’s explanations are quite straightforward\n
182
00:16:20,730 --> 00:16:25,080
Destination MAC validates ARP responses by\n
183
00:16:25,080 --> 00:16:29,670
Ethernet header against the target MAC address\n
184
00:16:29,669 --> 00:16:32,069
If they are different, the frame is dropped.
185
00:16:32,070 --> 00:16:37,860
IP validation looks for invalid or unexpected\n
186
00:16:37,860 --> 00:16:47,419
ARP messages, such as 0.0.0.0, 255.255.255.255,\n
187
00:16:47,419 --> 00:16:52,659
These IP addresses shouldn’t belong to a\n
188
00:16:52,659 --> 00:16:57,719
The sender IP address is checked in both ARP\n
189
00:16:57,720 --> 00:17:01,120
IP address is checked only in ARP replies.
190
00:17:01,120 --> 00:17:06,740
Finally, source MAC validation checks the\n
191
00:17:06,740 --> 00:17:09,548
it to the sender MAC in the ARP message.
192
00:17:09,548 --> 00:17:14,349
If they don’t match, the message is considered\n
193
00:17:14,349 --> 00:17:19,198
To clarify those, here is that ARP reply message\n
194
00:17:19,199 --> 00:17:23,298
These validation checks look at the source\n
195
00:17:23,298 --> 00:17:27,859
header, and also at these fields in the ARP message itself.
196
00:17:27,859 --> 00:17:32,639
In this case, the source and destination in\n
197
00:17:32,640 --> 00:17:37,610
MAC addresses in the ARP message, so the message\n
198
00:17:39,759 --> 00:17:44,378
The sender and target IP addresses in the\n
199
00:17:46,589 --> 00:17:50,829
Note that these checks are done in addition\n
200
00:17:50,829 --> 00:17:56,439
the sender MAC and IP addresses and compares\n
201
00:17:56,440 --> 00:18:01,259
So, if these checks are configured an ARP\n
202
00:18:03,089 --> 00:18:08,058
There’s an important point to mention about\n
203
00:18:08,058 --> 00:18:16,309
I configured, in order, IP ARP INSPECTION\n
204
00:18:16,309 --> 00:18:19,559
checked with SHOW RUN | INCLUDE VALIDATE.
205
00:18:19,559 --> 00:18:22,839
So, what do you think was displayed?
206
00:18:22,839 --> 00:18:26,319
Only VALIDATE SRC-MAC was displayed.
207
00:18:26,319 --> 00:18:32,288
First I configured VALIDATE DST-MAC, but when\n
208
00:18:34,288 --> 00:18:38,589
Then when I configured VALIDATE SRC-MAC, it overwrote IP.
209
00:18:38,589 --> 00:18:43,329
So, if you want to enable all three checks,\n
210
00:18:43,329 --> 00:18:47,928
IP ARP INSPECTION VALIDATE IP SRC-MAC DST-MAC.
211
00:18:47,929 --> 00:18:52,679
I checked again, and now you can see all three.
212
00:18:52,679 --> 00:18:58,059
To summarize, you must enter all of the validation\n
213
00:18:58,058 --> 00:19:03,490
You can specify one, two, or all three, and\n
214
00:19:04,490 --> 00:19:08,500
Okay, those are the optional validation checks\n
215
00:19:08,500 --> 00:19:11,909
Now there is one more topic I want to cover, ARP ACLs.
216
00:19:11,909 --> 00:19:17,820
Now, I’m pretty sure the topic of ARP ACLs\n
217
00:19:19,319 --> 00:19:25,079
So, I will just give a quick example of how\n
218
00:19:25,079 --> 00:19:27,689
I won’t go into the details here.
219
00:19:27,690 --> 00:19:31,278
Here is SW2’s DHCP snooping binding table.
220
00:19:31,278 --> 00:19:39,789
SRV1 has a static IP address, 192.168.1.100,\n
221
00:19:41,119 --> 00:19:46,058
So, what will happen when SRV1 tries to send an ARP request?
222
00:19:46,058 --> 00:19:49,129
It will be dropped, with an error message like this.
223
00:19:49,130 --> 00:19:53,820
It says 1 invalid ARP request on G0/2 in VLAN1.
224
00:19:53,819 --> 00:19:59,849
That’s because SRV1 doesn’t have an entry\n
225
00:19:59,849 --> 00:20:04,808
So, to fix this let’s configure an ARP ACL to permit SRV1.
226
00:20:07,700 --> 00:20:13,048
ARP ACCESS-LIST, followed by a name, to create the ARP ACL.
227
00:20:13,048 --> 00:20:22,200
Then I configured PERMIT IP HOST 192.168.1.100\n
228
00:20:22,200 --> 00:20:29,058
But, creating the ARP ACL alone doesn’t\n
229
00:20:29,058 --> 00:20:37,000
The command is IP ARP INSPECTION FILTER, the\n
230
00:20:37,000 --> 00:20:41,259
Okay, we created the ARP ACL and then applied it.
231
00:20:41,259 --> 00:20:47,029
This time when SRV1 tries to send an ARP request,\n
232
00:20:47,029 --> 00:20:49,509
in the DHCP snooping binding table.
233
00:20:49,509 --> 00:20:53,298
That’s because of the ARP ACL we configured.
234
00:20:53,298 --> 00:20:59,308
Here’s one last show command before we finish,\n
235
00:20:59,308 --> 00:21:04,500
It gives a summary of the DAI configuration\n
236
00:21:04,500 --> 00:21:07,190
have been forwarded and dropped.
237
00:21:07,190 --> 00:21:10,950
Let me just point out a few fields, you don’t\n
238
00:21:10,950 --> 00:21:17,679
First, notice that source MAC, destination\n
239
00:21:17,679 --> 00:21:23,230
I enabled them on SW1 before, but I enabled them on SW2 also.
240
00:21:23,230 --> 00:21:30,089
Here we can see that DAI is configured and\n
241
00:21:31,569 --> 00:21:37,230
Now, this is a detail beyond the scope of\n
242
00:21:38,730 --> 00:21:46,149
If static ACL is set to yes, the implicit\n
243
00:21:46,148 --> 00:21:51,829
Like regular IP ACLs, ARP ACLs also have an implicit deny.
244
00:21:51,829 --> 00:21:55,849
But if you don’t enable the static setting,\n
245
00:21:55,849 --> 00:22:02,349
I didn’t configure it as a static ACL, so\n
246
00:22:02,349 --> 00:22:05,699
But what will happen if the implicit deny takes effect?
247
00:22:05,700 --> 00:22:10,870
It will cause all ARP messages not permitted\n
248
00:22:10,869 --> 00:22:15,469
So, in effect this means that only the ARP ACL will be checked.
249
00:22:15,470 --> 00:22:19,538
The DHCP snooping table will not be checked.
250
00:22:19,538 --> 00:22:24,480
Usually we leave this setting as No, and as\n
251
00:22:24,480 --> 00:22:28,429
beyond the scope of the CCNA, so let’s keep going.
252
00:22:28,429 --> 00:22:32,710
Here you can see some statistics about how\n
253
00:22:34,109 --> 00:22:39,508
Notice 4 messages have been dropped, and all 4 are DHCP drops.
254
00:22:39,509 --> 00:22:43,691
That means messages dropped because there\n
255
00:22:44,691 --> 00:22:50,139
That’s because I tried to ping from SRV1\n
256
00:22:50,138 --> 00:22:54,250
However, here you can see 1 ACL permit.
257
00:22:54,250 --> 00:23:00,130
This is when SW2 permitted SRV1’s ARP message\n
258
00:23:00,130 --> 00:23:06,169
SRV1’s ARP request message was permitted and counted here.
259
00:23:06,169 --> 00:23:09,759
Here is a summary of the new commands we looked\n
260
00:23:09,759 --> 00:23:15,190
As always, go back in the video to review\n
261
00:23:15,190 --> 00:23:19,429
Also make sure to practice these commands\n
262
00:23:21,329 --> 00:23:26,730
Hands-on practice is an essential part of studying for the CCNA.
263
00:23:26,730 --> 00:23:30,329
Before moving on to the quiz, here’s a quick\n
264
00:23:30,329 --> 00:23:33,099
I introduced what Dynamic ARP Inspection is.
265
00:23:33,099 --> 00:23:39,029
It’s a switch security feature similar to\n
266
00:23:39,029 --> 00:23:41,230
then decides to forward or drop the message.
267
00:23:41,230 --> 00:23:47,240
I introduced how it works and what attacks\n
268
00:23:47,240 --> 00:23:50,440
can be used to perform a man-in-the-middle attack.
269
00:23:50,440 --> 00:23:56,558
I also showed you how to configure DAI, while\n
270
00:23:56,558 --> 00:24:01,808
Honestly, in this video I probably gave you\n
271
00:24:01,808 --> 00:24:07,490
know for the CCNA, but I’d rather give you\n
272
00:24:07,490 --> 00:24:11,649
Make sure to watch until the end of the quiz\n
273
00:24:11,648 --> 00:24:16,418
ExSim for CCNA, my recommended practice exams for the CCNA.
274
00:24:16,419 --> 00:24:21,120
Okay, let’s go to quiz question 1.
275
00:24:21,119 --> 00:24:25,829
You issue the IP ARP INSPECTION VLAN 1 command on SW1.
276
00:24:25,829 --> 00:24:30,710
Which of the following statements is true\n
277
00:24:30,710 --> 00:24:37,298
Pause the video now to select the correct answer.
278
00:24:37,298 --> 00:24:42,538
The answer is A, all interfaces in VLAN 1 are untrusted.
279
00:24:42,538 --> 00:24:48,589
Just like in DHCP snooping, when DAI is first\n
280
00:24:49,890 --> 00:24:54,120
So, to trust specific ports you’ll have\n
281
00:24:54,119 --> 00:24:58,278
Okay, let’s go to question 2.
282
00:24:58,278 --> 00:25:01,308
The following commands are configured on SW1.
283
00:25:01,308 --> 00:25:05,558
Which of the following statements is true\n
284
00:25:05,558 --> 00:25:09,759
Pause the video now to select the best answer.
285
00:25:09,759 --> 00:25:18,329
Okay, the answer is C, DAI validation is only\n
286
00:25:18,329 --> 00:25:23,428
When configuring these optional DAI validation\n
287
00:25:23,429 --> 00:25:26,009
configure them all in a single command.
288
00:25:26,009 --> 00:25:29,298
Otherwise, only the last command entered will take effect.
289
00:25:29,298 --> 00:25:34,618
Okay, let’s go to question 3.
290
00:25:34,618 --> 00:25:37,709
Which of the following are true about DAI rate limiting?
291
00:25:39,128 --> 00:25:44,459
Okay, pause the video now to select the two correct answers.
292
00:25:44,460 --> 00:25:52,700
Okay, the answers are B, it is enabled on\n
293
00:25:52,700 --> 00:25:56,538
at a rate of 15 packets per second by default.
294
00:25:56,538 --> 00:26:02,990
Unlike DHCP snooping rate limiting, for DAI\n
295
00:26:02,990 --> 00:26:07,298
per second on all untrusted ports by default.
296
00:26:07,298 --> 00:26:13,038
Another difference between DHCP snooping and\n
297
00:26:13,038 --> 00:26:19,788
burst interval, so the rate limit can be calculated\n
298
00:26:19,788 --> 00:26:24,908
DHCP snooping only allows you to configure\n
299
00:26:24,909 --> 00:26:28,769
Okay, let’s go to question 4.
300
00:26:28,769 --> 00:26:34,849
DAI inspects the sender IP and MAC addresses\n
301
00:26:37,159 --> 00:26:40,649
Which of the following does it check the sender\n
302
00:26:42,368 --> 00:26:46,609
Pause the video now to select the two correct answers.
303
00:26:46,609 --> 00:26:55,219
Okay, the answers are B, DHCP snooping binding\n
304
00:26:55,220 --> 00:27:01,079
When DHCP snooping is enabled, the DHCP snooping\n
305
00:27:01,079 --> 00:27:04,509
lease IP addresses from DHCP servers.
306
00:27:04,509 --> 00:27:08,610
So, DAI uses that table to check ARP messages.
307
00:27:08,609 --> 00:27:14,189
However, for hosts that don’t use DHCP,\n
308
00:27:19,819 --> 00:27:25,128
Which of the following commands limit ARP\n
309
00:27:26,788 --> 00:27:30,819
Pause the video now to select the correct answers.
310
00:27:30,819 --> 00:27:39,950
Okay, the answers are A, IP ARP INSPECTION\n
311
00:27:43,888 --> 00:27:49,528
Both of them will limit ARP messages received\n
312
00:27:49,528 --> 00:27:56,470
However, 45 packets over three seconds allows\n
313
00:27:56,470 --> 00:28:02,220
30 packets in 1 second, 10 packets the next\n
314
00:28:03,319 --> 00:28:08,918
However the 15 packets over 1 second setting\n
315
00:28:08,919 --> 00:28:11,100
the rate never goes over 15.
316
00:28:11,099 --> 00:28:13,988
Okay, that’s all for the quiz.
317
00:28:13,989 --> 00:28:22,819
Now let’s take a look at a bonus question\n