All language subtitles for Free-CCNA-Dynamic-ARP-Inspection-Day-51-CCNA-200-301-Complete-Course_en

1 00:00:04,480 --> 00:00:07,880 This is a free, complete course for the CCNA.
2 00:00:07,879 --> 00:00:11,789 If you like these videos, please subscribe
3 00:00:11,789 --> 00:00:16,649 Also, please like and leave a comment, and
4 00:00:19,530 --> 00:00:23,270 In this video we’ll cover Dynamic ARP Inspection.
5 00:00:23,269 --> 00:00:29,179 Dynamic ARP Inspection, also called DAI, is
6 00:00:29,179 --> 00:00:35,689 must be able to configure Layer 2 security
7 00:00:36,719 --> 00:00:42,119 We covered DHCP snooping and port security
8 00:00:45,460 --> 00:00:49,980 Dynamic ARP inspection is a security feature
9 00:00:49,979 --> 00:00:54,659 a similar manner to how DHCP snooping inspects DHCP messages.
10 00:00:54,659 --> 00:00:59,409 So, this video will follow a similar structure
11 00:00:59,409 --> 00:01:02,349 Here’s what we’ll cover in this video.
12 00:01:02,350 --> 00:01:05,530 First, what is dynamic ARP inspection?
13 00:01:05,530 --> 00:01:09,170 I’ll give a brief overview, and then introduce how it works.
14 00:01:09,170 --> 00:01:14,579 I’ll show you what attacks it can be used
15 00:01:14,578 --> 00:01:18,218 we look into more details of its operations.
16 00:01:18,218 --> 00:01:22,438 Watch until the end of the video for a bonus
17 00:01:22,438 --> 00:01:28,699 ExSim for CCNA, my recommended practice exams for the CCNA.
18 00:01:28,700 --> 00:01:32,879 Before dynamic ARP inspection, let’s quickly review ARP itself.
19 00:01:32,879 --> 00:01:38,358 ARP is used to learn the MAC address of another
20 00:01:38,358 --> 00:01:43,658 For example, a PC will use ARP to learn the
21 00:01:45,688 --> 00:01:50,098 It will also use ARP to learn the MAC address
22 00:01:50,099 --> 00:01:56,659 Typically it’s a two message exchange, consisting
23 00:01:58,959 --> 00:02:06,228 For example, PC1 wants to send a DNS query
24 00:02:06,228 --> 00:02:11,060 It thinks, 8.8.8.8 is outside of my local
25 00:02:13,280 --> 00:02:21,239 However, PC1 doesn’t know the MAC address
26 00:02:21,239 --> 00:02:27,640 So, it will broadcast this ARP request message,
27 00:02:27,639 --> 00:02:32,768 Every device in the LAN will receive the message,
28 00:02:32,769 --> 00:02:35,530 broadcast MAC address of all Fs.
29 00:02:35,530 --> 00:02:39,609 Let’s look at that ARP request in Wireshark.
30 00:02:39,609 --> 00:02:45,010 The ARP message is encapsulated in an Ethernet
31 00:02:45,009 --> 00:02:50,179 So, in the previous slide when I wrote ‘source
32 00:02:50,180 --> 00:02:55,680 message, I’m actually referring to these
33 00:02:55,680 --> 00:03:00,629 Specifically the sender IP address, which
34 00:03:00,628 --> 00:03:04,818 address, which is the destination IP address.
35 00:03:04,818 --> 00:03:09,539 ARP messages are only broadcast within the
36 00:03:09,539 --> 00:03:14,229 networks, so there’s no need to encapsulate
37 00:03:14,229 --> 00:03:20,858 Keep these fields in mind, sender MAC and
38 00:03:20,859 --> 00:03:25,600 they can play a role in the dynamic ARP inspection process.
39 00:03:25,599 --> 00:03:31,318 Because its IP address was in the ARP message’s
40 00:03:31,318 --> 00:03:38,119 an ARP reply to PC1 so that PC1 can learn
41 00:03:40,098 --> 00:03:46,259 Note that R1 also added an entry for PC1 in
42 00:03:46,259 --> 00:03:51,739 ARP request from PC1, so R1 doesn’t need
43 00:03:53,479 --> 00:03:57,340 Here’s that ARP reply in Wireshark.
44 00:03:57,340 --> 00:04:03,188 The sender IP and MAC fields are R1’s addresses,
45 00:04:05,299 --> 00:04:07,890 Pause the video if you want to check out the message.
46 00:04:07,889 --> 00:04:15,888 So, PC1 is now able to insert R1’s MAC address
47 00:04:15,889 --> 00:04:19,720 then send the message to R1 which will forward
48 00:04:19,720 --> 00:04:24,020 So, that’s the basic ARP process.
49 00:04:24,019 --> 00:04:28,180 But there is also something called gratuitous
50 00:04:29,180 --> 00:04:36,269 A gratuitous ARP message is an ARP reply that
51 00:04:36,269 --> 00:04:39,959 It is sent to the broadcast MAC address, all Fs.
52 00:04:39,959 --> 00:04:42,870 Note that standard ARP replies are not broadcast.
53 00:04:42,870 --> 00:04:48,750 They are unicast messages sent to the device
54 00:04:48,750 --> 00:04:52,930 Gratuitous ARP allows other devices on the
55 00:04:52,930 --> 00:04:58,728 the device that sent the gratuitous ARP, and
56 00:04:58,728 --> 00:05:04,019 This depends on the device maker, but some
57 00:05:04,019 --> 00:05:10,389 messages when an interface is enabled, IP
58 00:05:11,389 --> 00:05:16,639 So, for example if PC2’s network interface
59 00:05:16,639 --> 00:05:20,490 reply, and it is flooded in the local network.
60 00:05:20,490 --> 00:05:25,370 Now the other devices will add an ARP entry
61 00:05:25,370 --> 00:05:28,810 also add entries for PC2 in their MAC address tables.
62 00:05:28,810 --> 00:05:34,180 We’ll come back to the concept of gratuitous
63 00:05:35,839 --> 00:05:39,250 Okay, let’s move on to Dynamic ARP Inspection.
64 00:05:39,250 --> 00:05:44,310 DAI is a feature of switches that is used
65 00:05:47,649 --> 00:05:50,609 All other messages will be unaffected.
66 00:05:50,610 --> 00:05:54,870 Just like DHCP snooping, all ports are untrusted by default.
67 00:05:54,870 --> 00:06:00,689 Typically, all ports connected to other network
68 00:06:00,689 --> 00:06:06,228 should be configured as trusted, while interfaces
69 00:06:06,228 --> 00:06:11,969 So, in this network that means we should configure
70 00:06:13,839 --> 00:06:19,948 Now, SW2’s interface connected to SW1 could
71 00:06:19,949 --> 00:06:22,430 downlink leading toward the end hosts.
72 00:06:24,189 --> 00:06:29,269 In Cisco’s documentation they recommend
73 00:06:29,269 --> 00:06:34,779 routers, etc. are configured as trusted, so
74 00:06:34,779 --> 00:06:41,079 Here’s how DAI works, and you’ll see it’s
75 00:06:43,788 --> 00:06:49,039 Because it arrives on an untrusted port, SW1
76 00:06:49,040 --> 00:06:53,500 It determines the message is OK, so it forwards it to SW2.
77 00:06:53,500 --> 00:06:58,519 In this case SW2 doesn’t inspect it, because
78 00:06:58,519 --> 00:07:02,389 so it forwards it to R1, which sends the reply.
79 00:07:02,389 --> 00:07:09,500 This message isn’t inspected by SW2 or SW1,
80 00:07:09,500 --> 00:07:15,339 This time PC2 sends an ARP message, but SW1
81 00:07:15,339 --> 00:07:17,899 because it violates the rules of DAI.
82 00:07:17,899 --> 00:07:24,258 I’ll explain exactly how DAI determines
83 00:07:24,259 --> 00:07:26,848 let me show you an ARP-based attack.
84 00:07:26,848 --> 00:07:33,079 So, this is the ARP poisoning attack, which
85 00:07:33,079 --> 00:07:39,109 Similar to DHCP poisoning, ARP poisoning involves
86 00:07:39,110 --> 00:07:42,189 so traffic is sent to the attacker.
87 00:07:42,189 --> 00:07:48,979 To do this, the attacker can send gratuitous
88 00:07:48,978 --> 00:07:54,218 Another option is to send replies to the targets’
89 00:07:54,218 --> 00:07:57,529 use gratuitous ARP for this demonstration.
90 00:07:57,529 --> 00:08:01,978 Other devices will receive the gratuitous
91 00:08:01,978 --> 00:08:06,860 to send traffic to the attacker instead of
92 00:08:06,860 --> 00:08:12,780 For example, the attacker PC2 sends a GARP
93 00:08:14,930 --> 00:08:18,329 It is flooded through the network, and all devices receive it.
94 00:08:18,329 --> 00:08:26,469 So, they update their ARP tables to map PC2’s
95 00:08:26,470 --> 00:08:33,450 By the way, R1 doesn’t update its ARP table,
96 00:08:33,450 --> 00:08:40,379 Now, if PC1 wants to send this packet to an
97 00:08:40,379 --> 00:08:45,860 PC2 can save a copy of the message for future
98 00:08:47,940 --> 00:08:52,650 It’s possible that PC2 could also manipulate
99 00:08:52,649 --> 00:08:58,120 So, this is how ARP can be used to perform
100 00:08:58,120 --> 00:09:02,259 DHCP poisoning attack shown in the previous video.
101 00:09:02,259 --> 00:09:06,100 Now let’s see how DAI can protect against this kind of attack.
102 00:09:06,100 --> 00:09:10,700 First, here’s a summary of how DAI works.
103 00:09:10,700 --> 00:09:16,420 DAI inspects the sender MAC and sender IP
104 00:09:16,419 --> 00:09:21,819 ports and checks if there is a matching entry
105 00:09:21,820 --> 00:09:28,170 So, I showed you in the previous video that
106 00:09:28,169 --> 00:09:33,969 as you can see the MAC addresses and IP addresses
107 00:09:33,970 --> 00:09:40,660 So, DAI checks ARP messages and if there is
108 00:09:40,659 --> 00:09:43,019 the ARP message is forwarded normally.
109 00:09:44,740 --> 00:09:50,100 However, if there isn’t a matching entry
110 00:09:52,529 --> 00:09:58,029 Note that this check only occurs on untrusted
111 00:10:01,779 --> 00:10:07,789 However, just like in DHCP snooping all ports
112 00:10:07,789 --> 00:10:10,379 specify which ports are trusted.
113 00:10:10,379 --> 00:10:16,821 So, DAI operations are usually reliant on
114 00:10:18,350 --> 00:10:24,451 ARP ACLs can be manually configured to map
115 00:10:25,779 --> 00:10:29,500 This can be useful for hosts that don’t use DHCP.
116 00:10:29,500 --> 00:10:35,409 If they don’t use DHCP, they won’t have
117 00:10:35,409 --> 00:10:38,919 will just drop all ARP messages they try to send.
118 00:10:38,919 --> 00:10:42,569 You can configure ARP ACLs for these specific hosts.
119 00:10:42,570 --> 00:10:46,100 Or all hosts if you want, but that’s a lot of manual work.
120 00:10:46,100 --> 00:10:50,190 I’ll show you how to configure ARP ACLs later.
121 00:10:50,190 --> 00:10:55,830 In addition to the sender MAC and sender IP
122 00:10:55,830 --> 00:10:58,670 in-depth checks, but these are optional.
123 00:10:58,669 --> 00:11:01,569 I’ll briefly introduce them later.
124 00:11:01,570 --> 00:11:07,770 And like DHCP snooping, DAI also supports
125 00:11:09,539 --> 00:11:16,389 I didn’t mention this in the last video,
126 00:11:18,309 --> 00:11:23,049 So, even if the attacker’s messages are
127 00:11:23,049 --> 00:11:26,659 CPU by sending a ton of ARP messages.
128 00:11:26,659 --> 00:11:31,360 If the attacker tries to do that, rate limiting
129 00:11:34,850 --> 00:11:38,210 Now let’s move on to DAI configuration.
130 00:11:38,210 --> 00:11:42,650 First up, the basic commands to enable it
131 00:11:42,649 --> 00:11:50,439 First, use IP ARP INSPECTION VLAN, followed
132 00:11:50,440 --> 00:11:53,220 In this network I’m using VLAN 1 only.
133 00:11:53,220 --> 00:11:58,480 However, if there are multiple VLANs, you
134 00:11:58,480 --> 00:12:05,659 If you don’t, only ARP messages in the specified
135 00:12:05,659 --> 00:12:12,980 Then I configured SW2’s G0/0 and G0/1 interfaces
136 00:12:14,169 --> 00:12:20,759 And that’s it, those are the basic commands
137 00:12:20,759 --> 00:12:26,429 Then I did the same configurations on SW1,
138 00:12:26,429 --> 00:12:33,599 Now, you might have noticed a difference between
139 00:12:33,600 --> 00:12:41,360 DHCP requires two commands to enable it, IP
140 00:12:41,360 --> 00:12:45,210 So, enable it globally and then enable it per VLAN.
141 00:12:45,210 --> 00:12:50,971 DAI is different, you only have to enable
142 00:12:52,610 --> 00:12:56,710 Honestly I’m not sure the reason for this
143 00:12:56,710 --> 00:13:03,700 Okay let’s check out one of the DAI show
144 00:13:03,700 --> 00:13:07,950 First, you can see the trust state of each interface.
145 00:13:07,950 --> 00:13:12,650 On SW1 only G0/0 is trusted, as I configured.
146 00:13:12,649 --> 00:13:16,340 This column shows us the DAI rate limiting settings.
147 00:13:16,340 --> 00:13:23,070 There are a few differences between DHCP snooping
148 00:13:23,070 --> 00:13:27,730 DAI rate limiting is enabled on untrusted
149 00:13:27,730 --> 00:13:32,670 per second, but it is disabled on trusted ports by default.
150 00:13:32,669 --> 00:13:38,079 In the case of DHCP snooping, rate limiting
151 00:13:40,700 --> 00:13:43,580 And this column shows us one more difference.
152 00:13:43,580 --> 00:13:47,320 DHCP snooping rate limiting is configured like this.
153 00:13:49,309 --> 00:13:54,379 However DAI has a feature called the burst
154 00:13:54,379 --> 00:13:57,809 limiting like X packets per Y seconds.
155 00:13:57,809 --> 00:14:02,349 So, the interval being measured doesn’t
156 00:14:02,350 --> 00:14:06,700 flexibility with how you can control the rate
157 00:14:06,700 --> 00:14:12,930 Okay, since I just brought up DAI rate limiting
158 00:14:12,929 --> 00:14:16,879 Let’s configure DAI rate limiting on SW1.
159 00:14:16,879 --> 00:14:25,600 First, on G0/1 and 2 I used IP ARP INSPECTION
160 00:14:25,600 --> 00:14:29,009 then BURST INTERVAL 2, that means 2 seconds.
161 00:14:29,009 --> 00:14:36,379 So, I changed the rate from 15 packets per
162 00:14:36,379 --> 00:14:38,919 Note that the burst interval is optional.
163 00:14:38,919 --> 00:14:42,509 If you don’t specify it, the default is 1 second.
164 00:14:42,509 --> 00:14:49,110 To demonstrate, on G0/3 I configured IP ARP
165 00:14:51,100 --> 00:14:53,420 And here you can see the results.
166 00:14:53,419 --> 00:15:00,879 For G0/1 and 2 it’s 25 packets per 2 seconds,
167 00:15:00,879 --> 00:15:05,549 So, that’s how DAI rate limiting is configured.
168 00:15:05,549 --> 00:15:11,909 If ARP messages are received faster than the
169 00:15:11,909 --> 00:15:16,969 Let me emphasize that, rate limiting limits
170 00:15:16,970 --> 00:15:19,950 an interface, not sent by an interface.
171 00:15:19,950 --> 00:15:26,110 Anyway, interfaces disabled by ARP inspection
172 00:15:26,110 --> 00:15:30,690 NO SHUTDOWN on the interface, or with err-disable recovery.
173 00:15:30,690 --> 00:15:35,410 The command is ERRDISABLE RECOVERY CAUSE ARP-INSPECTION.
174 00:15:35,409 --> 00:15:40,750 I configured err-disable recovery on SW1,
175 00:15:42,669 --> 00:15:47,169 Okay, that’s all for DAI rate limiting.
176 00:15:47,169 --> 00:15:51,079 Now let me introduce those additional checks I mentioned before.
177 00:15:51,080 --> 00:15:56,020 By default, DAI checks the sender MAC and
178 00:15:56,019 --> 00:15:59,850 entry in the DHCP snooping binding table or not.
179 00:15:59,850 --> 00:16:05,370 However, additional checks can be performed
180 00:16:06,440 --> 00:16:11,360 The three options are destination MAC, IP, and source MAC.
181 00:16:12,899 --> 00:16:18,509 I think Cisco’s explanations are quite straightforward
182 00:16:20,730 --> 00:16:25,080 Destination MAC validates ARP responses by
183 00:16:25,080 --> 00:16:29,670 Ethernet header against the target MAC address
184 00:16:29,669 --> 00:16:32,069 If they are different, the frame is dropped.
185 00:16:32,070 --> 00:16:37,860 IP validation looks for invalid or unexpected
186 00:16:37,860 --> 00:16:47,419 ARP messages, such as 0.0.0.0, 255.255.255.255,
187 00:16:47,419 --> 00:16:52,659 These IP addresses shouldn’t belong to a
188 00:16:52,659 --> 00:16:57,719 The sender IP address is checked in both ARP
189 00:16:57,720 --> 00:17:01,120 IP address is checked only in ARP replies.
190 00:17:01,120 --> 00:17:06,740 Finally, source MAC validation checks the
191 00:17:06,740 --> 00:17:09,548 it to the sender MAC in the ARP message.
192 00:17:09,548 --> 00:17:14,349 If they don’t match, the message is considered
193 00:17:14,349 --> 00:17:19,198 To clarify those, here is that ARP reply message
194 00:17:19,199 --> 00:17:23,298 These validation checks look at the source
195 00:17:23,298 --> 00:17:27,859 header, and also at these fields in the ARP message itself.
196 00:17:27,859 --> 00:17:32,639 In this case, the source and destination in
197 00:17:32,640 --> 00:17:37,610 MAC addresses in the ARP message, so the message
198 00:17:39,759 --> 00:17:44,378 The sender and target IP addresses in the
199 00:17:46,589 --> 00:17:50,829 Note that these checks are done in addition
200 00:17:50,829 --> 00:17:56,439 the sender MAC and IP addresses and compares
201 00:17:56,440 --> 00:18:01,259 So, if these checks are configured an ARP
202 00:18:03,089 --> 00:18:08,058 There’s an important point to mention about
203 00:18:08,058 --> 00:18:16,309 I configured, in order, IP ARP INSPECTION
204 00:18:16,309 --> 00:18:19,559 checked with SHOW RUN | INCLUDE VALIDATE.
205 00:18:19,559 --> 00:18:22,839 So, what do you think was displayed?
206 00:18:22,839 --> 00:18:26,319 Only VALIDATE SRC-MAC was displayed.
207 00:18:26,319 --> 00:18:32,288 First I configured VALIDATE DST-MAC, but when
208 00:18:34,288 --> 00:18:38,589 Then when I configured VALIDATE SRC-MAC, it overwrote IP.
209 00:18:38,589 --> 00:18:43,329 So, if you want to enable all three checks,
210 00:18:43,329 --> 00:18:47,928 IP ARP INSPECTION VALIDATE IP SRC-MAC DST-MAC.
211 00:18:47,929 --> 00:18:52,679 I checked again, and now you can see all three.
212 00:18:52,679 --> 00:18:58,059 To summarize, you must enter all of the validation
213 00:18:58,058 --> 00:19:03,490 You can specify one, two, or all three, and
214 00:19:04,490 --> 00:19:08,500 Okay, those are the optional validation checks
215 00:19:08,500 --> 00:19:11,909 Now there is one more topic I want to cover, ARP ACLs.
216 00:19:11,909 --> 00:19:17,820 Now, I’m pretty sure the topic of ARP ACLs
217 00:19:19,319 --> 00:19:25,079 So, I will just give a quick example of how
218 00:19:25,079 --> 00:19:27,689 I won’t go into the details here.
219 00:19:27,690 --> 00:19:31,278 Here is SW2’s DHCP snooping binding table.
220 00:19:31,278 --> 00:19:39,789 SRV1 has a static IP address, 192.168.1.100,
221 00:19:41,119 --> 00:19:46,058 So, what will happen when SRV1 tries to send an ARP request?
222 00:19:46,058 --> 00:19:49,129 It will be dropped, with an error message like this.
223 00:19:49,130 --> 00:19:53,820 It says 1 invalid ARP request on G0/2 in VLAN1.
224 00:19:53,819 --> 00:19:59,849 That’s because SRV1 doesn’t have an entry
225 00:19:59,849 --> 00:20:04,808 So, to fix this let’s configure an ARP ACL to permit SRV1.
226 00:20:07,700 --> 00:20:13,048 ARP ACCESS-LIST, followed by a name, to create the ARP ACL.
227 00:20:13,048 --> 00:20:22,200 Then I configured PERMIT IP HOST 192.168.1.100
228 00:20:22,200 --> 00:20:29,058 But, creating the ARP ACL alone doesn’t
229 00:20:29,058 --> 00:20:37,000 The command is IP ARP INSPECTION FILTER, the
230 00:20:37,000 --> 00:20:41,259 Okay, we created the ARP ACL and then applied it.
231 00:20:41,259 --> 00:20:47,029 This time when SRV1 tries to send an ARP request,
232 00:20:47,029 --> 00:20:49,509 in the DHCP snooping binding table.
233 00:20:49,509 --> 00:20:53,298 That’s because of the ARP ACL we configured.
234 00:20:53,298 --> 00:20:59,308 Here’s one last show command before we finish,
235 00:20:59,308 --> 00:21:04,500 It gives a summary of the DAI configuration
236 00:21:04,500 --> 00:21:07,190 have been forwarded and dropped.
237 00:21:07,190 --> 00:21:10,950 Let me just point out a few fields, you don’t
238 00:21:10,950 --> 00:21:17,679 First, notice that source MAC, destination
239 00:21:17,679 --> 00:21:23,230 I enabled them on SW1 before, but I enabled them on SW2 also.
240 00:21:23,230 --> 00:21:30,089 Here we can see that DAI is configured and
241 00:21:31,569 --> 00:21:37,230 Now, this is a detail beyond the scope of
242 00:21:38,730 --> 00:21:46,149 If static ACL is set to yes, the implicit
243 00:21:46,148 --> 00:21:51,829 Like regular IP ACLs, ARP ACLs also have an implicit deny.
244 00:21:51,829 --> 00:21:55,849 But if you don’t enable the static setting,
245 00:21:55,849 --> 00:22:02,349 I didn’t configure it as a static ACL, so
246 00:22:02,349 --> 00:22:05,699 But what will happen if the implicit deny takes effect?
247 00:22:05,700 --> 00:22:10,870 It will cause all ARP messages not permitted
248 00:22:10,869 --> 00:22:15,469 So, in effect this means that only the ARP ACL will be checked.
249 00:22:15,470 --> 00:22:19,538 The DHCP snooping table will not be checked.
250 00:22:19,538 --> 00:22:24,480 Usually we leave this setting as No, and as
251 00:22:24,480 --> 00:22:28,429 beyond the scope of the CCNA, so let’s keep going.
252 00:22:28,429 --> 00:22:32,710 Here you can see some statistics about how
253 00:22:34,109 --> 00:22:39,508 Notice 4 messages have been dropped, and all 4 are DHCP drops.
254 00:22:39,509 --> 00:22:43,691 That means messages dropped because there
255 00:22:44,691 --> 00:22:50,139 That’s because I tried to ping from SRV1
256 00:22:50,138 --> 00:22:54,250 However, here you can see 1 ACL permit.
257 00:22:54,250 --> 00:23:00,130 This is when SW2 permitted SRV1’s ARP message
258 00:23:00,130 --> 00:23:06,169 SRV1’s ARP request message was permitted and counted here.
259 00:23:06,169 --> 00:23:09,759 Here is a summary of the new commands we looked
260 00:23:09,759 --> 00:23:15,190 As always, go back in the video to review
261 00:23:15,190 --> 00:23:19,429 Also make sure to practice these commands
262 00:23:21,329 --> 00:23:26,730 Hands-on practice is an essential part of studying for the CCNA.
263 00:23:26,730 --> 00:23:30,329 Before moving on to the quiz, here’s a quick
264 00:23:30,329 --> 00:23:33,099 I introduced what Dynamic ARP Inspection is.
265 00:23:33,099 --> 00:23:39,029 It’s a switch security feature similar to
266 00:23:39,029 --> 00:23:41,230 then decides to forward or drop the message.
267 00:23:41,230 --> 00:23:47,240 I introduced how it works and what attacks
268 00:23:47,240 --> 00:23:50,440 can be used to perform a man-in-the-middle attack.
269 00:23:50,440 --> 00:23:56,558 I also showed you how to configure DAI, while
270 00:23:56,558 --> 00:24:01,808 Honestly, in this video I probably gave you
271 00:24:01,808 --> 00:24:07,490 know for the CCNA, but I’d rather give you
272 00:24:07,490 --> 00:24:11,649 Make sure to watch until the end of the quiz
273 00:24:11,648 --> 00:24:16,418 ExSim for CCNA, my recommended practice exams for the CCNA.
274 00:24:16,419 --> 00:24:21,120 Okay, let’s go to quiz question 1.
275 00:24:21,119 --> 00:24:25,829 You issue the IP ARP INSPECTION VLAN 1 command on SW1.
276 00:24:25,829 --> 00:24:30,710 Which of the following statements is true
277 00:24:30,710 --> 00:24:37,298 Pause the video now to select the correct answer.
278 00:24:37,298 --> 00:24:42,538 The answer is A, all interfaces in VLAN 1 are untrusted.
279 00:24:42,538 --> 00:24:48,589 Just like in DHCP snooping, when DAI is first
280 00:24:49,890 --> 00:24:54,120 So, to trust specific ports you’ll have
281 00:24:54,119 --> 00:24:58,278 Okay, let’s go to question 2.
282 00:24:58,278 --> 00:25:01,308 The following commands are configured on SW1.
283 00:25:01,308 --> 00:25:05,558 Which of the following statements is true
284 00:25:05,558 --> 00:25:09,759 Pause the video now to select the best answer.
285 00:25:09,759 --> 00:25:18,329 Okay, the answer is C, DAI validation is only
286 00:25:18,329 --> 00:25:23,428 When configuring these optional DAI validation
287 00:25:23,429 --> 00:25:26,009 configure them all in a single command.
288 00:25:26,009 --> 00:25:29,298 Otherwise, only the last command entered will take effect.
289 00:25:29,298 --> 00:25:34,618 Okay, let’s go to question 3.
290 00:25:34,618 --> 00:25:37,709 Which of the following are true about DAI rate limiting?
291 00:25:39,128 --> 00:25:44,459 Okay, pause the video now to select the two correct answers.
292 00:25:44,460 --> 00:25:52,700 Okay, the answers are B, it is enabled on
293 00:25:52,700 --> 00:25:56,538 at a rate of 15 packets per second by default.
294 00:25:56,538 --> 00:26:02,990 Unlike DHCP snooping rate limiting, for DAI
295 00:26:02,990 --> 00:26:07,298 per second on all untrusted ports by default.
296 00:26:07,298 --> 00:26:13,038 Another difference between DHCP snooping and
297 00:26:13,038 --> 00:26:19,788 burst interval, so the rate limit can be calculated
298 00:26:19,788 --> 00:26:24,908 DHCP snooping only allows you to configure
299 00:26:24,909 --> 00:26:28,769 Okay, let’s go to question 4.
300 00:26:28,769 --> 00:26:34,849 DAI inspects the sender IP and MAC addresses
301 00:26:37,159 --> 00:26:40,649 Which of the following does it check the sender
302 00:26:42,368 --> 00:26:46,609 Pause the video now to select the two correct answers.
303 00:26:46,609 --> 00:26:55,219 Okay, the answers are B, DHCP snooping binding
304 00:26:55,220 --> 00:27:01,079 When DHCP snooping is enabled, the DHCP snooping
305 00:27:01,079 --> 00:27:04,509 lease IP addresses from DHCP servers.
306 00:27:04,509 --> 00:27:08,610 So, DAI uses that table to check ARP messages.
307 00:27:08,609 --> 00:27:14,189 However, for hosts that don’t use DHCP,
308 00:27:19,819 --> 00:27:25,128 Which of the following commands limit ARP
309 00:27:26,788 --> 00:27:30,819 Pause the video now to select the correct answers.
310 00:27:30,819 --> 00:27:39,950 Okay, the answers are A, IP ARP INSPECTION
311 00:27:43,888 --> 00:27:49,528 Both of them will limit ARP messages received
312 00:27:49,528 --> 00:27:56,470 However, 45 packets over three seconds allows
313 00:27:56,470 --> 00:28:02,220 30 packets in 1 second, 10 packets the next
314 00:28:03,319 --> 00:28:08,918 However the 15 packets over 1 second setting
315 00:28:08,919 --> 00:28:11,100 the rate never goes over 15.
316 00:28:11,099 --> 00:28:13,988 Okay, that’s all for the quiz.
317 00:28:13,989 --> 00:28:22,819 Now let’s take a look at a bonus question
