Which configuration provides dynamic ARP inspection on access port ge-0/0/0?

A.
secure-access-port {
    interface ge-0/0/0.0 {
        dhcp-trusted;
    }
    vlan vlan10 {
        arp-inspection;
        examine-dhcp;
    }
}

B.
secure-access-port {
    interface ge-0/0/0.0 {
        dhcp-trusted;
    }
    vlan vlan10 {
        dynamic-arp-inspection;
    }
}

C.
secure-access-port {
    interface ge-0/0/0.0 {
        no-dhcp-trusted;
    }
    vlan vlan10 {
        dynamic-arp-inspection;
        examine-dhcp;
    }
}

D.
secure-access-port {
    interface ge-0/0/0.0 {
        static-ip 255.255.255.255
    }
    vlan vlan10 {
        arp-inspection;
    }
}

Explanation:
Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial-of-service (DoS) attacks against network devices. The dynamic ARP inspection (DAI) feature on EX Series switches prevents ARP spoofing attacks: ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. The information below describes the DAI feature and the CLI statements that enable it.

Solution:
The DAI feature on EX Series switches examines ARP requests and responses on the LAN and validates ARP packets. The switch intercepts ARP packets from an access port and validates them against the DHCP snooping database. If no IP-MAC entry in the database corresponds to the information in the ARP packet, DAI drops the ARP packet and the local ARP cache is not updated with the information in that packet. DAI also drops ARP packets when the IP address in the packet is invalid. Junos OS for EX Series switches applies DAI to ARP packets received on access ports, because these ports are untrusted by default. Trunk ports are trusted by default, so ARP packets bypass DAI on them.
You configure DAI for each VLAN, not for each interface (port). By default, DAI is disabled for all VLANs. You can set an interface to be trusted for ARP packets by configuring dhcp-trusted on that interface; ARP packets arriving on a trusted interface bypass the DAI check. When a network device sends ARP queries directed to the switch it is connected to, the queries are broadcast on the VLAN, and the ARP responses to those queries are subjected to the DAI check. For DAI, all ARP packets are trapped to the Routing Engine. To prevent CPU overloading, ARP packets destined for the Routing Engine are rate-limited. If the DHCP server goes down and the lease time for an IP-MAC entry expires, ARP packets that previously matched that entry are blocked.
To set an interface as trusted for ARP packets (ARP packets received on a trusted interface bypass the DAI check):
[edit ethernet-switching-options]
user@switch# show
secure-access-port {
    interface ge-0/0/20.0 {
        dhcp-trusted;
    }
}

To configure DAI on a VLAN (DAI is enabled per VLAN, not per interface):
[edit ethernet-switching-options]
user@switch# show
secure-access-port {
    vlan <vlan-name> {
        arp-inspection;
    }
}
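A complete configuration that puts the pieces of the Solution together, as an added example that is not from the original page or from Juniper's documentation. It uses the page's non-ELS hierarchy and assumes vlan10 carries VLAN ID 10, ge-0/0/0 is the host-facing access port (left untrusted so DAI inspects it), and ge-0/0/47 is a trunk uplink toward the DHCP server (marked dhcp-trusted). The interface and VLAN-ID values are assumptions for illustration.

```junos
## Added example, not from the original page. Assumed: vlan10 = VLAN ID 10,
## ge-0/0/0 = host-facing access port, ge-0/0/47 = trunk uplink to the DHCP server.
[edit]
user@switch# set vlans vlan10 vlan-id 10
user@switch# set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
user@switch# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan10
user@switch# set interfaces ge-0/0/47 unit 0 family ethernet-switching port-mode trunk
user@switch# set interfaces ge-0/0/47 unit 0 family ethernet-switching vlan members vlan10

## DHCP snooping builds the IP-MAC binding table that DAI validates ARP packets against.
user@switch# set ethernet-switching-options secure-access-port vlan vlan10 examine-dhcp
## DAI is a per-VLAN statement; there is no per-interface arp-inspection.
user@switch# set ethernet-switching-options secure-access-port vlan vlan10 arp-inspection
## Trust only the uplink that carries the legitimate DHCP server's traffic. A trusted
## interface also bypasses DAI, so the host-facing access port must not be trusted.
user@switch# set ethernet-switching-options secure-access-port interface ge-0/0/47.0 dhcp-trusted
## ge-0/0/0.0 intentionally has no dhcp-trusted statement: access ports are untrusted
## by default, so ARP packets from the host are checked against the snooping database.
user@switch# commit

## Verification: bindings learned from DHCP, and ARP pass/fail counters per interface.
user@switch> show dhcp snooping binding
user@switch> show arp inspection statistics
```

Two checks are worth making after the commit: show dhcp snooping binding must list the host's IP-MAC pair before its ARP replies can pass, and a rising failed counter for ge-0/0/0.0 in show arp inspection statistics indicates either a spoofing attempt or a host with a static address that never obtained a DHCP lease and therefore has no snooping entry. If a trunk must be inspected, no-dhcp-trusted on that interface overrides the default trust. On EX switches running an ELS-based Junos release the hierarchy differs (arp-inspection sits under vlans <vlan-name> forwarding-options dhcp-security), so confirm the release before pasting these statements.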



Kevin

It should be answer C.
If you indicate an interface with dhcp-trusted, it marks that interface as trusted and bypasses ARP inspection.

Jonathan

Totally agree, but what is wrong with C is that “dynamic-arp-inspection” does not exist. It should be just “arp-inspection”.

So both A and C are incorrect and correct at the same time.

They should correct C by replacing “dynamic-arp-inspection” with “arp-inspection”, then C would be correct,

or

They should correct A by replacing “dhcp-trusted” with “no-dhcp-trusted” and then A would be correct.