Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
exam questions

Exam 350-701 All Questions

View all questions & answers for the 350-701 exam

Exam 350-701 topic 1 question 87 discussion

Actual exam question from Cisco's 350-701
Question #: 87
Topic #: 1
[All 350-701 Questions]

A network administrator configures Dynamic ARP Inspection on a switch. After Dynamic ARP Inspection is applied, all users on that switch are unable to communicate with any destination. The network administrator checks the Interface status of all interfaces, and there is no err-disabled interface. What is causing this problem?

  • A. DHCP snooping has not been enabled on all VLANs
  • B. Dynamic ARP inspection has not been enabled on all VLANs
  • C. The ip arp inspection limit command is applied on all interfaces and is blocking the traffic of all users
  • D. The no ip arp inspection trust command is applied on all user host interfaces
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Jeeves69
Highly Voted 3 years, 7 months ago
The correct answer should be A. DHCP Snooping has not been enabled on all VLANs. DHCP Snooping is a prerequisite for Dynamic ARP Inspection (DAI). When DHCP Snooping is enabled the 'no ip arp inspection trust' command only ensures that DAI will do its job, blocking invalid traffic.
upvoted 22 times
...
brownbear505
Highly Voted 2 years, 8 months ago
Selected Answer: A
DAI requires DHCP Snooping
upvoted 7 times
...
xziomal9
Most Recent 1 year ago
Answe D
upvoted 1 times
...
DWizard
1 year, 4 months ago
Selected Answer: D
The right answer is D. DAI can obtain its IP-MAC information from DHCP snooping or from ACLs statically configured by the admin, it could work without DHCP snooping, however, by default all the interfaces become untrusted, and you have to manually set the "no ip arp inspection trust" command on interfaces connecting to other switches, even if those switches do not support DAI, so the answer is D. You can read this, it's carefully explained: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html
upvoted 1 times
...
webwalker00
1 year, 5 months ago
Selected Answer: A
DHCP snooping is required for DAI.
upvoted 2 times
...
achille5
1 year, 8 months ago
Selected Answer: D
no err-disabled interfaces indicates that the problem may not be related to a physical or link-level issue, which could be the case with DHCP snooping misconfiguration. Likely option D as the cause of the problem.
upvoted 1 times
...
amtf8888
1 year, 10 months ago
Selected Answer: A
a is correct
upvoted 1 times
...
sis_net_sec
2 years, 1 month ago
Selected Answer: A
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr- i1.html#wp2458863701 the command "no ip arp inspection trust" means the port is not trusted in DAI. This means that it will inspect packets from the port for appropriate entries in the DHCP Snooping table. This is the default state. https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multiboo k/configuration_guide/b_consolidated_config_guide_3850_chapter_0110111.html err-disable on a port due to DAI comes from exceeding a rate limit.
upvoted 1 times
...
jaciro11
2 years, 11 months ago
In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check. It is unnecessary to perform a validation at any other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection trust interface configuration command. Answer is D
upvoted 1 times
...
birdman6709
3 years, 2 months ago
I think the issue here is the wording, the question is looking for what is causing the problem. With 'no ip arp inspection trust' enabled on all user ports, the switch is intercepting the ARP request and responses, and if there is no valid IP-to-MAC binding, the traffic is dropped and logged. So I think the answer should be D based on that.
upvoted 1 times
birdman6709
3 years, 2 months ago
I take that back actually, the answer is A. Since all the ports are untrusted anyways, as soon as DAI is enabled without DHCP snooping, they would drop since there is no IP-to-MAC binding. Adding the DHCP snooing in this case would fix the issue.
upvoted 6 times
...
...
zap_pap
3 years, 3 months ago
The answer is D. It is tricky "no ip apr inspection trust" -> Trust removed from all interfaces -> Interfaces disabled.
upvoted 1 times
...
jshow
3 years, 4 months ago
Its A Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.
upvoted 4 times
...
Dinges
3 years, 4 months ago
A NOT NECESSARILY TRUE: DHCP snooping is not REQUIRED, when ARP ACLs are configured. Also not enabling DHCP snooping only on some vlans would not cause ALL users, connected to the switch being unable to communicate. B NOT TRUE Not enabling DAI on a VLAN simply exempts the VLAN from DAI, it will not block traffic C TRUE: Rate-limit exceed can put the interface in err-disabled state. Even if its not configured by admin; it is set at 15 ARP pps by default, but admin could have configured it with even lower limit, or an actual DOS attack has occured. D NOT TRUE: No ip arp inspection trust command MUST be applied on all user HOST interfaces. Only ports leading to the DHCP server should be set as trusted (EXCEPT if the upstream switch does not have DAI enabled, then leave it as untrusted and apply ARP ACLs locally). https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html
upvoted 1 times
Dinges
3 years, 4 months ago
CORRECTION: The question explicitly mentions that no interface is in err-disabled state, so C cannot be the correct answer. D is not the cause: Packets arriving on trusted interfaces bypass all DAI validation checks, while those arriving on untrusted interfaces go through the DAI validation process. So, to me, that leaves on A as a possible answer. Im going with A
upvoted 6 times
...
...
FN21
3 years, 6 months ago
D is correct. DHCP snooping is not a prerequisite for Dynamic ARP. The question is tricky though. Since it doesn't mention about configuring DHCP snooping, issuing the "no ip apr inspection trust" command surely will kill all connections. All interfaces have become untrusted and Dynamic ARP doesn't have a DHCP snooping database to compare to.
upvoted 3 times
statikd
3 years, 4 months ago
Wrong. All switch ports connected to hosts should be untrusted. The only trusted ports should be ports connected to other switches. By default switch ports are untrusted. DHCP snooping works in conjunction with Dynamic ARP inspection. The answer is A
upvoted 3 times
...
...
dansecu
3 years, 6 months ago
Jeeves69 provided correct answer. it is A DHCP Snooping should be enable globaly and on VLANs. The IP-MAC pair is checed by DAI in DHCP database. Answer D is related to hosts interfaces and they should be always untrusted.
upvoted 3 times
...
thefiresays
3 years, 7 months ago
D is correct. By default all interfaces will be untrusted. You must have trusted interfaces facing other network devices. Interfaces connected to hosts are untrusted and will validate DHCP table bindings to decide whether to forward/drop. What Jeeves wrote is true. But not enabling DHCP snooping would not break connectivity.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...