Exam 350-701 topic 1 question 87 discussion

The correct answer should be A. DHCP Snooping has not been enabled on all VLANs. DHCP Snooping is a prerequisite for Dynamic ARP Inspection (DAI). When DHCP Snooping is enabled the 'no ip arp inspection trust' command only ensures that DAI will do its job, blocking invalid traffic.

DAI requires DHCP Snooping

Answe D

The right answer is D. DAI can obtain its IP-MAC information from DHCP snooping or from ACLs statically configured by the admin, it could work without DHCP snooping, however, by default all the interfaces become untrusted, and you have to manually set the "no ip arp inspection trust" command on interfaces connecting to other switches, even if those switches do not support DAI, so the answer is D. You can read this, it's carefully explained: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html

DHCP snooping is required for DAI.

no err-disabled interfaces indicates that the problem may not be related to a physical or link-level issue, which could be the case with DHCP snooping misconfiguration. Likely option D as the cause of the problem.

a is correct

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr/command/ipaddr-cr-book/ipaddr- i1.html#wp2458863701 the command "no ip arp inspection trust" means the port is not trusted in DAI. This means that it will inspect packets from the port for appropriate entries in the DHCP Snooping table. This is the default state. https://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/multiboo k/configuration_guide/b_consolidated_config_guide_3850_chapter_0110111.html err-disable on a port due to DAI comes from exceeding a rate limit.

In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check. It is unnecessary to perform a validation at any other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection trust interface configuration command. Answer is D

I think the issue here is the wording, the question is looking for what is causing the problem. With 'no ip arp inspection trust' enabled on all user ports, the switch is intercepting the ARP request and responses, and if there is no valid IP-to-MAC binding, the traffic is dropped and logged. So I think the answer should be D based on that.

The answer is D. It is tricky "no ip apr inspection trust" -> Trust removed from all interfaces -> Interfaces disabled.

Its A Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.

A NOT NECESSARILY TRUE: DHCP snooping is not REQUIRED, when ARP ACLs are configured. Also not enabling DHCP snooping only on some vlans would not cause ALL users, connected to the switch being unable to communicate. B NOT TRUE Not enabling DAI on a VLAN simply exempts the VLAN from DAI, it will not block traffic C TRUE: Rate-limit exceed can put the interface in err-disabled state. Even if its not configured by admin; it is set at 15 ARP pps by default, but admin could have configured it with even lower limit, or an actual DOS attack has occured. D NOT TRUE: No ip arp inspection trust command MUST be applied on all user HOST interfaces. Only ports leading to the DHCP server should be set as trusted (EXCEPT if the upstream switch does not have DAI enabled, then leave it as untrusted and apply ARP ACLs locally). https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html

D is correct. DHCP snooping is not a prerequisite for Dynamic ARP. The question is tricky though. Since it doesn't mention about configuring DHCP snooping, issuing the "no ip apr inspection trust" command surely will kill all connections. All interfaces have become untrusted and Dynamic ARP doesn't have a DHCP snooping database to compare to.

Jeeves69 provided correct answer. it is A DHCP Snooping should be enable globaly and on VLANs. The IP-MAC pair is checed by DAI in DHCP database. Answer D is related to hosts interfaces and they should be always untrusted.

D is correct. By default all interfaces will be untrusted. You must have trusted interfaces facing other network devices. Interfaces connected to hosts are untrusted and will validate DHCP table bindings to decide whether to forward/drop. What Jeeves wrote is true. But not enabling DHCP snooping would not break connectivity.