Which configuration provides dynamic ARP inspection on access port ge-0/0/0?

A.
secure-access-port {
    interface ge-0/0/0.0 {
        dhcp-trusted;
    }
    vlan vlan10 {
        arp-inspection;
        examine-dhcp;
    }

B.
secure-access-port {
    interface ge-0/0/0.0 {
        dhcp-trusted;
    }
    vlan vlan10 {
        dynamic-arp-inspection;
    }

C.
secure-access-port {
    interface ge-0/0/0.0 {
        no-dhcp-trusted;
    }
    vlan vlan10 {
        dynamic-arp-inspection;
        examine-dhcp;
    }

D.
secure-access-port {
    interface ge-0/0/0.0 {
        static-ip 255.255.255.255
    }
    vlan vlan10 {
        arp-inspection;
    }

In my opinion, the answer should be C, because the dhcp-trusted option switches off dhcp-snooping and DAI on the interface.
See: http://www.juniper.net/documentation/en_US/junos14.2/topics/concept/port-security-dynamic-arp-inspection.html
Read closer: DAI is set at the VLAN level. dhcp-trusted simply means that a port is trusted:
DAI examines ARP requests and responses on the LAN and validates ARP packets. The switch intercepts ARP packets from an access port and validates them against the DHCP snooping database. If no IP-MAC entry in the database corresponds to the information in the ARP packet, DAI drops the ARP packet and the local ARP cache is not updated with the information in that packet. DAI also drops ARP packets when the IP address in the packet is invalid. ARP probe packets are not subjected to dynamic ARP inspection. The switch always forwards such packets.
Junos OS for EX Series switches and the QFX Series uses DAI for ARP packets received on access ports because these ports are untrusted by default. Trunk ports are trusted by default, and therefore ARP packets bypass DAI on them.
You configure DAI for each VLAN, not for each interface (port). By default, DAI is disabled for all VLANs. <VLAN
If you set an interface to be a DHCP trusted port, it is also trusted for ARP packets.
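The forwarding decision described in the documentation text quoted above, modelled as an added example (not Junos code and not part of any comment in this thread). The names `Arp`, `dai_verdict`, `DAI_VLANS`, `TRUSTED_PORTS` and `SNOOPING_DB`, the trunk port `ge-0/0/23.0` and all addresses are constructed for illustration, and the definition of an "invalid" IP address is an assumption.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, AddressValueError


@dataclass(frozen=True)
class Arp:
    vlan: str
    port: str
    sender_ip: str
    sender_mac: str


# Constructed sample state, not taken from a real switch.
DAI_VLANS = {"vlan10"}           # DAI is enabled per VLAN and is off by default
TRUSTED_PORTS = {"ge-0/0/23.0"}  # trunk ports, or access ports set dhcp-trusted
SNOOPING_DB = {("vlan10", "10.0.10.5"): "00:11:22:33:44:55"}  # IP-MAC bindings


def sender_ip_is_invalid(ip: str) -> bool:
    # Assumption: "invalid" means unparsable, multicast or limited broadcast.
    try:
        addr = IPv4Address(ip)
    except AddressValueError:
        return True
    return addr.is_multicast or addr == IPv4Address("255.255.255.255")


def dai_verdict(pkt: Arp) -> str:
    if pkt.vlan not in DAI_VLANS:
        return "forward: DAI not enabled on VLAN"
    if pkt.port in TRUSTED_PORTS:
        return "forward: trusted port bypasses DAI"
    if pkt.sender_ip == "0.0.0.0":  # ARP probe (RFC 5227) is never inspected
        return "forward: ARP probe"
    if sender_ip_is_invalid(pkt.sender_ip):
        return "drop: invalid sender IP"
    bound_mac = SNOOPING_DB.get((pkt.vlan, pkt.sender_ip))
    if bound_mac is None or bound_mac.lower() != pkt.sender_mac.lower():
        return "drop: no matching IP-MAC binding"
    return "forward: binding matches"


if __name__ == "__main__":
    spoof = Arp("vlan10", "ge-0/0/0.0", "10.0.10.5", "de:ad:be:ef:00:01")
    print(dai_verdict(spoof))                                      # access port
    print(dai_verdict(Arp("vlan10", "ge-0/0/23.0", *spoof[2:4] if False else ("10.0.10.5", "de:ad:be:ef:00:01"))))  # trusted port
```

The same forged ARP reply is dropped on the untrusted access port and forwarded on the trusted one, which is the distinction the thread is arguing about.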
http://www.juniper.net/documentation/en_US/junos12.1/topics/reference/configuration-statement/no-dhcp-trusted-edit-ethernet-switching-options-secure-access-port-qfx-series.html
Port security features, such as DHCP snooping and dynamic ARP inspection, inspect packets only on untrusted interfaces.
I think the tie in this question is the word “arp-inspection”. In order to configure DAI, the correct command is arp-inspection under secure-access-port and after that under vlan X. The command “dynamic-arp-inspection” doesn’t exist, so this leaves only answers A and D as the right one. And when you configure DAI you must also configure DHCP snooping, that is, “examine-dhcp”. Therefore, from my point of view, the right answer is A.