Refer to the exhibit. What is the effect of this configuration?


Question:
Refer to the exhibit. What is the effect of this configuration?

  • A. The switch port interface trust state becomes untrusted.
  • B. The switch port remains administratively down until the interface is connected to another switch.
  • C. Dynamic ARP inspection is disabled because the ARP ACL is missing.
  • D. The switch port remains down until it is configured to trust or untrust incoming packets.

Exam with this question: CA201

IFixYourWrongAnswers replied 1 year ago

The configuration shown is configuring Dynamic ARP Inspection (DAI) on VLAN 2 and configuring FastEthernet 0/1 as an access port in VLAN 2. Therefore, the correct answer is D. The switch port remains down until it is configured to trust or untrust incoming packets.

Dynamic ARP Inspection (DAI) is a security feature that prevents Address Resolution Protocol (ARP) spoofing attacks on a network. When DAI is enabled on a switch, it verifies the validity of ARP packets by comparing the sender’s IP and MAC addresses against entries in the DHCP snooping binding table or ARP access list. If the ARP packet is invalid, it is dropped.

By configuring “ip arp inspection vlan 2”, DAI is enabled on VLAN 2. Then, the “interface fastethernet 0/1” command is used to configure FastEthernet 0/1 as an access port in VLAN 2. However, when DAI is enabled on a switch port, the port is placed in an “untrusted” state by default, meaning that incoming packets are dropped until they are verified as valid by DAI.

To allow traffic to flow through the port, it is necessary to configure the port as “trusted” using the “ip arp inspection trust” command, or to configure an ARP access list to explicitly allow certain types of ARP packets. Therefore, the switch port remains down until it is configured to trust or untrust incoming packets, making option D the correct answer.

Why would it not be A?

Option A, “The switch port interface trust state becomes untrusted”, could be a possible answer if the configuration included a command to explicitly configure the port as untrusted, such as “ip arp inspection trust none”. However, in the configuration provided, there is no command that explicitly sets the port as untrusted.

When DAI is enabled on a switch, the switch port is in an “untrusted” state by default. Therefore, incoming packets on an untrusted port are dropped until they are verified as valid by DAI. However, in the configuration provided, the switch port is not configured as untrusted, nor is there any command that would cause the trust state to change. Therefore, option A is not the correct answer.

The correct answer is D, “The switch port remains down until it is configured to trust or untrust incoming packets”, as the port is not configured as trusted or untrusted and is therefore in a down state.
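Added example, not part of the original reply and not Cisco code: a simplified Python model of the DAI check described above, in which an ARP packet arriving on an untrusted port in an inspected VLAN is compared against an ARP ACL and then the DHCP snooping binding table. The `Gi0/1` uplink, the IP addresses and the MAC addresses are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    port: str        # ingress interface
    vlan: int
    sender_ip: str
    sender_mac: str


class DaiModel:
    """Simplified model of Dynamic ARP Inspection decisions (illustrative only)."""

    def __init__(self, inspected_vlans, bindings, arp_acl=(), trusted_ports=()):
        self.inspected_vlans = set(inspected_vlans)
        self.bindings = dict(bindings)          # (vlan, ip) -> mac, as learned by DHCP snooping
        self.arp_acl = set(arp_acl)             # statically permitted (ip, mac) pairs
        self.trusted_ports = set(trusted_ports)

    def check(self, pkt):
        if pkt.vlan not in self.inspected_vlans:
            return "forward: VLAN not inspected"
        if pkt.port in self.trusted_ports:
            return "forward: trusted port"
        mac = pkt.sender_mac.lower()
        if (pkt.sender_ip, mac) in self.arp_acl:        # ACL is consulted first
            return "forward: ARP ACL permit"
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) == mac:
            return "forward: binding match"
        return "drop: no valid IP-to-MAC binding"


# Constructed state: DAI on VLAN 2, one DHCP client, one static host, one trusted uplink.
DAI = DaiModel(
    inspected_vlans=[2],
    bindings={(2, "192.0.2.10"): "00:00:5e:00:53:10"},
    arp_acl=[("192.0.2.20", "00:00:5e:00:53:20")],
    trusted_ports=["Gi0/1"],
)


def demo():
    packets = [
        ArpPacket("Fa0/1", 2, "192.0.2.10", "00:00:5E:00:53:10"),  # matches the binding
        ArpPacket("Fa0/1", 2, "192.0.2.10", "00:00:5e:00:53:66"),  # wrong MAC for that IP
        ArpPacket("Fa0/1", 2, "192.0.2.20", "00:00:5e:00:53:20"),  # static host in the ACL
        ArpPacket("Gi0/1", 2, "192.0.2.10", "00:00:5e:00:53:66"),  # trusted port: not inspected
    ]
    return [DAI.check(p) for p in packets]
```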
