Q1. What is the purpose of ARP in Networking?
A: ARP (Address Resolution Protocol) maps IP addresses to MAC addresses so devices can communicate on a local network. Without ARP, a device wouldn’t know the hardware address needed to deliver frames.
Q2. What are the two main ARP message types?
A: ARP Request (broadcast asking “Who has IP X?”) and ARP Reply (unicast response “IP X is at MAC Y”).
Q3. Why are ARP requests broadcast?
A: Because the sender doesn’t know the MAC address of the target, so it must ask all devices on the LAN.
Q4. Why are ARP replies unicast?
A: Because only the requesting device needs the answer, so the reply is sent directly to it.
Q5. Why does ARP not use an IP header?
A: ARP resolves addresses only within a single LAN segment (one broadcast domain) and is never routed, so the ARP message is carried directly in the Ethernet frame (EtherType 0x0806) rather than inside an IP packet.
Q6. What information is stored in an ARP table?
A: IP-to-MAC mappings learned through ARP requests/replies or gratuitous ARP.
Q7. When PC1 sends an ARP request to R1, what does R1 learn?
A: R1 learns PC1’s MAC address and adds it to its ARP table, so it can reply later without sending its own ARP request.
Q8. What is a gratuitous ARP?
A: An ARP reply (on some stacks, a request) that a device sends without having received a request, usually broadcast, announcing its own IP-to-MAC mapping (sender IP and target IP are both its own address) so that neighbours can update their ARP tables proactively.
Q9. When might a device send a gratuitous ARP?
A: When its interface is enabled, when its IP changes, or when its MAC changes.
Q10. Why are gratuitous ARPs useful?
A: They allow other devices to learn or update ARP tables without waiting for a request, ensuring faster convergence.
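As an added example (not part of this study set), the following Python builds and decodes the three ARP frames covered in Q1 to Q10 using only the standard struct module: a broadcast request with a zeroed target MAC, a unicast reply, and a broadcast gratuitous ARP. It also shows the ARP table R1 learns from PC1's request alone. The MAC and IP addresses, and the names PC1/R1, are constructed for illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2

# Ethernet II header: dst MAC, src MAC, EtherType. The ARP body follows it
# directly; there is no IP header because ARP never leaves the local segment.
ETH_HDR = "!6s6sH"
# ARP body: HTYPE, PTYPE, HLEN, PLEN, OPER, SHA, SPA, THA, TPA (28 bytes for IPv4 over Ethernet)
ARP_HDR = "!HHBBH6s4s6s4s"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst) -> bytes:
    """Build one complete 42-byte Ethernet frame carrying an ARP message."""
    eth = struct.pack(ETH_HDR, mac_to_bytes(eth_dst), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_HDR, 1, 0x0800, 6, 4, op,
                      mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                      mac_to_bytes(target_mac), ip_to_bytes(target_ip))
    return eth + arp


def arp_request(sender_mac, sender_ip, target_ip) -> bytes:
    # "Who has target_ip?" The sender does not know the target MAC, so the
    # target hardware field is zeroed and the frame is broadcast to every host.
    return build_arp(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip, BROADCAST_MAC)


def arp_reply(sender_mac, sender_ip, requester_mac, requester_ip) -> bytes:
    # "sender_ip is at sender_mac." Only the requester needs it, so it is unicast.
    return build_arp(ARP_REPLY, sender_mac, sender_ip, requester_mac, requester_ip, requester_mac)


def gratuitous_arp(mac, ip) -> bytes:
    # Unsolicited broadcast reply announcing the sender's own mapping
    # (sender IP == target IP). Some stacks send it as a request instead
    # (RFC 5227 "ARP Announcement"); both forms carry the same mapping.
    return build_arp(ARP_REPLY, mac, ip, BROADCAST_MAC, ip, BROADCAST_MAC)


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame into printable fields."""
    eth_dst, eth_src, ethertype = struct.unpack(ETH_HDR, frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_HDR, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {
        "eth_dst": bytes_to_mac(eth_dst), "eth_src": bytes_to_mac(eth_src), "op": op,
        "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
        "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa),
    }


def is_gratuitous(msg: dict) -> bool:
    return msg["sender_ip"] == msg["target_ip"]


class ArpTable:
    """Minimal ARP cache. Every ARP message (request, reply or gratuitous)
    carries the sender's IP/MAC pair, so a host learns it without asking."""

    def __init__(self):
        self.entries = {}

    def learn(self, msg: dict) -> None:
        self.entries[msg["sender_ip"]] = msg["sender_mac"]

    def lookup(self, ip: str):
        return self.entries.get(ip)


def resolve_exchange():
    """PC1 resolves R1 (constructed addresses): R1 learns PC1 from the
    broadcast request alone, then answers with a unicast reply."""
    pc1_mac, pc1_ip = "aa:bb:cc:00:00:01", "192.168.1.10"
    r1_mac, r1_ip = "00:00:5e:00:01:01", "192.168.1.1"
    r1_table, pc1_table = ArpTable(), ArpTable()
    req = parse_arp(arp_request(pc1_mac, pc1_ip, r1_ip))
    r1_table.learn(req)          # R1 now knows PC1 without sending its own request
    rep = parse_arp(arp_reply(r1_mac, r1_ip, req["sender_mac"], req["sender_ip"]))
    pc1_table.learn(rep)
    return req, rep, pc1_table, r1_table
```

Running resolve_exchange() shows the request going to ff:ff:ff:ff:ff:ff with an all-zero target MAC, the reply addressed straight to PC1, and both tables populated after one round trip; feeding the same frames to parse_arp from a real capture works as long as the Ethernet header is present and untagged.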
Q11. What is ARP poisoning?
A: A man-in-the-middle attack in which an attacker sends forged ARP messages so that victims associate another host’s IP (typically the default gateway’s) with the attacker’s MAC and send that traffic to the attacker instead of the legitimate gateway.
Q12. How does ARP poisoning work?
A: The attacker sends gratuitous ARPs claiming the gateway’s IP but with their own MAC. Victims update their ARP tables incorrectly.
Q13. What happens to PC1’s ARP table after poisoning?
A: It maps the gateway’s IP (192.168.1.1) to the attacker’s MAC, so traffic meant for the gateway goes to the attacker.
Q14. What can an attacker do after intercepting traffic?
A: Inspect packets, alter data, or forward traffic to the real gateway while staying hidden.
Q15. Why doesn’t the gateway update its ARP table with spoofed entries?
A: Because a device keeps no ARP entry for its own IP address and will not create one from a message claiming that address; at most it logs a duplicate-address conflict. This only protects the gateway’s entry for itself: its entries for other hosts (such as PC1) can still be poisoned by a separate forged message, which is how an attacker also captures the return traffic.
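The poisoning in Q11 to Q15 seen from the hosts' ARP caches, as an added example rather than anything from the study set: a classic cache that stores the sender pair from any ARP message (and so is poisoned), a hardened variant that drops unsolicited replies or pins the gateway, and the gateway itself refusing a mapping for its own address. The ArpMsg class, the host names and all addresses are constructed for this illustration.

```python
from dataclasses import dataclass

ZERO_MAC, BROADCAST_MAC = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpMsg:
    op: int            # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class Host:
    """Classic ARP cache: the sender IP/MAC pair of any ARP message is stored.
    This is the behaviour ARP poisoning relies on."""

    def __init__(self, ip, mac):
        self.ip, self.mac, self.table = ip, mac, {}

    def send_request(self, target_ip) -> ArpMsg:
        return ArpMsg(1, self.mac, self.ip, ZERO_MAC, target_ip)

    def receive(self, msg: ArpMsg) -> str:
        if msg.sender_ip == self.ip:
            # A host keeps no ARP entry for its own address, so a forged message
            # claiming the gateway's IP cannot poison the gateway's own table;
            # at most it raises a duplicate-address warning.
            return "own-ip-conflict" if msg.sender_mac != self.mac else "ignored"
        self.table[msg.sender_ip] = msg.sender_mac
        return "learned"


class HardenedHost(Host):
    """Store a reply only if it answers a request this host sent, and never let
    an ARP message override an operator-pinned static entry."""

    def __init__(self, ip, mac, static=None):
        super().__init__(ip, mac)
        self.static = dict(static or {})
        self.table.update(self.static)
        self.pending = set()           # IPs we have asked about and not yet heard back on

    def send_request(self, target_ip) -> ArpMsg:
        self.pending.add(target_ip)
        return super().send_request(target_ip)

    def receive(self, msg: ArpMsg) -> str:
        if msg.sender_ip == self.ip:
            return super().receive(msg)
        if msg.sender_ip in self.static:
            return "ignored-static" if msg.sender_mac != self.static[msg.sender_ip] else "ignored"
        if msg.op == 2 and msg.sender_ip not in self.pending:
            return "dropped-unsolicited"   # a gratuitous or forged reply nobody asked for
        self.pending.discard(msg.sender_ip)
        self.table[msg.sender_ip] = msg.sender_mac
        return "learned"


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:00:5e:00:01:01"
PC1_IP, PC1_MAC = "192.168.1.10", "aa:bb:cc:00:00:01"
ATTACKER_MAC = "de:ad:be:ef:00:01"
# The poison: an unsolicited broadcast "reply" claiming the gateway's IP is at the attacker's MAC.
POISON = ArpMsg(2, ATTACKER_MAC, GATEWAY_IP, BROADCAST_MAC, GATEWAY_IP)


def run_attack(policy: str):
    """Normal resolution of the gateway by PC1, then the poison broadcast.
    policy: 'naive' (classic cache), 'solicited' (replies must answer a request)
    or 'static' (gateway pinned). Returns PC1's entry for the gateway, PC1's
    verdict on the poison and the gateway's verdict on it."""
    gateway = Host(GATEWAY_IP, GATEWAY_MAC)
    if policy == "naive":
        pc1 = Host(PC1_IP, PC1_MAC)
    elif policy == "solicited":
        pc1 = HardenedHost(PC1_IP, PC1_MAC)
    else:
        pc1 = HardenedHost(PC1_IP, PC1_MAC, static={GATEWAY_IP: GATEWAY_MAC})

    gateway.receive(pc1.send_request(GATEWAY_IP))                     # R1 learns PC1 from the request
    pc1.receive(ArpMsg(2, GATEWAY_MAC, GATEWAY_IP, PC1_MAC, PC1_IP))  # legitimate unicast reply
    pc1_verdict = pc1.receive(POISON)                                 # broadcast: everyone sees it
    gw_verdict = gateway.receive(POISON)
    return pc1.table[GATEWAY_IP], pc1_verdict, gw_verdict
```

With the naive policy PC1's gateway entry ends up as de:ad:be:ef:00:01 while the gateway only reports a conflict, which is the state Q13 and Q15 describe. The "solicited" policy blocks the poison but also discards every legitimate gratuitous ARP, so it gives up the fast convergence from Q10 (VRRP/HSRP failover announcements are gratuitous ARPs); pinning the gateway only works while its MAC never changes. Neither stops a second forged message aimed at the gateway's entry for PC1, which is why the durable fix sits on the switch (DAI, below) rather than on the hosts.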
Q16. What is the purpose of DAI?
A: To prevent ARP spoofing by inspecting ARP messages received on untrusted ports and discarding those whose sender IP/MAC pair is not valid.
Q17. Which traffic does DAI inspect?
A: Only ARP messages; all other traffic passes normally.
Q18. By default, are ports trusted or untrusted when DAI is enabled?
A: All ports are untrusted by default.
Q19. Which ports should be configured as trusted?
A: Ports connected to infrastructure devices like switches or routers.
Q20. Which ports should remain untrusted?
A: Ports connected to end hosts (PCs, servers).
Q21. What table does DAI use to validate ARP messages?
A: The DHCP snooping binding table, which records the VLAN, IP, MAC and port of every client that obtained a DHCP lease. An ARP message on an untrusted port is forwarded only if its sender IP/MAC pair matches an entry.
Q22. How does DAI handle static IP hosts?
A: They have no DHCP binding, so ARP ACLs (manually configured IP-to-MAC mappings) are applied to the VLAN to permit their ARP messages.
Q23. What optional validation checks can DAI perform?
A:
• Destination MAC check: for ARP replies, the Ethernet header destination MAC must match the ARP target MAC.
• IP check: drops messages carrying invalid addresses (0.0.0.0, 255.255.255.255, multicast) in the sender IP field of any message, or in the target IP field of a reply.
• Source MAC check: for requests and replies, the Ethernet header source MAC must match the ARP sender MAC.
Q24. What is the default ARP rate limit on untrusted ports?
A: 15 packets per second. Trusted ports are not rate limited by default.
Q25. What happens if the ARP rate limit is exceeded?
A: The interface goes into an err-disabled state and stops forwarding until an administrator re-enables it or err-disable recovery brings it back.
Q26. Which command enables DAI on a VLAN?
A: ip arp inspection vlan <VLAN_ID>
Q27. Which command configures a port as trusted?
A:
interface <id>
ip arp inspection trust
Q28. Which command verifies trust state and rate limiting?
A: show ip arp inspection interfaces
Q29. Which command shows global DAI configuration and statistics?
A: show ip arp inspection
Q30. How can you recover an interface from err-disabled due to ARP inspection?
A: Use errdisable recovery cause arp-inspection (global configuration), which re-enables the port automatically once the recovery timer expires.
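To tie the DAI cards together, here is an added example (my own model, not Cisco code or anything from the study set) of the inspection logic a switch applies per ARP frame: VLAN scoping, trusted ports, the DHCP snooping binding table, an ARP ACL for a static host, the three optional validations, the 15 pps untrusted-port limit that err-disables the port, and recovery. The scenario replays the poison from Q12 against it. The ArpFrame class, port names, VLAN and all addresses are constructed; the model matches bindings on VLAN, sender IP and sender MAC.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpFrame:
    port: str
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    op: int           # 1 = request, 2 = reply
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def invalid_ip(ip: str) -> bool:
    """Addresses the optional 'ip' validation rejects: unspecified, limited broadcast, multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239


class DaiSwitch:
    """Model of Dynamic ARP Inspection. The knobs mirror the page's IOS commands:
    vlans = 'ip arp inspection vlan', trusted = 'ip arp inspection trust',
    validate = the optional src-mac / dst-mac / ip checks, rate_limit = the
    untrusted-port limit (15 pps by default)."""

    def __init__(self, vlans, trusted=(), validate=(), rate_limit=15):
        self.vlans, self.trusted, self.validate = set(vlans), set(trusted), set(validate)
        self.rate_limit = rate_limit
        self.bindings = {}                # DHCP snooping table: (vlan, ip) -> mac
        self.arp_acl = {}                 # ARP ACL for static hosts: (vlan, ip) -> mac
        self.err_disabled = set()
        self.pps = defaultdict(int)       # (port, second) -> ARP frames seen

    def dhcp_binding(self, vlan, ip, mac):
        self.bindings[(vlan, ip)] = mac

    def acl_permit(self, vlan, ip, mac):
        self.arp_acl[(vlan, ip)] = mac

    def recover(self, port):
        """What 'errdisable recovery cause arp-inspection' does once its timer expires."""
        self.err_disabled.discard(port)

    def inspect(self, f: ArpFrame, second: int) -> str:
        """Return 'forwarded', 'dropped:<reason>' or 'err-disabled' for one ARP frame."""
        if f.port in self.err_disabled:
            return "err-disabled"
        if f.vlan not in self.vlans or f.port in self.trusted:
            return "forwarded"            # DAI off for this VLAN, or trusted port: no checks, no limit
        self.pps[(f.port, second)] += 1
        if self.pps[(f.port, second)] > self.rate_limit:
            self.err_disabled.add(f.port)
            return "err-disabled"
        reason = self._check(f)
        return f"dropped:{reason}" if reason else "forwarded"

    def _check(self, f: ArpFrame):
        if "src-mac" in self.validate and f.eth_src != f.sender_mac:
            return "src-mac"              # requests and replies
        if "dst-mac" in self.validate and f.op == 2 and f.eth_dst != f.target_mac:
            return "dst-mac"              # replies only
        if "ip" in self.validate and (invalid_ip(f.sender_ip) or (f.op == 2 and invalid_ip(f.target_ip))):
            return "ip"
        # The sender IP/MAC pair must be permitted by an ARP ACL or present in the snooping table.
        if self.arp_acl.get((f.vlan, f.sender_ip)) == f.sender_mac:
            return None
        if self.bindings.get((f.vlan, f.sender_ip)) == f.sender_mac:
            return None
        return "no-binding"


def scenario():
    """Constructed VLAN 10: PC1 (DHCP client) on Gi1/0/1, SRV (static IP) on Gi1/0/2,
    attacker on Gi1/0/3, uplink to gateway R1 on the trusted port Gi1/0/24."""
    sw = DaiSwitch(vlans=[10], trusted=["Gi1/0/24"], validate=["src-mac", "dst-mac", "ip"])
    pc1, srv, gw, atk = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "00:00:5e:00:01:01", "de:ad:be:ef:00:01"
    gw_ip, bcast, zero = "192.168.1.1", "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    sw.dhcp_binding(10, "192.168.1.10", pc1)
    sw.acl_permit(10, "192.168.1.20", srv)
    r = {}
    r["pc1_request"] = sw.inspect(ArpFrame("Gi1/0/1", 10, pc1, bcast, 1, pc1, "192.168.1.10", zero, gw_ip), 0)
    r["srv_reply"] = sw.inspect(ArpFrame("Gi1/0/2", 10, srv, pc1, 2, srv, "192.168.1.20", pc1, "192.168.1.10"), 0)
    r["r1_garp"] = sw.inspect(ArpFrame("Gi1/0/24", 10, gw, bcast, 2, gw, gw_ip, bcast, gw_ip), 0)
    # The poison from Q12: attacker claims the gateway IP from an untrusted port with no binding.
    r["poison"] = sw.inspect(ArpFrame("Gi1/0/3", 10, atk, bcast, 2, atk, gw_ip, bcast, gw_ip), 0)
    # Same, with the Ethernet source forged to the gateway MAC: caught by the src-mac check.
    r["forged_src"] = sw.inspect(ArpFrame("Gi1/0/3", 10, gw, bcast, 2, atk, gw_ip, bcast, gw_ip), 0)
    r["bogus_ip"] = sw.inspect(ArpFrame("Gi1/0/3", 10, atk, bcast, 1, atk, "0.0.0.0", zero, gw_ip), 0)
    # 16 ARP frames within one second on an untrusted port exceed the 15 pps limit.
    flood = ArpFrame("Gi1/0/3", 10, atk, bcast, 1, atk, "192.168.1.99", zero, gw_ip)
    for _ in range(16):
        r["flood"] = sw.inspect(flood, 1)
    r["while_disabled"] = sw.inspect(flood, 2)
    sw.recover("Gi1/0/3")
    r["after_recovery"] = sw.inspect(flood, 2)
    return r
```

scenario() forwards PC1's request (binding match), the server's reply (ARP ACL match) and R1's gratuitous ARP (trusted uplink, never inspected), drops the poison for lack of a binding, the forged-source variant on the src-mac check and the 0.0.0.0 sender on the ip check, and err-disables Gi1/0/3 on the 16th frame in one second; after recovery the port inspects again, and the attacker's frames are still dropped. One caveat the model makes visible: a trusted port is exempt from everything, including the rate limit, so trusting an access port to silence a false positive reopens the whole attack on that port.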