16 Cards in this Set
- Front
- Back
Global command to enable DHCP snooping for one or more VLANs |
ip dhcp snooping vlan (vlan-range) |
|
Interface command to create a trusted interface (DHCP snooping) |
ip dhcp snooping trust |
|
Where should the command "ip dhcp snooping trust" be configured? |
A port which a DHCP server exists behind (also needs to be configured on trunk ports and WAN ports if necessary) |
|
Global command to add static entries to the DHCP snooping binding database |
ip dhcp snooping binding (mac-address) vlan (vlan-id) (ip-address) interface (interface-id) expiry (seconds) |
|
Interface subcommand to add the optional check that the Ethernet source MAC address equals the client ID in a DHCP request |
ip dhcp snooping verify mac-address |
|
Sets the maximum number of DHCP messages per second to mitigate DoS attacks |
ip dhcp snooping limit rate (rate) |
|
Global command to enable DAI |
ip arp inspection vlan (vlan-range) |
|
Interface subcommand that disables DAI on the interface. (Interface defaults to enabled after the "ip arp inspection" global command has been configured.) |
ip arp inspection trust |
|
Global command to refer to an ARP ACL that defines static IP/MAC addresses to be checked by DAI for that VLAN |
ip arp inspection filter (ACL-NAME) vlan (VLAN-RANGE) [static] |
|
Enables additional optional checking of ARP messages |
ip arp inspection validate {[src-mac] [dst-mac] [ip]} |
|
Limits the ARP message rate to prevent DoS attacks |
ip arp inspection limit {rate (PPS) [burst interval (seconds)] | none} |
|
What effect does the "update arp" command have when configured under the DHCP pool? |
The update arp command 'locks' the ARP entries in the ARP cache as the router assigns IP addresses via DHCP. The secured ARP entries cannot be removed from the cache by the clear arp-cache command. To remove the secure ARP entries, the DHCP bindings must also be deleted (clear ip dhcp binding). |
|
What effect does the subinterface command "authorize arp" have? |
DHCP Authorized ARP disables dynamic ARP learning on an interface; therefore, you need to configure the ARP static entry. |
|
Port security only works on: |
-Static trunks and access ports. Dynamic ports are not supported. |
|
If the port is an access port configured with access and voice VLANs, you can use commands to impose restrictions on just two VLANs, without ever mentioning their numbers: |
switchport port-security maximum # vlan {access|voice} |
|
Subinterface command to define MAC address timeouts: |
switchport port-security aging timeout; switchport port-security aging type {absolute|inactivity} |