Time
3 hours 35 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Transcription

00:00
Welcome to the Cisco CCNP Switch 300-115 exam prep series. My name is Philip Inshanally, and in today's episode we'll focus on Dynamic ARP Inspection. Dynamic ARP Inspection is a security feature which validates ARP packets in the network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.
00:18
This capability protects the network
00:20
from some man-in-the-middle attacks.
00:22
You want to trust the ports going to your servers and your trunk links. When you enable Dynamic ARP Inspection,
00:29
you're gonna configure the ports going to hosts as untrusted, and again, ports going to your switches as trusted, in addition to ports going to your servers. By default, all the interfaces are untrusted when you enable Dynamic ARP Inspection. From global configuration mode, you would issue the command ip arp inspection
00:47
vlan, and you specify if it's a single VLAN or a range of VLANs
00:51
on which you want to enable Dynamic ARP Inspection.
00:54
Optionally, you can turn on more validation by using the command ip arp inspection validate, and there are a number of options available if you use the validate keyword.
01:04
Optionally, you can also apply a filter which would call an ARP ACL. On the ports that are going to your servers and your switches,
01:12
you want to trust those ports, so you would issue this command, ip arp inspection trust, from the interface sub-configuration mode. To verify, you would use the command show ip arp inspection.
01:23
I'm gonna bring up a lab now, so we'll see how we can configure Dynamic ARP Inspection. We will configure Dynamic ARP Inspection on NY Core 1 and then we'll perform some tests between NY 11
01:34
going to NY Edge 1.
01:37
Currently, the traffic is taking the G0/0 interface and goes through NY Core 1 and then goes up to NY Edge 1. Let's start on Dynamic ARP Inspection on NY Core 1.
01:49
Here we can see the various options: filter, if we want to specify an ARP ACL;
01:53
we have some log-buffer options; we have the validate keyword, which we can use to perform further validation; and then there's the vlan keyword. So we'll choose vlan.
02:05
Here we'll specify all of our VLANs.
02:10
So we'll specify these two VLANs: one, and then we put a comma
02:17
and specify the second VLAN.
02:20
If I wanted a range of VLANs,
02:23
when I specify the first VLAN, I would put a hyphen,
02:28
and I've specified a range of VLANs.
02:30
If I press Enter here, Dynamic ARP Inspection will be enabled on VLAN 1 through 999.
02:42
So I've just enabled Dynamic ARP Inspection on VLAN 1 to 999.
02:49
Now we're going to start to see a number of messages appearing.
02:53
Here we can see it says switch Dynamic ARP Inspection, DHCP snooping deny. So this is a typical message you're gonna see when you enable Dynamic ARP Inspection, because all ports are untrusted by default, as we mentioned on the slides.
03:07
Here we can see there are invalid ARP entries coming in, and we also see their MAC address in addition to the IP address.
03:16
So now, let's go across to NY 11,
03:19
perform a ping
03:21
to NY Edge 1.
03:23
So we'll ping the 1 92 1/60
03:25
That's 16 not one IP that resides on NY Edge 1
03:32
on its G0/0 interface.
03:39
So over here on NY 11, let's try to ping the one into 1 68 69 1 90
03:51
And as you can see, the pings are failing. So in order to fix this, we need to trust the ports
03:55
on NY Core 1, on the interfaces between
03:59
NY Edge 1 and NY 11.
04:02
In this case it's gonna be the FastEthernet 1/0/1 and FastEthernet 1/0/2 interfaces.
04:11
I will use the interface range command and apply the same command
04:15
to both interfaces,
04:16
and the command is ip arp inspection trust.
04:24
So as we can see, the command was executed successfully.
04:27
But because this is a lab environment, you're gonna see some strange
04:30
outputs from time to time. Go across back to NY 11 and reissue the ping.
04:39
There you go, so you can see the power of the Dynamic ARP Inspection feature. Likewise, if I wanted to ping from NY 11
04:47
across to NY Core 2,
04:49
I would need to trust these two ports
04:53
that are between NY Core 1 and NY Core 2. So that's how you can trigger Dynamic ARP Inspection. And to verify, over on NY Core 1 we can issue the command show ip arp inspection.
05:05
Now we can specify the VLAN.
05:10
In this case it's VLAN 1.
05:14
From here, we can see under Configuration it says Enabled,
05:17
and it's currently Active
05:19
under Operation.
05:21
Other options: we can specify interfaces
05:26
if we only want to look at one particular interface.
05:30
There you go. We can see it says Trusted.
05:32
It's currently trusted
05:34
for the FastEthernet 1/0/1 interface.
05:41
Now when you issue this command without specifying an interface, we're going to see all of the interfaces' trust states. All right, let's go back to the slides.
05:48
We have a post-assessment question: which command configures a port as trusted?
05:53
A, from interface sub-configuration mode we issue the command ip arp inspection trust;
05:59
or B, from global configuration mode we issue the command ip arp inspection trust; or C,
06:04
from global configuration mode we issue the command ip arp trust inspection.
06:11
And the answer is A: on the interface sub-configuration mode, we would issue the command ip arp inspection trust.
06:16
In today's lecture, we worked with Dynamic ARP Inspection. First, we saw how we would set up Dynamic ARP Inspection on a switch,
06:23
and we saw the effects of Dynamic ARP Inspection.
06:26
We then saw how we would set a port to be trusted.
06:29
Finally, we performed verification.
06:31
Note: Dynamic ARP Inspection uses the DHCP snooping database for verification of IP-to-MAC address bindings.
06:39
So I usually run Dynamic ARP Inspection and DHCP snooping side by side.
06:44
If for some strange reason DHCP snooping is not running on your switches, well, then you would create ARP ACLs
06:49
and apply it as a filter using the ip arp inspection filter command and specify the ARP ACL, and Dynamic ARP Inspection would use the ARP ACL to either permit or deny your packets.
07:01
In the next video, we'll look at port security. This is Philip Inshanally, and thank you, which was in cyber

Up Next

CCNP Switch - 300-115

This course is engineered to prepare you for your Cisco Certified Network Professional CCNP Switch 300-115. In this course, we will cover all the main domains present in the current version of the CCNP exam, which are centered around infrastructure security and services and Layer 2 technologies.

Instructed By

Philip Inshanally
Network Administrator
Instructor