Dynamic ARP Inspection — Validation Checks
Harden Dynamic ARP Inspection (DAI) on an access switch by enabling additional packet validation checks: source MAC, destination MAC, and IP sanity. The uplink toward the DHCP server/gateway is trusted, access ports are untrusted. DHCP Snooping and baseline DAI are already enabled for VLAN 10; your task is to add the global DAI validation knobs and verify the change deterministically via show commands.
Dynamic ARP Inspection
Harden the Layer-2 access edge by enabling Dynamic ARP Inspection (DAI) on a single access switch. DHCP Snooping is already in place and the uplink toward the DHCP server/gateway is trusted. Your job: enable DAI for VLAN 10 and trust the uplink so ARP on host-facing ports is validated against the DHCP Snooping bindings.
Errdisable Recovery for L2 Security
CCNP Layer 2 Security Hardening, Lab 9/10. You will enable automatic errdisable recovery on a campus access switch so ports shut down by Layer-2 security (Dynamic ARP Inspection, DHCP rate-limit, or storm control) can return to service automatically after a safe interval. The switch already enforces DHCP snooping with a correct trust boundary, DAI validation, and broadcast/multicast/unicast storm-control with shutdown actions. Your job: turn on errdisable auto-recovery for arp-inspection, dhcp-rate-limit, and storm-control, and set the interval to 60 seconds. Verify with show errdisable recovery.
Defense in Depth: DHCP Snooping + DAI
Harden the Layer-2 access edge by deploying a unified trust boundary for DHCP Snooping and Dynamic ARP Inspection (DAI) on a single access switch. R1 is both the default gateway and DHCP server for VLAN 10. You will enable DHCP Snooping and DAI globally for VLAN 10 and set the same uplink interface as trusted for both features, leaving host-facing access ports untrusted. This lab emphasizes the dependency and synergy between DHCP Snooping and DAI for blocking rogue DHCP/ARP activity. Grade scope: SW1 config only.