Welcome to the Cisco CCNP SWITCH 300-115 exam video series. My name is Philip Inshanally, and in today's video we'll focus on Dynamic ARP Inspection. Dynamic ARP Inspection is a security feature which validates ARP packets in the network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings.
This capability protects the network from some man-in-the-middle attacks.
You want to trust the ports going to your servers and your trunk links. When you enable Dynamic ARP Inspection, you're going to configure the ports going to hosts as untrusted, and again, ports going to your switches as trusted, in addition to ports going to your servers. By default, all the interfaces are untrusted when you enable Dynamic ARP Inspection.
From global configuration mode, you would issue the command ip arp inspection vlan, and you specify whether it's a single VLAN or a range of VLANs on which you want to enable Dynamic ARP Inspection.
Optionally, you can turn on more validation by using the command ip arp inspection validate, and there are a number of options available if you use the validate keyword.
Optionally, you can also apply a filter which would call an ARP ACL. On the ports that are going to your servers and your switches, you want to trust those ports, so you would issue the command ip arp inspection trust from interface subconfiguration mode. To verify, you would use the command show ip arp inspection.
I'm going to bring up a lab now, so we'll see how we can configure Dynamic ARP Inspection. We will configure Dynamic ARP Inspection on NY Core 1 and then we'll perform some tests between NY 11 going to NY Edge 1.
Currently, the traffic is taking the G0/0 interface and goes through NY Core 1, and then goes up to NY Edge 1. Let's turn on Dynamic ARP Inspection on NY Core 1.
Here you can see the various options: filter, if we want to specify an ARP ACL; we have some log-buffer options; we have the validate keyword, which we can use to perform further validation; and then there's the vlan keyword. So we'll choose vlan here. We'll specify all of our VLANs.
So if we specified just two VLANs, we'd enter one, and then we put a comma and specify the second VLAN.
If I wanted a range of VLANs, when I specify the first VLAN, I would put a hyphen. I have now specified a range of VLANs.
If I press Enter here, Dynamic ARP Inspection will be enabled on VLANs 1 through 999.
So I've just enabled Dynamic ARP Inspection on VLANs 1 to 999.
Now we're going to start to see a number of messages appearing.
Here you can see this: switch Dynamic ARP Inspection, DHCP snooping deny. So this is a typical message you're going to see when you enable Dynamic ARP Inspection, because all ports are untrusted by default, as we mentioned on the slides.
Here you can see the invalid ARP entries coming in, and we also see their MAC address in addition to the IP address.
So now, let's go across to NY 11, so we'll ping the 192.168.69.190 IP that resides on NY Edge 1 on its G0/0 interface.
So over here on NY 11, let's try to ping 192.168.69.190.
And as you can see, the pings are failing. So in order to fix this, we need to trust the ports on NY Core 1, on the interfaces between NY Edge 1 and NY 11. In this case it's going to be the FastEthernet 1/0/1 and FastEthernet 1/0/2 interfaces.
I will use the interface range command to apply the same command, and the command is ip arp inspection trust.
So as we can see, the command was executed successfully.
But because this is a lab environment, you're going to see some strange outputs from time to time. Let's go back across to NY 11 and reissue the ping.
There you go, so you can see the power of the Dynamic ARP Inspection feature. Likewise, if I wanted to ping from NY 11 across to NY Core 2, I would need to trust the two ports that are between NY Core 1 and NY Core 2.
So that's how you can configure Dynamic ARP Inspection. And to verify, over on NY Core 1, we can issue the command show ip arp inspection.
Now we can specify the VLAN. In this case, it's VLAN 1.
From here, we can see under Configuration it says Enabled, and it's currently Active.
Other options: we can specify interfaces if we only want to look at one particular interface.
There you go. We can see it says Trusted. It's currently trusted for the FastEthernet 1/0/1 interface.
Now when you issue this command without specifying an interface, you're going to see all of the interfaces' trust states. All right, let's go back to the slides.
We have a post-assessment question: Which command configures a port as trusted?
A: from interface subconfiguration mode, we issue the command ip arp inspection trust.
Or B: from global configuration mode, we issue the command ip arp inspection trust.
Or C: from global configuration mode, we issue the command ip arp trust inspection.
And the answer is A: under interface subconfiguration mode, we would issue the command ip arp inspection trust.
In today's lecture, we worked with Dynamic ARP Inspection. First, we saw how we would set up Dynamic ARP Inspection on a switch, and we saw the effects of Dynamic ARP Inspection.
We then saw how we would set a port to be trusted.
Finally, we performed verification.
Note: Dynamic ARP Inspection uses the DHCP snooping database for verification of IP-to-MAC address bindings.
So I usually run Dynamic ARP Inspection and DHCP snooping side by side.
If for some strange reason DHCP snooping is not running on your switches, well, then you would create ARP ACLs and apply them as a filter using the ip arp inspection filter command and specify the ARP ACL, and Dynamic ARP Inspection would use the ARP ACL to either permit or deny ARP packets.
In the next video, we'll look at port security. This is Philip Inshanally. Thank you for watching Cybrary.
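
The forwarding decision described in this lecture, as an added Python model that is not part of the lecture and is not Cisco's implementation. It replays the lab sequence: ARP is dropped once inspection is enabled, forwarded once the port is trusted, and a mismatched binding on an untrusted port is still dropped. Assumptions: the class and function names are hypothetical, the IP and MAC addresses and the Fa1/0/5 host port are constructed, and ARP ACL handling is simplified to permit entries only.

```python
# Simplified model of the Dynamic ARP Inspection decision (illustration only).
# All names and addresses here are constructed for this example.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Arp:
    port: str          # ingress interface
    vlan: int
    sender_ip: str
    sender_mac: str


@dataclass
class Switch:
    dai_vlans: set = field(default_factory=set)   # ip arp inspection vlan ...
    trusted: set = field(default_factory=set)     # ip arp inspection trust
    snooping: dict = field(default_factory=dict)  # DHCP snooping: (vlan, ip) -> mac
    arp_acl: dict = field(default_factory=dict)   # ARP ACL filter: (vlan, ip) -> mac

    def inspect(self, pkt: Arp) -> str:
        if pkt.vlan not in self.dai_vlans:
            return "forward"   # inspection is not enabled on this VLAN
        if pkt.port in self.trusted:
            return "forward"   # trusted ports bypass validation
        key = (pkt.vlan, pkt.sender_ip)
        # Untrusted port: the sender IP must be bound to the sender MAC,
        # either by an ARP ACL entry or by a DHCP snooping binding.
        for table in (self.arp_acl, self.snooping):
            if table.get(key) == pkt.sender_mac:
                return "forward"
        return "drop"          # invalid IP-to-MAC binding


def lab_scenario():
    """Enable inspection, see ARP dropped, trust the ports, test a mismatch."""
    sw = Switch(dai_vlans=set(range(1, 1000)))    # VLANs 1 through 999
    legit = Arp("Fa1/0/1", 1, "192.0.2.10", "00:00:5e:00:53:01")
    mismatch = Arp("Fa1/0/5", 1, "192.0.2.10", "00:00:5e:00:53:66")
    before = sw.inspect(legit)                    # every port untrusted by default
    sw.trusted |= {"Fa1/0/1", "Fa1/0/2"}          # interface range + trust
    after = sw.inspect(legit)
    sw.snooping[(1, "192.0.2.10")] = "00:00:5e:00:53:01"
    return before, after, sw.inspect(mismatch)
```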