300-320 Question #578: Real Exam Question with Answer & Explanation
The correct answer is C: Utilize DHCP snooping on a per VLAN basis and apply ip dhcp snooping untrusted on all ports.
Question
Options
- A. Utilize the native VLAN only on trunk ports to reduce the risk of a double-tagged 802.1Q VLAN attack
- B. Utilize an access list to prevent the use of ARP to modify entries to the table
- C. Utilize DHCP snooping on a per VLAN basis and apply ip dhcp snooping untrusted on all ports
- D. Utilize the ARP inspection feature to help prevent the misuse of gARP
- E. Utilize private VLANs and ensure that all ports are part of the isolated port group
Explanation
DHCP Snooping (C) is a Layer 2 security feature that builds a binding table of legitimate IP-to-MAC-to-port mappings by inspecting DHCP exchanges. Applied per VLAN, with access ports left untrusted, it prevents rogue DHCP servers from handing out false IP addresses to clients and so protects the integrity of Layer 3 addressing.

Dynamic ARP Inspection (D) uses the DHCP snooping binding table to validate ARP packets and prevent Gratuitous ARP (gARP) abuse, a common technique in ARP poisoning/spoofing attacks where a malicious host broadcasts forged ARP replies to redirect traffic. These two features work together as a foundational Layer 2 security pair.

Option A is incorrect: the native VLAN should NOT be used on trunk ports (it should be changed to an unused VLAN) to prevent double-tagging attacks. Option B is incorrect: ACLs cannot directly control ARP table modifications. Option E (private VLANs with isolated ports) is overly restrictive and not a standard baseline security measure.
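An added configuration example, not part of the exam page, showing how the snooping/DAI pair from options C and D is deployed on a Cisco IOS access switch. It assumes VLAN 10 as the user VLAN, GigabitEthernet1/0/48 as the uplink toward the legitimate DHCP server, and GigabitEthernet1/0/1 as a user access port. IOS ports are untrusted by default, so the "untrusted on all ports" state in option C is the default; the practical step is trusting only the uplink, without which clients never receive DHCP offers.

```ios
! Enable DHCP snooping globally, then scope it to the user VLAN (assumed VLAN 10)
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; disable it unless the relay/server expects it
no ip dhcp snooping information option
! Dynamic ARP Inspection validates ARP against the snooping binding table
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! Let ports err-disabled by a rate-limit violation recover automatically
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
!
! Uplink toward the legitimate DHCP server: the only trusted port (assumed interface)
interface GigabitEthernet1/0/48
 description Uplink to distribution / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User access port (assumed interface): untrusted by default, rate-limited against floods
interface GigabitEthernet1/0/1
 description User access port
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! Verification: confirm the VLAN scope, the trusted port, and the learned bindings
! show ip dhcp snooping
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
```

Forged gARP replies from an untrusted port whose IP/MAC pair is absent from the binding table are dropped and counted in the DAI statistics, which is the detection point to monitor.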