312-50V11 · Question #658
A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it? Select the best answers.
The correct answer is A. Use port security on his switches. B. Use a tool like ARPwatch to monitor for strange ARP activity. D. If you have a small network, use static ARP entries.. Effective ARP spoofing prevention combines switch-level enforcement and traffic monitoring; firewalls and static IPs do not address the layer 2 ARP attack surface.
Question
A network admin contacts you. He is concerned that ARP spoofing or poisoning might occur on his network. What are some things he can do to prevent it? Select the best answers.
Options
- AUse port security on his switches.
- BUse a tool like ARPwatch to monitor for strange ARP activity.
- CUse a firewall between all LAN segments.
- DIf you have a small network, use static ARP entries.
- EUse only static IP addresses on all PC's.
How the community answered
(46 responses)- A72% (33)
- C9% (4)
- E20% (9)
Why each option
Effective ARP spoofing prevention combines switch-level enforcement and traffic monitoring; firewalls and static IPs do not address the layer 2 ARP attack surface.
Port security on switches restricts which MAC addresses may communicate on a given port, preventing attackers from injecting forged ARP replies from unauthorized devices.
ARPwatch passively monitors ARP traffic and alerts administrators when IP-to-MAC mappings change unexpectedly, providing early detection of active spoofing or poisoning attempts.
Firewalls operate at layer 3 and above and cannot inspect or block ARP packets, which are layer 2 broadcast frames that do not traverse router boundaries.
Static ARP entries permanently bind an IP address to a specific MAC address in the ARP cache, making those entries immune to being overwritten by malicious ARP replies - a practical control on small, stable networks.
Static IP assignment controls address configuration at layer 3 but does nothing to prevent an attacker from broadcasting fraudulent ARP replies that poison layer 2 MAC-to-IP mappings.
Concept tested: ARP spoofing prevention at layer 2 using port security and monitoring
Source: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dynarp.html
Topics
Community Discussion
No community discussion yet for this question.