350-701 · Question #64
A malicious user gained network access by spoofing printer connections that were authorized using MAB on four different switch ports at the same time. What two catalyst switch security features will p
The correct answer is A. DHCP Snooping E. Dynamic ARP inspection. To prevent unauthorized access and spoofing, DHCP Snooping and Dynamic ARP Inspection (DAI) are critical Catalyst switch features for validating IP and MAC address bindings and preventing ARP-related attacks.
Question
A malicious user gained network access by spoofing printer connections that were authorized using MAB on four different switch ports at the same time. What two catalyst switch security features will prevent further violations? (Choose two)
Options
- ADHCP Snooping
- B802.1AE MacSec
- CPort security
- DIP Device tracking
- EDynamic ARP inspection
- FPrivate VLANs
How the community answered
(35 responses)- A83% (29)
- B9% (3)
- C6% (2)
- D3% (1)
Why each option
To prevent unauthorized access and spoofing, DHCP Snooping and Dynamic ARP Inspection (DAI) are critical Catalyst switch features for validating IP and MAC address bindings and preventing ARP-related attacks.
DHCP Snooping prevents unauthorized DHCP servers and ensures that valid IP-to-MAC address bindings are maintained in the DHCP snooping binding table, which is crucial for Dynamic ARP Inspection.
802.1AE MacSec provides point-to-point encryption for Ethernet frames, which secures data in transit but does not directly prevent a user from spoofing a printer connection for network access at Layer 2 or 3.
Port security limits the number of MAC addresses allowed on a port and can restrict specific MAC addresses, but DHCP Snooping and DAI specifically address the spoofing of IP and MAC addresses to gain access.
IP Device Tracking helps track devices on the network, but it does not actively prevent spoofing or unauthorized access in the same way DHCP Snooping and DAI do by validating ARP and DHCP traffic.
Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table, dropping invalid ARP packets to prevent ARP spoofing and Man-in-the-Middle attacks from unauthorized devices.
Private VLANs isolate ports within a VLAN at Layer 2, which helps segment traffic and contain threats, but it does not directly prevent a malicious user from spoofing an authorized device to gain initial access.
Concept tested: Catalyst switch Layer 2 security features
Source: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750x_cg/swdhcp.html#wp1021481
Topics
Community Discussion
No community discussion yet for this question.