nerdexam
Cisco

350-701 · Question #64

A malicious user gained network access by spoofing printer connections that were authorized using MAB on four different switch ports at the same time. What two catalyst switch security features will p

The correct answer is A. DHCP Snooping E. Dynamic ARP inspection. To prevent unauthorized access and spoofing, DHCP Snooping and Dynamic ARP Inspection (DAI) are critical Catalyst switch features for validating IP and MAC address bindings and preventing ARP-related attacks.

Submitted by mike_84· Mar 30, 2026Secure Network Access, Visibility, and Enforcement

Question

A malicious user gained network access by spoofing printer connections that were authorized using MAB on four different switch ports at the same time. What two catalyst switch security features will prevent further violations? (Choose two)

Options

  • ADHCP Snooping
  • B802.1AE MacSec
  • CPort security
  • DIP Device tracking
  • EDynamic ARP inspection
  • FPrivate VLANs

How the community answered

(35 responses)
  • A
    83% (29)
  • B
    9% (3)
  • C
    6% (2)
  • D
    3% (1)

Why each option

To prevent unauthorized access and spoofing, DHCP Snooping and Dynamic ARP Inspection (DAI) are critical Catalyst switch features for validating IP and MAC address bindings and preventing ARP-related attacks.

ADHCP SnoopingCorrect

DHCP Snooping prevents unauthorized DHCP servers and ensures that valid IP-to-MAC address bindings are maintained in the DHCP snooping binding table, which is crucial for Dynamic ARP Inspection.

B802.1AE MacSec

802.1AE MacSec provides point-to-point encryption for Ethernet frames, which secures data in transit but does not directly prevent a user from spoofing a printer connection for network access at Layer 2 or 3.

CPort security

Port security limits the number of MAC addresses allowed on a port and can restrict specific MAC addresses, but DHCP Snooping and DAI specifically address the spoofing of IP and MAC addresses to gain access.

DIP Device tracking

IP Device Tracking helps track devices on the network, but it does not actively prevent spoofing or unauthorized access in the same way DHCP Snooping and DAI do by validating ARP and DHCP traffic.

EDynamic ARP inspectionCorrect

Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table, dropping invalid ARP packets to prevent ARP spoofing and Man-in-the-Middle attacks from unauthorized devices.

FPrivate VLANs

Private VLANs isolate ports within a VLAN at Layer 2, which helps segment traffic and contain threats, but it does not directly prevent a malicious user from spoofing an authorized device to gain initial access.

Concept tested: Catalyst switch Layer 2 security features

Source: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750x_cg/swdhcp.html#wp1021481

Topics

#MAB spoofing#DHCP snooping#dynamic ARP inspection#Layer 2 switch security

Community Discussion

No community discussion yet for this question.

Full 350-701 Practice