Cisco

352-001 Question #560: Real Exam Question with Answer & Explanation

The correct answer is A: DHCP snooping. DHCP snooping builds the IP-to-MAC binding table, and Dynamic ARP Inspection (DAI) uses that table to validate ARP packets, together preventing ARP spoofing attacks.

Question

As part of a network design, you should tighten security to prevent man-in-the-middle attacks. Which two security options ensure that authorized ARP responses take place according to known IP-to-MAC address mappings? (Choose two.)

Options

  • A. DHCP snooping
  • B. ARP spoofing
  • C. ARP rate limiting
  • D. Dynamic ARP Inspection
  • E. Port security

Explanation

DHCP snooping builds the IP-to-MAC binding table, and Dynamic ARP Inspection (DAI) uses that table to validate ARP packets, together preventing ARP spoofing attacks.

Common mistakes.

  • B. ARP spoofing is the attack vector being defended against, not a security control or mitigation technique.
  • C. ARP rate limiting throttles the volume of ARP packets to mitigate ARP flood attacks but does not validate IP-to-MAC mappings and cannot prevent spoofed ARP replies sent within the rate limit.
  • E. Port security restricts which MAC addresses can communicate on a switchport but does not inspect ARP packet contents or validate IP-to-MAC bindings.

Concept tested. Dynamic ARP Inspection and DHCP snooping for ARP security

Reference. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-9/configuration_guide/sec/b_179_sec_9300_cg/configuring_dynamic_arp_inspection.html
