Cisco
400-007 · Question #218
400-007 Question #218: Real Exam Question with Answer & Explanation
The correct answer is A: MACsec. MACsec provides Layer 2 antispoofing and encryption implemented entirely in hardware ASICs, delivering line-rate performance with no encryption overhead regardless of packet size.
Question
Which technology supports antispoofing and does not have any impact on encryption performance regardless of packet size?
Options
- AMACsec
- BIP source guard
- CDHCP snooping with DAI
- DIPsec
Explanation
MACsec provides Layer 2 antispoofing and encryption implemented entirely in hardware ASICs, delivering line-rate performance with no encryption overhead regardless of packet size.
Common mistakes.
- B. IP Source Guard prevents IP address spoofing by binding traffic to DHCP-assigned IP-to-MAC mappings, but it involves no encryption whatsoever, making encryption performance irrelevant to it.
- C. DHCP snooping combined with Dynamic ARP Inspection (DAI) mitigates ARP and DHCP spoofing at Layer 2, but neither technology performs encryption, so they cannot satisfy the encryption performance requirement.
- D. IPsec performs Layer 3 encryption that is often software-assisted or uses general-purpose processors, introducing per-packet overhead that disproportionately impacts small packets and causes performance to vary significantly with packet size.
Concept tested. MACsec hardware-based Layer 2 encryption and antispoofing
Community Discussion
No community discussion yet for this question.