nerdexam
Cisco

400-007 · Question #218

Which technology supports antispoofing and does not have any impact on encryption performance regardless of packet size?

The correct answer is A. MACsec. MACsec provides Layer 2 antispoofing and encryption implemented entirely in hardware ASICs, delivering line-rate performance with no encryption overhead regardless of packet size.

Designing Security

Question

Which technology supports antispoofing and does not have any impact on encryption performance regardless of packet size?

Options

  • AMACsec
  • BIP source guard
  • CDHCP snooping with DAI
  • DIPsec

How the community answered

(30 responses)
  • A
    83% (25)
  • B
    3% (1)
  • C
    3% (1)
  • D
    10% (3)

Why each option

MACsec provides Layer 2 antispoofing and encryption implemented entirely in hardware ASICs, delivering line-rate performance with no encryption overhead regardless of packet size.

AMACsecCorrect

MACsec (IEEE 802.1AE) is a Layer 2 hop-by-hop encryption standard that provides confidentiality, data integrity, and protection against replay and spoofing attacks on Ethernet links. Its encryption engine is implemented in dedicated hardware ASICs built into network interface cards and switches, which process frames at line rate independent of frame size. This hardware offload means there is zero CPU involvement and no performance degradation whether packets are 64 bytes or 9000 bytes, unlike software-based encryption schemes.

BIP source guard

IP Source Guard prevents IP address spoofing by binding traffic to DHCP-assigned IP-to-MAC mappings, but it involves no encryption whatsoever, making encryption performance irrelevant to it.

CDHCP snooping with DAI

DHCP snooping combined with Dynamic ARP Inspection (DAI) mitigates ARP and DHCP spoofing at Layer 2, but neither technology performs encryption, so they cannot satisfy the encryption performance requirement.

DIPsec

IPsec performs Layer 3 encryption that is often software-assisted or uses general-purpose processors, introducing per-packet overhead that disproportionately impacts small packets and causes performance to vary significantly with packet size.

Concept tested: MACsec hardware-based Layer 2 encryption and antispoofing

Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/macsec/configuration/xe-17/macsec-xe-17-book/macsec-overview.html

Topics

#MACsec#anti-spoofing#Layer 2 security#encryption performance

Community Discussion

No community discussion yet for this question.

Full 400-007 Practice