A switch has DHCP snooping enabled, but users still experience IP-to-MAC spoofing attacks. Which additional feature should be considered to help address that specific problem?
Answer choices
Why each option matters
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Distractor review
PortFast
PortFast affects STP convergence behavior, not ARP spoofing validation.
Best answer
Dynamic ARP Inspection
Correct. DAI directly targets ARP spoofing.
Distractor review
EtherChannel
EtherChannel increases logical bandwidth and redundancy, not ARP validation.
Distractor review
NetFlow
NetFlow provides traffic visibility, not active prevention of ARP spoofing.
Common exam trap
Common exam trap: answer the scenario, not the keyword
A frequent exam trap is confusing DHCP snooping with complete protection against IP-to-MAC spoofing. While DHCP snooping builds a binding table of legitimate IP-to-MAC pairs, it does not inspect ARP packets themselves. Candidates might incorrectly choose PortFast or EtherChannel, which do not address ARP spoofing. Another trap is assuming NetFlow provides security; it only monitors traffic but does not prevent spoofing. The key mistake is not recognizing that Dynamic ARP Inspection is the feature designed specifically to validate ARP packets against DHCP snooping bindings and block spoofed ARP messages.
Technical deep dive
How to think about this question
Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets on a network to prevent ARP spoofing attacks. ARP spoofing occurs when a malicious device sends falsified ARP messages, associating its MAC address with the IP address of another host, enabling man-in-the-middle attacks or denial of service. DAI intercepts all ARP requests and replies on untrusted ports and compares them against a trusted database of IP-to-MAC bindings, typically learned via DHCP snooping. If the ARP packet does not match the binding, it is dropped, effectively blocking spoofed ARP messages.

The decision process for enabling DAI relies on having DHCP snooping enabled first, because DHCP snooping builds and maintains the IP-to-MAC binding table that DAI uses for validation. Without DHCP snooping, DAI cannot verify ARP packets accurately. DAI is configured on switches to inspect ARP traffic on untrusted ports, while trusted ports (such as uplinks to other switches) are exempted. This layered approach ensures that only legitimate ARP traffic is forwarded, preventing IP-to-MAC spoofing attacks that DHCP snooping alone cannot stop.

A common exam trap is assuming that DHCP snooping alone prevents all spoofing attacks. DHCP snooping only validates DHCP messages and builds a binding table; it does not inspect ARP packets directly. Candidates might incorrectly select PortFast or EtherChannel, which do not provide ARP validation. In practical networks, enabling DAI alongside DHCP snooping is essential to secure Layer 2 against ARP spoofing. Misconfiguring trusted ports or neglecting to enable DAI can leave the network vulnerable despite DHCP snooping being active.
Key Concepts to Remember
- Dynamic ARP Inspection uses the DHCP snooping binding table to validate ARP packets and prevent IP-to-MAC spoofing attacks on untrusted switch ports.
- DHCP snooping builds and maintains a trusted database of IP-to-MAC bindings by inspecting DHCP messages on the network.
- DAI inspects ARP requests and replies, dropping any packets that do not match the trusted IP-to-MAC bindings learned via DHCP snooping.
- Switch ports configured as trusted bypass DAI inspection, typically uplinks or ports connected to other network infrastructure devices.
- PortFast affects Spanning Tree Protocol convergence and does not provide any ARP spoofing or IP-to-MAC validation.
- EtherChannel aggregates multiple physical links into a single logical link to increase bandwidth and redundancy but does not validate ARP traffic.
- NetFlow provides traffic analysis and monitoring but does not actively prevent ARP spoofing or validate Layer 2 address mappings.
- Enabling DAI without DHCP snooping is ineffective because DAI relies on the binding table created by DHCP snooping to validate ARP packets.
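The deep dive and key concepts above describe DAI as a layer on top of DHCP snooping, with uplinks trusted and access ports inspected. The Cisco IOS configuration below is an added example, not taken from the question page; VLAN 10, the interface numbers, the host address 10.1.10.5 and its MAC address are assumed sample values.

```cisco
! Step 1: DHCP snooping must come first; it builds the binding table DAI validates against.
ip dhcp snooping
ip dhcp snooping vlan 10
! Step 2: enable DAI for the same VLAN and also check the Ethernet header against the ARP body.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
! Step 3: trust only the uplink. Trusted ports bypass both DHCP snooping and DAI checks,
! so a trusted access port would silently reintroduce the spoofing problem.
interface GigabitEthernet1/0/24
 description Uplink to distribution switch
 ip dhcp snooping trust
 ip arp inspection trust
! Step 4: access ports stay untrusted (the default) and are rate-limited so an ARP flood
! err-disables the offending port instead of exhausting the switch CPU.
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
! Let a rate-limited port recover automatically rather than requiring a manual shut/no shut.
errdisable recovery cause arp-inspection
! Caveat: a host with a static IP never appears in the DHCP snooping table, so DAI would drop
! its ARP traffic. Whitelist such hosts explicitly with an ARP ACL (sample values assumed).
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
! Verification: confirm bindings exist, see which ports are trusted, and watch the drop counters.
! show ip dhcp snooping binding
! show ip arp inspection interfaces
! show ip arp inspection statistics vlan 10
```

A rising "DHCP Drops" or "ACL Drops" count in the statistics output on an untrusted port is the signal that spoofed ARP messages are being blocked, which is exactly the behavior DHCP snooping alone could not provide.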
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
FAQ
Questions learners often ask
What does this 200-301 question test?
Dynamic ARP Inspection uses the DHCP snooping binding table to validate ARP packets and prevent IP-to-MAC spoofing attacks on untrusted switch ports.
What is the correct answer to this question?
The correct answer is: Dynamic ARP Inspection — Dynamic ARP Inspection validates ARP packets against trusted binding information, commonly learned through DHCP snooping. That makes it a natural companion control against ARP spoofing attacks.
What should I do if I get this 200-301 question wrong?
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.