Network Infrastructure and Connectivity · medium · Matching · Objective-mapped

Quick Answer

The correct match pairs each security feature with its main purpose: Access Control Lists permit or deny traffic based on IP and port, DHCP Snooping identifies trusted ports and builds a binding table to block rogue DHCP servers, Dynamic ARP Inspection (DAI) uses that binding table to validate ARP packets and prevent ARP spoofing, and Port Security restricts MAC addresses learned on a switch port to mitigate MAC flooding. These features are correct because they each enforce a specific layer of defense—ACLs filter at Layer 3/4, DHCP Snooping secures Layer 2 addressing, DAI validates Layer 2-to-Layer 3 mappings, and Port Security controls physical access. On the CCNA 200-301 v2 exam, this topic appears in the Network Access section, often as a drag-and-drop or multiple-choice question testing your ability to distinguish between these overlapping security tools. A common trap is confusing DAI with DHCP Snooping, but remember DAI depends on the DHCP Snooping binding table to work. Memory tip: "ACLs filter, DHCP blocks, DAI validates, Port Security locks."

CCNA Network Infrastructure and Connectivity Practice Question

This 200-301 practice question tests your understanding of network infrastructure and connectivity. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. A key principle to apply: ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Match the security feature to its main purpose.

Question 1 · medium · matching

Correct answer & explanation

Firewall: Filters traffic based on security rules

ACLs are correct because they use permit and deny statements to filter traffic based on source/destination IP, protocol, or port. DHCP Snooping is correct because it identifies trusted ports and builds a DHCP binding table to block rogue DHCP servers and prevent spoofed DHCP messages. DAI is correct because it leverages the DHCP Snooping binding table to validate ARP packets, dropping those that do not match trusted bindings and thus preventing ARP spoofing attacks. Port Security is correct because it restricts the number and specific MAC addresses learned on a switch port, mitigating MAC flooding and unauthorized device access.

Key principle: ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Firewall: Filters traffic based on security rules

    Why this is correct

    Firewalls inspect packets and apply rules to permit or deny traffic, forming the first line of defense in network security.

    Related concept

    ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.

  • Intrusion Prevention System: Detects and blocks malicious activity

    Why this is correct

    Firewalls do not encrypt data; encryption is performed by VPNs or encryption protocols like IPsec.

    Related concept

    ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.

  • VPN: Encrypts data between remote sites

    Why this is correct

    Endpoint malware detection is the role of antivirus software, not a firewall.

    Related concept

    ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.

  • Access Control List: Permits or denies traffic based on IP/port

    Why this is correct

    Centralized log analysis is the function of a SIEM system, not a firewall.

    Related concept

    ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Avoid confusing the general term 'security' with specific functions. Firewalls filter traffic; they do not encrypt, detect endpoint malware, or provide centralized log analysis. Each security tool has a defined purpose.

Detailed technical explanation

How to think about this question

Access Control Lists (ACLs) are fundamental Cisco security tools that filter network traffic by permitting or denying packets based on defined criteria such as source/destination IP addresses, protocols, or ports. ACLs operate at Layer 3 and Layer 4 to enforce security policies and control access to network resources. They are widely used to restrict unauthorized traffic but do not inherently protect against DHCP or ARP spoofing attacks.

DHCP Snooping is a Layer 2 security feature that prevents rogue DHCP servers from distributing invalid IP addresses. It works by filtering DHCP messages and building a DHCP binding table that records legitimate IP-to-MAC address mappings. This binding table is critical because other features, like Dynamic ARP Inspection (DAI), rely on it to validate ARP packets.

DAI intercepts ARP requests and replies, comparing them against the DHCP Snooping binding table to prevent ARP spoofing and man-in-the-middle attacks.

Port Security is another Layer 2 feature that limits the number of MAC addresses allowed on a switch port. It helps prevent unauthorized devices from connecting to the network by restricting port access based on MAC addresses. Unlike DHCP Snooping and DAI, Port Security does not validate DHCP or ARP traffic but focuses on controlling physical access to the network. Understanding these distinct roles is essential for correctly matching security features to their purposes in Cisco network environments.
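To make the dependency concrete, here is an added toy model (not code from this page or from Cisco IOS) of the three Layer 2 decisions a switch makes: DHCP Snooping accepting server replies only on trusted ports and recording bindings, DAI checking untrusted-port ARP against those bindings, and Port Security bounding the MACs on a port. Port names, MAC and IP addresses are constructed for illustration.

```python
"""Toy switch model of how DHCP Snooping feeds Dynamic ARP Inspection (DAI) and how
Port Security bounds MACs per port. Added illustration, not code from the question
page or Cisco IOS; every port name, MAC and IP below is constructed."""


class Switch:
    def __init__(self, trusted_ports, max_macs=1):
        self.trusted = set(trusted_ports)  # DHCP Snooping / DAI trust: uplink to the real DHCP server
        self.max_macs = max_macs           # Port Security maximum per access port
        self.learned = {}                  # port -> set of secured MACs
        self.bindings = {}                 # snooping table: (client_ip, client_mac) -> access port

    def port_security(self, port, src_mac):
        # Port Security: an access port may only source a bounded set of MACs.
        macs = self.learned.setdefault(port, set())
        if src_mac not in macs and len(macs) >= self.max_macs:
            return "violation"             # IOS would protect/restrict/shutdown here
        macs.add(src_mac)
        return "ok"

    def dhcp_ack(self, ingress, client_port, client_ip, client_mac):
        # DHCP Snooping: server replies are accepted only from trusted ports;
        # each accepted lease becomes a binding tied to the client's port.
        if ingress not in self.trusted:
            return "dropped"               # rogue DHCP server answering from an access port
        self.bindings[(client_ip, client_mac)] = client_port
        return "bound"

    def arp(self, ingress, sender_ip, sender_mac):
        # DAI: trusted ports pass unchecked; untrusted ports need a binding
        # whose IP, MAC and port all match the packet's sender and ingress.
        if ingress in self.trusted:
            return "forwarded"
        if self.bindings.get((sender_ip, sender_mac)) == ingress:
            return "forwarded"
        return "dropped"                   # spoofed IP/MAC, or a real pair on the wrong port


def demo():
    sw = Switch(trusted_ports=["Gi0/1"])
    return {
        "rogue_dhcp": sw.dhcp_ack("Gi0/3", "Gi0/2", "10.0.0.20", "aa:aa:aa:aa:aa:02"),
        "lease": sw.dhcp_ack("Gi0/1", "Gi0/2", "10.0.0.20", "aa:aa:aa:aa:aa:02"),
        "arp_ok": sw.arp("Gi0/2", "10.0.0.20", "aa:aa:aa:aa:aa:02"),
        "arp_spoof": sw.arp("Gi0/3", "10.0.0.20", "aa:aa:aa:aa:aa:03"),  # Gi0/3 claims Gi0/2's lease
        "arp_uplink": sw.arp("Gi0/1", "10.0.0.1", "aa:aa:aa:aa:aa:01"),
        "ps_first": sw.port_security("Gi0/3", "aa:aa:aa:aa:aa:03"),
        "ps_second": sw.port_security("Gi0/3", "bb:bb:bb:bb:bb:01"),
    }
```

Note that if the `dhcp_ack` on the trusted port never happens, every untrusted-port ARP is dropped: this is why DAI is unusable without DHCP Snooping (or static ARP ACLs) on a real switch.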

Key Concepts to Remember

  • ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.
  • DHCP Snooping protects the network from unauthorized DHCP servers by filtering DHCP messages and creating a binding table of legitimate IP-to-MAC mappings.
  • Dynamic ARP Inspection uses the DHCP Snooping binding table to validate ARP packets and prevent ARP spoofing attacks on the network.
  • Port Security limits the number of MAC addresses allowed on a switch port to prevent unauthorized device connections.
  • ACLs do not protect against DHCP or ARP spoofing; their primary role is traffic filtering based on IP and protocol rules.
  • DHCP Snooping and DAI work together to secure Layer 2 address resolution processes by validating DHCP and ARP traffic respectively.
  • Port Security enforces physical access control on switch ports but does not inspect or filter DHCP or ARP packets.
  • Correctly matching Cisco security features requires understanding their specific functions within Layer 2 and Layer 3 security contexts.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Review how ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria, then practise related 200-301 questions on the same topic to reinforce the concept.

FAQ

Questions learners often ask

What does this 200-301 question test?

This question tests Network Infrastructure and Connectivity: ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.

What is the correct answer to this question?

The correct answer is: Firewall: Filters traffic based on security rules — ACLs are correct because they use permit and deny statements to filter traffic based on source/destination IP, protocol, or port. DHCP Snooping is correct because it identifies trusted ports and builds a DHCP binding table to block rogue DHCP servers and prevent spoofed DHCP messages. DAI is correct because it leverages the DHCP Snooping binding table to validate ARP packets, dropping those that do not match trusted bindings and thus preventing ARP spoofing attacks. Port Security is correct because it restricts the number and specific MAC addresses learned on a switch port, mitigating MAC flooding and unauthorized device access.

What should I do if I get this 200-301 question wrong?

Review how ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria, then practise related 200-301 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

ACLs control network traffic by matching defined rules and either permitting or denying packets based on Layer 3 and Layer 4 criteria.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Apr 12, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

This 200-301 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-301 exam.