Which two actions help protect access-layer switch ports from rogue DHCP servers?
That turns on the feature and applies it to selected VLANs.
Why this answer
DHCP snooping marks trusted and untrusted interfaces and filters server-type DHCP messages on untrusted ports. Uplink ports toward the real DHCP server or relay are typically trusted, while user-facing ports stay untrusted. Option C is incorrect because PortFast does not filter DHCP messages; it only speeds up spanning tree convergence.
Option D is incorrect because disabling ARP breaks normal communication and does not block DHCP. Option E is incorrect because marking all access ports as trusted would permit rogue DHCP servers on those ports.
Exam trap
Do not confuse port security with DHCP snooping; they address different security concerns.
Why the other options are wrong
PortFast is used to speed up the transition of a port to forwarding state in spanning tree, typically for end-user devices. It does not filter DHCP messages or prevent rogue DHCP servers; DHCP snooping is the correct mechanism.
ARP is essential for IP communication and disabling it would break network connectivity. DHCP snooping does not involve ARP; it operates at the DHCP protocol level to validate messages.
Setting every access port as trusted would allow any device connected to those ports to act as a DHCP server, defeating the purpose of DHCP snooping. Only ports connected to legitimate DHCP servers should be trusted.