Which countermeasures can mitigate ARP spoofing attacks?

Which countermeasures can mitigate ARP spoofing attacks? (Choose two.)

A. Port security

B. DHCP snooping

C. IP source guard

D. Dynamic ARP inspection





megatron


Disagree. A & D

DHCP Snooping does nothing for ARP Spoofing (only if used in combination with IP sourceguard does it actually prevent any kind of spoofing).

Port security can be used to restrict to a single MAC, so if spoofed would errdisable the port as it’s over the limit.

beetleman


B and D are correct. DARPI uses DHCP snooping’s database.

Port security has no features to mitigate ARP spoofing. Try to find anything about Port security on this page about ARP poisoning: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_603839.html

You won’t.

However this:
“Other security features, such as dynamic ARP inspection (DAI), also use information stored in the DHCP snooping binding database.”

Which can be found here:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

Amergin


^^ . This is clearly correct. Based on the whitepaper on ARP poisoning linked above:

“Note that configuring DHCP Snooping is a prerequisite to configure Dynamic ARP Inspection (DAI).”
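The dependency quoted from the Cisco documents above, as an added example that is not part of the original comments or Cisco's own code: a simplified Python model in which DHCP snooping learns bindings from server replies on a trusted port and DAI checks each ARP sender MAC/IP pair against them. The class, port names and addresses are constructed for illustration, and the model ignores lease times, ARP ACLs and rate limiting.

```python
from dataclasses import dataclass, field

# Constructed sample values (documentation address ranges), not from the page.
HOST_A_MAC, HOST_A_IP = "00:00:5e:00:53:0a", "192.0.2.10"
HOST_B_MAC = "00:00:5e:00:53:0b"
VLAN = 10

@dataclass
class Switch:
    """Simplified model of DHCP snooping plus DAI on one access switch."""
    trusted_ports: set
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> (mac, port)

    def snoop_dhcp_ack(self, ingress_port, vlan, client_mac, client_ip, client_port):
        """DHCP snooping: learn a binding only from a server reply on a trusted port."""
        if ingress_port not in self.trusted_ports:
            return False  # server message arriving on an untrusted port is dropped
        self.bindings[(vlan, client_ip)] = (client_mac.lower(), client_port)
        return True

    def dai_permits(self, ingress_port, vlan, sender_mac, sender_ip):
        """DAI: compare the ARP sender MAC/IP with the snooping binding for that VLAN."""
        if ingress_port in self.trusted_ports:
            return True  # trusted ports are not inspected
        entry = self.bindings.get((vlan, sender_ip))
        return entry is not None and entry[0] == sender_mac.lower()

def run_demo():
    sw = Switch(trusted_ports={"Gi0/1"})  # Gi0/1: uplink toward the DHCP server
    out = {}
    # With an empty binding table, even host A's genuine ARP fails the check.
    out["arp_before_binding"] = sw.dai_permits("Gi0/2", VLAN, HOST_A_MAC, HOST_A_IP)
    # A DHCP server reply seen on an access port does not create a binding.
    out["ack_on_untrusted_port"] = sw.snoop_dhcp_ack("Gi0/3", VLAN, HOST_B_MAC, HOST_A_IP, "Gi0/3")
    # The real server reply on the trusted uplink does.
    out["ack_on_trusted_port"] = sw.snoop_dhcp_ack("Gi0/1", VLAN, HOST_A_MAC, HOST_A_IP, "Gi0/2")
    out["genuine_arp"] = sw.dai_permits("Gi0/2", VLAN, HOST_A_MAC, HOST_A_IP)
    # Host B claims host A's IP with its own MAC: no matching binding, so dropped.
    out["spoofed_arp"] = sw.dai_permits("Gi0/3", VLAN, HOST_B_MAC, HOST_A_IP)
    return out

if __name__ == "__main__":
    for check, permitted in run_demo().items():
        print(f"{check}: {permitted}")
```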

Oleg


Static assignment of allowed MAC addresses on the port can definitely mitigate ARP spoofing. Agree with megatron. Anyway, the question is tricky.