CCNA: Cisco Certified Network Associate — Question 928
A network administrator is evaluating network security in the aftermath of an attempted ARP spoofing attack. If Port-channel1 is the uplink interface of the access-layer switch toward the distribution-layer switch, which two configurations must the administrator configure on the access-layer switch to provide adequate protection? (Choose two.)
Answer options
- A.
    ip dhcp snooping vlan 1-4094
    !
    interface Port-channel1
     switchport protected
     switchport port-security maximum 1
- B.
    ip dhcp snooping vlan 1-4094
    ip dhcp snooping
    !
    interface Port-channel1
     ip dhcp snooping trust
- C.
    ip dhcp snooping
    !
    interface Port-channel1
     switchport port-security maximum 1
     switchport port-security
- D.
    ip arp inspection trust
    !
    interface Port-channel1
     switchport port-security maximum 4094
     switchport port-security
     ip verify source mac-check
- E.
    ip arp inspection vlan 1-4094
    !
    interface Port-channel1
     ip arp inspection trust
Correct answer: B, E
Explanation
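The correct answers are B and E. Option B enables DHCP snooping globally and on the VLANs and marks the uplink as trusted, which helps prevent unauthorized DHCP servers on access ports while still accepting DHCP server replies that arrive over Port-channel1. Option E enables ARP inspection on the VLANs and trusts the uplink; ARP inspection validates ARP packets on untrusted ports against the DHCP snooping binding table, which helps prevent ARP spoofing. The other options either lack the necessary DHCP snooping or ARP inspection configuration, or do not effectively secure the uplink interface.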
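The check below is an added example, not part of the original question: a small Python audit that parses an IOS-style configuration and reports what is missing for the protection described in options B and E. The function names, the finding messages and the extra check that ARP inspection VLANs are also covered by DHCP snooping are assumptions of this example.

```python
# Constructed samples: GOOD combines options B and E; WEAK is option A.
GOOD = """\
ip dhcp snooping vlan 1-4094
ip dhcp snooping
ip arp inspection vlan 1-4094
!
interface Port-channel1
 ip dhcp snooping trust
 ip arp inspection trust
"""
WEAK = """\
ip dhcp snooping vlan 1-4094
!
interface Port-channel1
 switchport protected
 switchport port-security maximum 1
"""

def vlans(lines, prefix):
    """Expand each exact '<prefix> 10,20-30' line into a set of VLAN ids."""
    out = set()
    for ln in lines:
        head, _, spec = ln.rpartition(" ")
        for part in (spec.split(",") if head == prefix else []):
            lo, _, hi = part.partition("-")
            out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(config, uplink):
    """Return findings for an IOS-style config; an empty list means it passes."""
    glob, ifaces, cur = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():  # unindented: global command or block start
            glob.append(line)
            is_if = line.startswith("interface ")
            cur = ifaces.setdefault(line[10:], []) if is_if else None
        elif cur is not None:      # indented command inside an interface block
            cur.append(line)
    dai = vlans(glob, "ip arp inspection vlan")
    findings = []
    if "ip dhcp snooping" not in glob:
        findings.append("DHCP snooping is not enabled globally")
    if not dai:
        findings.append("ARP inspection is not enabled on any VLAN")
    if dai - vlans(glob, "ip dhcp snooping vlan"):
        findings.append("ARP inspection VLANs lack DHCP snooping")
    trust = ("ip dhcp snooping trust", "ip arp inspection trust")
    return findings + [f"{uplink} is missing '{c}'" for c in trust
                       if c not in ifaces.get(uplink, [])]
```

Calling `audit(WEAK, "Port-channel1")` lists each gap in option A, while `audit(GOOD, "Port-channel1")` returns an empty list.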