Exam 200-301 topic 1 question 640 discussion

I was thinking static ARP entries would also prevent ports from being exploited but I guess the other two are actually better choices.

checked and it is correct answers DE

B and E are the best options. D is secure but unrealistic. It's not that you want it and you can have it. Port-based authentication means implementing 802.1x using a RADIUS or TACACS server. It really depends on your existing infrastructure and budget. Applying 802.1x for every endpoint in an organisation requires enormous work, and reduces flexibility in everyday operation. If a network already has port-based authentication, very good, keep using it. If it doesn't have yet, no need to force yourself use it. You would need to set up an AAA server, install certificates on endpoints, configure the switch, and every time when a device is moved or changed you have to reconfigure it. B can effectively stop most unauthorised devices connecting to the network. E cuts off the connectivity from the root. These are feasible methods in real work.

D & E are correct

Port-based authentication = 802.1x (RADIUS/TACACS+) - IEEE 802.1X port-based authentication is configured on a device to prevent unauthorized devices (supplicants) from gaining access to the network. The device can combine the function of a router, switch, and access point, depending on the fixed configuration or installed modules. The switch functions are provided by either built-in switch ports or a plug-in module with switch ports. This feature supports both access ports and trunk ports. LINK: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html

This might help: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/xe-3se/3850/sec-user-8021x-xe-3se-3850-book/config-ieee-802x-pba.html