Which statement correctly describes how port security relates to ARP spoofing and MAC flooding?

Prepare for the Network Operations Management Test with multiple choice questions, each with explanations. Assess your knowledge on protocols, backup strategies, and operational management. Enhance your readiness for the exam!

Multiple Choice

Which statement correctly describes how port security relates to ARP spoofing and MAC flooding?

Explanation:
Port security on a switch port controls which MAC addresses can send frames on that port and how many can be learned. By limiting the number and set of allowed MAC addresses, it directly counters MAC flooding, where an attacker tries to fill the switch’s CAM table with many fake MACs to degrade switching performance or cause a port to shut down.

ARP spoofing, on the other hand, poisons the ARP table to misroute traffic. Port security doesn’t validate ARP packets itself, so it isn’t a complete defense against ARP spoofing. Mitigation for ARP spoofing comes from other features such as DHCP snooping, which builds a trusted IP-to-MAC mapping from DHCP, and Dynamic ARP Inspection, which checks ARP packets against that mapping and can drop spoofed ARP replies.

So the best approach is to combine port security (to prevent MAC flooding) with DHCP snooping or DAI (to defend against ARP spoofing). Static ARP entries can help in limited scenarios but aren’t scalable, and ARP spoofing isn’t something port security alone can fully stop.
