Which of the following best describes a common mitigation for ARP poisoning?

Multiple Choice

Which of the following best describes a common mitigation for ARP poisoning?

Explanation:
ARP poisoning happens when an attacker sends spoofed ARP messages to associate their MAC address with a legitimate IP, tricking devices on the local network into sending traffic to the attacker instead of the rightful host. A common and effective mitigation combines Dynamic ARP Inspection, static ARP entries, and VLAN segmentation. Dynamic ARP Inspection checks ARP packets against a trusted binding database and can drop forged replies, making it harder for spoofed mappings to take hold. Static ARP entries fix specific IP-to-MAC mappings on devices, so those devices won’t accept unsolicited updates that could be caused by an attacker. VLAN segmentation restricts ARP broadcasts to smaller network segments, limiting the reach of spoofing attempts and reducing risk. The other options fail for different reasons: blocking all ARP traffic would break normal network operation; relying solely on endpoint credentials doesn’t address layer-2 spoofing; and disabling switches would disable network connectivity.
