Which method helps protect against ARP spoofing as described in the material?

The idea is to control what a device can send on each switch port so a attacker can’t impersonate others at layer 2. ARP spoofing relies on an attacker sending forged ARP frames that associate their MAC with another IP, poisoning others’ ARP caches. With CAM-based port security on a hardware switch, you bind specific MAC addresses to each port (static or sticky), and the switch enforces that only those MACs can use the port. If a different MAC tries to send frames on that port, the switch detects the violation and can drop the frames or shut the port down. That prevents the attacker from injecting spoofed ARP replies or hijacking traffic on that link, keeping host-to-host mappings trustworthy. In contrast, turning ARP off isn’t practical, static DNS doesn’t address ARP at all, and antivirus doesn’t stop layer-2 spoofing.