Which option is an effective method to prevent ARP poisoning attacks?

ARP poisoning relies on changing the IP-to-MAC mappings in a device’s ARP cache with spoofed information. Static ARP entries lock those mappings in place, so the device will not accept or overwrite them in response to ARP messages from other hosts. That prevents an attacker from redirecting traffic by associating a legitimate IP (like the gateway) with the attacker’s MAC address. It’s especially effective for critical hosts or gateways that must not be redirected. The trade-off is manual maintenance and lack of scalability—keeping static entries updated across many devices can be impractical. Other options don’t address the vulnerability as directly: dynamic ARP responses can be spoofed, disabling ARP breaks connectivity, and encrypting wireless doesn’t stop ARP spoofing in the local broadcast domain.