The correct answer is A. Switch(config)# ip dhcp snooping because the question asks for the global setting that must be enabled first, before applying more specific (granular) DHCP Snooping controls. In Cisco switching, DHCP Snooping is the primary Layer 2 security feature used to mitigate rogue DHCP server attacks. Once enabled, the switch can distinguish between trusted ports (where legitimate DHCP server responses are allowed, typically uplinks toward the authorized DHCP server) and untrusted ports (typically access ports to end-user devices), where DHCP server responses (DHCPOFFER/DHCPACK) are filtered to prevent a rogue server from handing out malicious network configuration (gateway/DNS) to clients.
The scenario’s defense goal—“reject DHCP responses from untrusted ports”—is exactly what DHCP Snooping enforces after it is enabled and ports are assigned trust states. Conceptually, the workflow is:
Enable DHCP Snooping globally (feature activation),
Enable it for the relevant VLAN(s), and
Mark the legitimate DHCP-facing interface(s) as trusted so only those ports can send DHCP server responses.
Options C and D are part of the later, granular steps:
C enables DHCP snooping for a specific VLAN, which is necessary but is not the global prerequisite the question highlights.
D is applied under an interface to designate a port as trusted; again, this is granular and only meaningful after DHCP snooping is activated.
Option B is a different feature (Dynamic ARP Inspection) and is used to mitigate ARP spoofing/poisoning rather than rogue DHCP.
Therefore, the global command Jason should recommend first is Switch(config)# ip dhcp snooping.
