Practice Q's - Port Security Flashcards

1
Q

You are the network administrator in your company. You have executed the following commands on the Fa0/1 interface of a switch named swtA:

Over a period of time, different hosts are connected to the Fa0/1 switch port of swtA. The MAC addresses of the hosts that were connected to the Fa0/1 port and the order in which they connected are as follows:

After a few days, you notice that the Fa0/1 port is in the shutdown state. Which of the following MAC addresses causes the Fa0/1 port to shut down?

A. 2222.2222.2222

B. 3333.3333.3333

C. 4444.4444.4444

D. 5555.5555.5555

A

Answer: D

Explanation:

The MAC address 5555.5555.5555 caused the Fa0/1 port to shut down because it violates the port security enabled on the port. The switchport port-security maximum 4 command allows at most four MAC addresses or hosts to be connected to the Fa0/1 switch port. Two secure MAC addresses, 1111.1111.1111 and 3333.3333.3333, are statically configured on the Fa0/1 port by using the switchport port-security mac-address command. This implies that these two MAC addresses are allowed to be connected to the Fa0/1 port.

The switchport port-security mac-address sticky command enables sticky learning of MAC addresses on the Fa0/1 port. With sticky learning, the dynamically learned MAC addresses are stuck to the port. The first MAC address that is connected to the port becomes the sticky secure address. In this case, the 1111.1111.1111 and 3333.3333.3333 MAC addresses are statically configured as secure addresses. This implies that there can be at most two sticky secure MAC addresses for Fa0/1.

2
Q

As the network administrator, you have enabled port security on the Fa0/1 port of a switch. Fa0/1 is not a trunk port. You have configured the port security so that the MAC addresses 1111.1111.1111 and 2222.2222.2222 are allowed to connect to the switch port.

Which of the following commands were required to configure the port security so that only the MAC addresses 1111.1111.1111 and 2222.2222.2222 are allowed to connect to the switch port? (Choose all that apply.)

A. switchport mode trunk

B. switchport port-security

C. switchport mode access

D. switchport port-security maximum 2

E. switchport port-security maximum 3

A

Answer: B, C, D

Explanation:

The following commands were executed on the switch port:

  • switchport mode access
  • switchport port-security
  • switchport port-security maximum 2

The switchport mode access command configures the switch port as an access port. The switchport port-security command enables port security on the switch port. The switchport port-security maximum 2 command specifies that at most two MAC addresses can be connected to the switch port.

The complete set of commands that were executed on the Fa0/1 port of the switch is as follows: (see attached)

It is not required that the switchport port-security aging command be executed. This command can be used to specify the duration for which all addresses are secured.

The switchport port-security maximum 3 command was not executed on the switch port. This command specifies that three MAC addresses can be allowed on that switch port, instead of only two secure MAC addresses.

3
Q

What is accomplished by the command switchport port-security violation protect?

A. The switch will generate a log message but will not block any packets

B. The switch will drop packets that are in violation and generate a log message

C. The switch will drop packets that are in violation, but not generate a log message

D. The switch will shut down the interface when packets in violation are detected

A

Answer: C

Explanation:

The command switchport port-security violation protect will cause the switch to drop packets that are in violation, but it does not generate a log message. The complete syntax of the command is:

  • switch(config-if)# switchport port-security violation protect

The port-security command is used to lock a port to specific MAC addresses. Port security can be used to limit access to a port by MAC address. It can be applied to:

It cannot be applied to trunk ports or to ports that are part of an Etherchannel.

Three keywords can be used with this command: protect, restrict and shutdown. The restrict keyword tells the port to drop packets and generate a log message for packets that are in violation. The protect keyword tells the port to drop packets without generating a log message for packets that are in violation. The shutdown keyword causes the port to be placed into the errdisable state if a violation is detected.

The following configuration, generated from a partial output of the show run command, would apply port security to the Fa0/1 interface. It would allow five addresses to access the interface at a time. This count includes addresses that have been seen by the port but are currently inactive. Therefore, if five addresses have been seen and three are inactive, then a sixth address would not be allowed. If the port security maximum command has not been issued, the default behavior will only allow one address on the port.

The aging command can be used to force inactive addresses to be dropped from the list of addresses seen, thereby allowing active addresses access to the port.

The above configuration also includes a static entry for the MAC address 0006.0006.0006. This means that this address is always in the list, and so in effect, this configuration leaves only four other dynamic MAC addresses that can connect at a time.

There is no option to generate a log message but not block any packets.

4
Q

QUESTION NO: 135 PORT SECURITY

What command produced the output in the exhibit?

A. show port-security interface

B. show vlan private-vlan type

C. show port-security

D. show ip dhcp snooping

A

Answer: C

Explanation:

The exhibit displays the output of the show port-security command. This command is useful in verifying the reaction set for packets in violation. In the exhibit, Fa5/1 is configured to shut down if a violating packet is received. Port Fa5/5 is configured to drop violating packets, and port Fa5/11 is configured to drop packets and generate a log message.

The output also indicates the number of secure MAC addresses permitted on each interface, the number of secure MAC addresses currently in use on the port, and how many security violations have already occurred.

The show port-security interface command shows the port security configuration on the specified interface. Below is an example of that command output:

In the above example, seven MAC addresses are allowed on this interface. It can be seen that seven are now connected. Therefore, if one more user connects to the hub or switch that is connected to this port, the port will be placed into the err-disabled state and an SNMP trap message will be sent.

The show vlan private-vlan type command displays the private VLANs on the switch and whether they are primary, isolated, or community VLANs. An example of the command output is below:

In the output, VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 303 carries traffic from isolated ports to a promiscuous port.

The show ip dhcp snooping command displays whether DHCP snooping is enabled, what VLANs it is configured for, and what ports are trusted DHCP ports. An example output is below.

5
Q

What is accomplished by the command switchport port-security violation restrict?

A. The switch will generate a log message but will not block any packets.

B. The switch will drop packets that are in violation and generate a log message.

C. The switch will drop packets that are in violation, but not generate a log message.

D. The switch will shut down the interface when packets in violation are detected.

A

Answer: B

Explanation:

The command switchport port-security violation restrict drops packets that are in violation and generates a log message. The complete syntax of the command is:

  • switch(config-if)# switchport port-security violation restrict

The port security command is used to lock a port down to specific MAC addresses. The three keywords that can be used with this command are protect, restrict, and shutdown. The protect keyword tells the port to drop packets without generating a log message for packets that are in violation. The restrict keyword tells the port to drop packets and generate a log message for packets that are in violation. The shutdown keyword causes the port to be disabled if a violation is detected.

There is no option to generate a log message but not block any packets.

6
Q

What command produces the output in the exhibit?

A. show port-security interface

B. show vlan private-vlan type

C. show port-security

D. show ip dhcp snooping

A

Answer: C

Explanation:

The exhibit displays the output of the show port-security command. This command is useful in verifying the reaction set for packets in violation. In the exhibit, Fa5/1 is configured to shut down if a violating packet is received. Port Fa5/5 is configured to drop violating packets and port Fa5/11 is configured to drop packets and generate a log message.

The output also indicates the number of secure MAC addresses permitted on each interface, the number of secure MAC addresses currently in use on the port, and how many security violations there have been.

The show port-security interface command shows the port security configuration on the specified interface. Below is an example of the command and its output:

In the example, seven MAC addresses are allowed on this interface. It can be seen that seven are now connected. Therefore, if one more user connects to the hub or switch connected to this port, the port will be placed into the err-disabled state and an SNMP trap message will be sent.

The show vlan private-vlan type command displays the private VLANs on the switch and indicates whether they are primary, isolated, or community VLANs. An example of the output is below:

In the output, VLAN 202 carries traffic from promiscuous ports to isolated, community, and other promiscuous ports in the same VLAN. VLAN 303 carries traffic from isolated ports to a promiscuous port.

The show ip dhcp snooping command displays whether DHCP snooping is enabled, what VLANs it is configured for, and what ports are trusted DHCP ports. An example of the output is below:

7
Q

Which two actions are possible when you are configuring port-security?

  1. Port will be error disabled
  2. Port will be shutdown
  3. Port will drop traffic
  4. Port will send logs
  5. ??
A

Correct Answer: AD

8
Q

A question about how port security can be configured in?

  1. static trunk port
  2. dynamic trunk port
  3. dynamic access port
  4. ???
A

Correct Answer: A

9
Q

Which two statements about recovering error-disabled interface are true? (Choose two.)

  1. Reloading the switch recovers it from the error-disabled state.
  2. If errdisable recovery is configured, the interface is recovered automatically when the root problem is corrected.
  3. Removing and reinserting network media recovers an interface from the error-disabled state.
  4. errdisable recovery is enabled by default and operates normally without additional configuration.
  5. The show errdisable recovery command displays the conditions for which autorecovery is enabled.
A

Correct Answer: BE

10
Q

Which two configuration requirements for port security are true? (Choose two.)

  1. The port must be part of a trunk.
  2. Port security must be enabled at the port level.
  3. Port security must be enabled at the global level.
  4. The port must be a SPAN port.
  5. The port must be part of an EtherChannel bundle.
  6. The port must be in access mode.
A

Correct Answer: BF

11
Q

Which command enables you to determine whether any interface on a device was shut down as a result of a port security violation?

  1. show port-security
  2. show errdisable detect
  3. show interface err-disabled status
  4. show port-security address
A

Correct Answer: A
