
Port Security

November 16th, 2019

Question 1

Explanation

The “sticky” keyword in the switchport port-security mac-address sticky command converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds them to the running configuration.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swtrafc.html)

Question 2

Explanation

Port security can be enabled on both access and static trunk ports. An example of configuring port security on a static trunk port is shown below:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport port-security

For more information about configuring port security on a trunk port, please visit this link: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25sg/configuration/guide/conf/port_sec.pdf

We cannot configure port security on a dynamic interface. For example, we will see an error when we try it:

Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport
Switch(config-if)# switchport mode dynamic desirable
Switch(config-if)# switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.

Question 3

Explanation

When a port security violation is detected, the switch automatically places the port in the “err-disabled” shutdown state. The “errdisable recovery cause psecure-violation” command brings a secure port out of error-disabled state.

Note: There is a similar command, “errdisable recovery cause security-violation”, but it recovers a port from the 802.1x security-violation error-disabled state, not from a port-security violation.

Question 4

Explanation

When a port security violation is detected, the switch automatically places the port in the “err-disabled” shutdown state.

Question 5

Explanation

If any one of the errdisable recovery conditions is enabled, the ports with this condition are re-enabled after 300 seconds. You can also change this default of 300 seconds by issuing this command:

Switch(config)#errdisable recovery interval timer_interval_in_seconds

Question 6

Explanation

A sticky MAC address can be learned automatically or configured manually. When it is dynamically learned, the MAC address is automatically entered into the running configuration as a static MAC address; the address is then kept in the running configuration until a reboot. On reboot, the MAC address will be lost; if we want to keep the MAC address after a reboot, we need to save the running config (with the command copy running-config startup-config).

To turn on the sticky feature on a switch, use the switchport port-security mac-address sticky command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky MAC addresses.
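The explanations for Questions 2, 3, 5 and 6 describe conditions that can be checked offline from a saved running-config: trunk/access ports without port security, dynamic ports where the command would be rejected, sticky MACs that live only in the running configuration, and whether errdisable recovery for psecure-violation is enabled and with what interval. The audit script below is an added example, not code from the page or from Cisco; the config excerpt is constructed sample data, and a port with no "switchport mode" line is assumed to be dynamic.

```python
import re
SAMPLE_CONFIG = """! constructed sample running-config excerpt, not from the page
errdisable recovery cause psecure-violation
errdisable recovery interval 120
interface FastEthernet0/1
 switchport mode trunk
 switchport port-security
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
interface FastEthernet0/3
 switchport mode dynamic desirable
"""

def parse_config(text):
    # recovery defaults: psecure-violation recovery off, 300 s is the IOS default interval
    ifaces, current, recovery = {}, None, {"psecure_violation": False, "interval": 300}
    for line in text.splitlines():
        if line.startswith("interface "):
            current = ifaces[line.split(None, 1)[1]] = {"mode": "dynamic", "ps": False, "macs": []}  # assumed default mode
        elif not line.startswith(" "):          # non-indented line: global command or "!" comment
            current = None
            if line == "errdisable recovery cause psecure-violation":
                recovery["psecure_violation"] = True
            elif m := re.match(r"errdisable recovery interval (\d+)$", line):
                recovery["interval"] = int(m.group(1))
        elif current is not None:              # indented line: interface sub-command
            cmd = line.strip()
            if cmd.startswith("switchport mode "):
                current["mode"] = cmd.split()[2]          # "dynamic desirable" -> "dynamic"
            elif cmd == "switchport port-security":
                current["ps"] = True
            elif m := re.match(r"switchport port-security mac-address sticky ([0-9a-f.]+)$", cmd):
                current["macs"].append(m.group(1))      # sticky-learned MAC written to running-config
    return ifaces, recovery

def audit(text):
    ifaces, recovery = parse_config(text)
    findings = []
    for name, st in ifaces.items():
        if st["mode"] == "dynamic":
            findings.append(f"{name}: dynamic port, switchport port-security would be rejected")
        elif not st["ps"]:
            findings.append(f"{name}: {st['mode']} port without port-security")
        if st["macs"]:
            findings.append(f"{name}: {len(st['macs'])} sticky MAC(s) in running-config only; lost on reboot unless saved")
    if not recovery["psecure_violation"]:
        findings.append("errdisable recovery cause psecure-violation not set; violated ports stay err-disabled")
    return findings
```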

Question 7

Question 8

Question 9

Question 10

Comments
  1. od
    February 3rd, 2020

    who has the latest dump

  2. Anonymous
    February 12th, 2020

    Was able to pass;
    Few questions new: what steps to take if you want to configure port security on a port: chose – access port; make sure it’s not span destination;
    How to see vlan database: choose 2 – Sh vlan/sh vlan database/sh run/etc forgot
    Vspan question – what traffic it allows I think
    Hsrp hotspot/vtp lacp sim/new switch addition vtp sim
    Drag – tacacs radius/stp modes
