Port Security Questions 2
Here you will find answers to Port Security Questions – Part 2
Question 1
Refer to the exhibit. Based on the running configuration that is shown for interface FastEthernet0/2, what two conclusions can be deduced? (Choose two)
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 6
 switchport port-security aging time 5
 switchport port-security aging static
 switchport port-security mac-address sticky
 switchport port-security mac-address 0000.0000.000b
 switchport port-security mac-address sticky 0000.0000.4141
 switchport port-security mac-address sticky 0000.0000.5050
 no ip address
A. Connecting a host with MAC address 0000.0000.4147 will move interface FastEthernet0/2 into error disabled state.
B. The host with address 0000.0000.4141 is removed from the secure address list after 5 seconds of inactivity.
C. The sticky secure MAC addresses are treated as static secure MAC addresses after the running configuration is saved to the startup configuration and the switch is restarted.
D. Interface FastEthernet0/2 is a voice VLAN port.
E. The host with address 0000.0000.000b is removed from the secure address list after 300 seconds.
Answer: C E
Explanation
In this case, “switchport port-security aging time 5” sets the aging time to 5 minutes, and “switchport port-security aging static” tells the switch to age out statically configured MAC addresses as well -> the MAC 0000.0000.000b will be aged out after 5 minutes (300 seconds).
Note: Cisco switches do not support port security aging of sticky secure MAC addresses -> the sticky secure MAC addresses are not aged out.
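The aging rule from this explanation can be checked mechanically when auditing a saved configuration. The following is an added example, not part of the original page or of any Cisco tool: it parses the Question 1 exhibit and reports, for each configured secure MAC address, whether it is static or sticky and when it ages out. The function name secure_address_aging and the sample string EXHIBIT are assumptions made for this illustration.

```python
import re

# Constructed sample: the interface stanza from the exhibit in Question 1.
EXHIBIT = """\
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 6
 switchport port-security aging time 5
 switchport port-security aging static
 switchport port-security mac-address sticky
 switchport port-security mac-address 0000.0000.000b
 switchport port-security mac-address sticky 0000.0000.4141
 switchport port-security mac-address sticky 0000.0000.5050
 no ip address
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
PREFIX = "switchport port-security "


def secure_address_aging(config: str) -> dict:
    """Map each configured secure MAC to (kind, seconds until aged out or None)."""
    aging_minutes, aging_static, found = 0, False, []
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not line.startswith(PREFIX):
            continue
        rest = line[len(PREFIX):]
        if m := re.fullmatch(r"aging time (\d+)", rest):
            aging_minutes = int(m.group(1))   # unit is minutes; 0 disables aging
        elif rest == "aging static":
            aging_static = True               # aging also covers static entries
        elif m := re.fullmatch(rf"mac-address (sticky )?({MAC})", rest):
            found.append(("sticky" if m.group(1) else "static", m.group(2)))
    result = {}
    for kind, mac in found:
        # Sticky entries are never aged; static ones only with "aging static".
        ages = kind == "static" and aging_static and aging_minutes > 0
        result[mac] = (kind, aging_minutes * 60 if ages else None)
    return result


if __name__ == "__main__":
    for mac, (kind, secs) in secure_address_aging(EXHIBIT).items():
        print(mac, kind, "never aged" if secs is None else f"aged out after {secs} s")
```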
Question 2
Refer to the exhibit. What will happen when one more user is connected to interface FastEthernet 5/1?

A. The first address learned on the port will be removed from the secure address list and be replaced with the new address.
B. All secure addresses will age out and be removed from the secure address list. This will cause the security violation counter to increment.
C. The packets with the new source addresses will be dropped until a sufficient number of secure MAC addresses are removed from the secure address list.
D. The interface will be placed into the error-disabled state immediately, and an SNMP trap notification will be sent.
Answer: D
Explanation
There are three violation modes of port security:
+ Protect: drop packets (port is not shutdown)
+ Restrict: drop packets and increase violation counter, send SNMP trap notification (port is not shutdown)
+ Shutdown (default mode): put port into error-disabled state (same as shutdown state), send SNMP trap notification
Question 3
When you enable port security on an interface that is also configured with a voice VLAN, what is the maximum number of secure MAC addresses that should be set on the port?
A. No more than one secure MAC address should be set.
B. The default will be set.
C. The IP phone should use a dedicated port, therefore only one MAC address is needed per port.
D. No value is needed if the switchport priority extend command is configured.
E. No more than two secure MAC addresses should be set.
Answer: E
Explanation
Usually, an IP Phone needs two MAC addresses, one for the voice VLAN and one for the access VLAN. If you don’t want other devices to access this port, then you should not set more than two secure MAC addresses.
Below is an example for this configuration:
|
Switch(config)# interface fa0/1 |
(For more information about this, please read http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/port_sec.html)
Question 4
Refer to the exhibit. What type of attack would be mitigated by this configuration?

A. ARP spoofing
B. MAC spoofing
C. VLAN hopping
D. CDP manipulation
E. MAC flood attack
F. spanning tree compromises
Answer: E
Explanation
The maximum number of hosts allowed is 5, so an attacker cannot flood the switch with many source MAC addresses -> This configuration is effective against a MAC flooding attack.
Question 5
Refer to the exhibit. Port security has been configured on port Fa0/5. What would happen if another device is connected to the Fa0/5 port after the maximum number of devices has been reached, even if one or more of the original MAC addresses are inactive?

A. The port will permit the new MAC address because one or more of the original MAC addresses are inactive.
B. The port will permit the new MAC address because one or more of the original MAC addresses will age out.
C. Because the new MAC address is not configured on the port, the port will not permit the new MAC address.
D. Although one or more of the original MAC addresses are inactive, the port will not permit the new MAC address.
Answer: D
Explanation
The port-security aging time is set to 0, so aging is disabled for this port -> even if the original MAC addresses are inactive, the port will not permit the new MAC address.
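The behaviour described in the explanations for Questions 2, 4 and 5 can be reproduced with a small model. This is an added example, not from the original page and not Cisco code: the class SecurePort and the helper flood are hypothetical names, the MAC addresses are constructed, and aging is simplified to inactivity aging measured in whole minutes.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Simplified model of one port-security interface (illustration only)."""
    maximum: int = 1                 # default maximum secure addresses
    violation: str = "shutdown"      # protect | restrict | shutdown (default)
    aging_minutes: int = 0           # 0 = aging disabled
    secure: dict = field(default_factory=dict)   # MAC -> minute last seen
    violations: int = 0
    traps: int = 0
    err_disabled: bool = False

    def frame(self, src_mac: str, now: int = 0) -> str:
        """Process one frame at minute `now`; return the port's reaction."""
        if self.err_disabled:
            return "err-disabled"
        if self.aging_minutes:       # inactivity aging; skipped entirely when 0
            self.secure = {m: t for m, t in self.secure.items()
                           if now - t < self.aging_minutes}
        if src_mac in self.secure or len(self.secure) < self.maximum:
            self.secure[src_mac] = now
            return "forwarded"
        if self.violation == "protect":      # silent drop, nothing counted
            return "dropped"
        self.violations += 1                 # restrict and shutdown count and trap
        self.traps += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            return "err-disabled"
        return "dropped"


def flood(port: SecurePort, count: int) -> int:
    """Send `count` frames with distinct constructed source MACs; return table size."""
    for i in range(count):
        port.frame(f"0000.0000.{i:04x}")
    return len(port.secure)


if __name__ == "__main__":
    port = SecurePort(maximum=5, violation="restrict")
    print("secure addresses after 1000 spoofed sources:", flood(port, 1000))
    print("violations counted:", port.violations)
```

With maximum 5, a thousand spoofed source addresses leave only five entries in the secure table, and with aging_minutes left at 0 an idle entry is never removed to make room for a new one.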

dear admin Q.2 image is not visible!
@ certprepare:
The answer C) for Q#1 sounds a bit weird and in the current form I’m not sure it holds true.
I’ve tested it in Packet Tracer (I don’t have access to the lab right now) and after saving the running-config and a restart the sticky addresses (both configured manually and learned dynamically) are displayed still as “Secure Sticky” in the output of the “show port-security address” command, as opposed to one which I configured with the “switchport port-security mac-address xxxx.xxxx.xxxx” command and which was displayed as “Secure Configured”.
Therefore, I don’t know what the author was thinking about when he wrote “are treated as secure static MAC addresses” but as far as static aging goes, that doesn’t seem to be true.
Q#2 doesn’t have a visible image for the exhibit; you might want to change that.
Cheers.
Q4: there should be 2 right answers. I guess no one can disagree that setting the port as access will prevent VLAN hopping.
John
Q#3 has B as the correct answer in 145Dump.
Which one is correct?
For Q4, I think the whole configuration is just for a SINGLE mitigating purpose, so the best answer I believe should be E. If we could choose 2 answers, C and E.
Question # 2 image is not visible. please update it. thanks
You know how the test is: there are right answers and CISCO answers.
Makes no sense sometimes, just get certified!
@Rollodus
I agree fully with you !
@KB
Question #3 is not E.
When you enable the voice VLAN it does not alter the default Max MAC. The default is 2. So the correct answer should be B.
@DEz
This is the default configuration:
#sho port-security int fa0/44
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
The default is 1 Max MAC address, therefore you need to change it to at least 2 if you enable port security. B is incorrect.
When you look at question 3, none of the answers actually answer the question correctly. However, if you just determine which answers are false, B is correct. I really do not like this question.
Q3
When you enable port security on an interface that is also configured with a voice VLAN, what is the maximum number of secure MAC addresses that should be set on the port?
ANSWER –> There is no maximum that ‘should’ be set, but the minimum should be two.
ANSWERS THEY GIVE
A. No more than one secure MAC address should be set. –> FALSE (you need at least two)
B. The default will be set. –> TRUE (defaults to one)
C. The IP phone should use a dedicated port, therefore only one MAC address is needed per port. –> FALSE (IP Phone is treated like a switch with a trunk)
D. No value is needed if the switchport priority extend command is configured. –> FALSE (don’t know where this command came from)
E. No more than two secure MAC addresses should be set. –> FALSE (This depends on your network requirements)
Ty Bryan for making Q3 clear to me
Bryan, you're wrong, E is correct !!!!
Regarding Q#3 “When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two.”
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_14_ea1/configuration/guide/swvoip.html#wp1030825
So, E is correct ? … I mean, how can B be correct ?
When you enable port security on an interface that is also configured with a voice VLAN, you must
set the maximum allowed secure addresses on the port to two plus the maximum number of secure
addresses allowed on the access VLAN. When the port is connected to a Cisco IP phone, the IP
phone requires up to two MAC addresses. The IP phone address is learned on the voice VLAN and
might also be learned on the access VLAN. Connecting a PC to the IP phone requires additional
MAC addresses.
For question 3, consult the Cisco documentation that says:
Voice Port Security Guidelines and Restrictions
Port security as implemented on voice ports behaves the same as port security on access ports:
•You can configure sticky port security on voice ports. If sticky port security is enabled on a voice port, addresses secured on data and voice VLANs are secured as sticky addresses.
•You can configure maximum secure addresses per VLAN. You can set a maximum for either the data VLAN or the voice VLAN. You can also set a maximum per-port, just as with access ports.
•You can configure port security MAC addresses on a per-VLAN basis on either the data or voice VLANs.
•Prior to Cisco IOS Release 12.2(31)SG, you required three MAC addresses as the maximum parameter to support an IP Phone and a PC. With Cisco IOS Release 12.2(31)SG and later releases, the maximum parameter must be configured to two, one for the phone and one for the PC.
so you can tick the answer E with confidence
thanks
Q3 :
The good answer is two addresses: When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two.
http://www.cisco.com/en/US/docs/switches/lan/catalyst2940/software/release/12.1_19_ea1/configuration/guide/swvoip.html
So, regarding Q3 which one is the correct answer for the test?
B or E ?
Q3, the question is:
…that should be set on the port?
I would say, that there should be two MAC-Addresses configured.
I would prefer answer E.
But what would Cisco prefer in the exam?
Sorry, I think Bryan told us the correct answer:
Q3
When you enable port security on an interface that is also configured with a voice VLAN, what is the maximum number of secure MAC addresses that should be set on the port?
ANSWER –> There is no maximum that ‘should’ be set, but the minimum should be two.
Looks like a “Cisco-tricky-question”. ;-)
Did someone get this Q3 on exam ? What is the final answer ? … stupid Q …
Q1: I agree with AdyM.
after ‘wr’ and reboot the switch I still see:
!
interface GigabitEthernet0/5
switchport mode access
switchport port-security maximum 6
switchport port-security
switchport port-security aging time 1
switchport port-security mac-address sticky
switchport port-security aging static
switchport port-security mac-address sticky 0000.0000.4141
switchport port-security mac-address sticky 0000.0000.5050
switchport port-security mac-address sticky 68bd.ab12.d505
end
S2_PAN#sh port-security interface gigabitEthernet 0/5 address
Secure Mac Address Table
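------------------------------------------------------------------------
Vlan    Mac Address       Type            Ports    Remaining Age (mins)
----    -----------       ----            -----    -------------
1       0000.0000.4141    SecureSticky    Gi0/5    -
1       0000.0000.5050    SecureSticky    Gi0/5    -
1       68bd.ab12.d505    SecureSticky    Gi0/5    -
------------------------------------------------------------------------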
Total Addresses: 3
So in my opinion the ‘C’ answer isn’t correct. The Sticky are still Sticky, after ‘wr’ and reboot the switch nothing was changed.
Q1 — I don't understand why you would want to age out a statically configured MAC address — if it is configured statically — then I feel that you want to keep that address in the MAC table — if you don't want to age out, set aging time to zero? — then that address stays in the MAC address table
Geedub.
I agree with you… but it's a feature.
You can see it in FLG page 345.
Nothing from this section was in test today.
These notes apply to Cisco IOS configuration:
This is straight from cisco documentation… It does not say that no more than two should be set…it says 2 plus the number allowed on the access vlan..
•When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to 2 plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP phone, the IP phone requires up to two MAC addresses. The address of the IP phone is learned on the voice VLAN, and it might or might not be learned on the access VLAN. Connecting a PC to the IP phone requires additional MAC addresses.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_14_ea1/release/notes/ol395001.html