
Port Security 2

August 29th, 2017 in SWITCH 300-115

Question 1

Question 2

Explanation

The new switch port keeps going back into err-disabled mode, so we can deduce that port security is still enabled on this port -> A is correct and B is not correct.

In this question we know that all access ports have port security sticky enabled, so port security is still enabled on the older switch port (we only removed the PC and cleared the port security on the new one) -> E is correct (D is also correct, but E is the better answer).

Answer C is not correct, as the other access ports have no effect on these two ports.

Question 3

Explanation

There are three port security violation modes:
+ protect – Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
+ restrict – Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
+ shutdown – Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.

The default behavior for a security violation is to shut down that port permanently.

(Reference: http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.html)

Question 4

Explanation

This is the paragraph on the Cisco website that describes the “show errdisable recovery” command:

“If you have enabled errdisable recovery, you can determine the reason for the errdisable status if you issue the “show errdisable recovery” command. An example of the output of this command is shown below:

Switch#show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Enabled
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Enabled
pagp-flap            Enabled
dtp-flap             Enabled
link-flap            Enabled
l2ptguard            Enabled
psecure-violation    Enabled
gbic-invalid         Enabled
dhcp-rate-limit      Enabled
mac-limit            Enabled
unicast-flood        Enabled
arp-inspection       Enabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------    ---------------------    --------------
  Fa2/4                bpduguard          273

Reference: https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/69980-errdisable-recovery.html

So answer A seems to be correct, but the quote above is very misleading. In fact, this command is used to verify which services/features have been enabled for err-disable recovery (note that err-disable recovery is disabled by default for all services and features; we have to turn it on manually, per cause, with the command “errdisable recovery cause …” if we want to use it). If we allow all of the above services/features to recover automatically, we will not know the reason a port was error-disabled.

In fact, the best way to determine why a port is in the err-disabled state is to view the Syslog messages. For example:

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state

This means Fa0/1 is put in err-disabled state because of a port security violation.

Note: The command “show errdisable detect” is used only to identify which services are enabled for errdisable detection (for example, services like “arp-inspection”, bpduguard, UDLD,…)
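The following configuration is an added example for this page, not text or code taken from the original explanation or from Cisco's documentation. It ties together the three violation modes from Question 3 and the err-disable recovery and syslog points from Question 4: three access ports, one per violation mode, automatic recovery enabled only for the port-security cause, and logging forwarded so the %PM-4-ERR_DISABLE message is kept somewhere a defender can read it. The interface numbers, VLAN 10 and the collector address 192.0.2.10 are assumptions.

```cisco
! Added example. Interface numbers, VLAN 10 and 192.0.2.10 are placeholders.
! Three access ports, one per violation mode. Only "shutdown" (the default)
! puts the port into the err-disabled state; the other two keep it up.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation protect
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! Let ports that were err-disabled by port security recover on their own
! after the default 300 seconds. Other causes stay down until an operator
! looks at them, so the reason is not lost.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Keep the evidence. %PM-4-ERR_DISABLE is severity 4 (warnings), so this
! trap level forwards it to the syslog collector.
logging host 192.0.2.10
logging trap warnings
snmp-server enable traps port-security
!
! Verification from privileged EXEC:
!   show port-security interface FastEthernet0/2   (mode, violation count, last source address)
!   show interfaces status err-disabled             (which ports are down and why)
!   show errdisable recovery                        (which causes auto-recover, and the timer)
!   show logging | include ERR_DISABLE              (the reason, as recommended above)
```

With this in place, a violation on FastEthernet0/3 produces the %PM-4-ERR_DISABLE line quoted above and the port returns to service after 300 seconds, while a violation on FastEthernet0/2 only drops the offending frames and increments the SecurityViolation counter shown by “show port-security interface”.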

Question 5

Question 6

Explanation

Port Security Guidelines and Restrictions

Follow these guidelines when configuring port security:
+ A secure port cannot be a trunk port.
+ A secure port cannot be a destination port for Switch Port Analyzer (SPAN) -> Answer E is not correct.
+ A secure port cannot belong to an EtherChannel port-channel interface -> Answer C is correct.
+ A secure port and static MAC address configuration are mutually exclusive.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html

+ Port security supports private VLAN (PVLAN) ports -> Answer B is not correct.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/15-1SY/config_guide/sup2T/15_1_sy_swcg_2T/port_security.pdf

Sticky MAC addresses can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. No document mentions a maximum number of sticky MAC addresses that can be configured on a device, but it can certainly be greater than three -> D is not correct.

We are not sure about answer A but port security does support “static secure MAC addresses” (by using the “switchport port-security mac-address mac_address” interface configuration command).

Question 7

Explanation

A switchport violation occurs in one of two situations:
+ When the maximum number of secure MAC addresses has been reached (by default, the maximum number of secure MAC addresses per switchport is limited to 1)
+ An address learned or configured on one secure interface is seen on another secure interface in the same VLAN

Reference: http://www.ciscopress.com/articles/article.asp?p=1722561

We have to admit that we have never tested the second violation rule stated above ^^.

Question 8

Explanation

You can configure an access port with an attached Cisco IP Phone to use one VLAN for voice traffic and another VLAN for data traffic from a device attached to the phone -> Therefore we can configure two VLANs in total.

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_40_se/configuration/guide/scg/swvoip.pdf
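The following configuration is an added example, not part of the original explanation or of the Cisco documents referenced above. It shows the two points from Question 6 and Question 8 together on one port: a data VLAN for the PC and a voice VLAN for the Cisco IP Phone (two VLANs on the access port), with the phone entered as a static secure MAC address and the PC learned through the sticky feature. The interface number, the VLAN ids and the phone's MAC address (taken from the IANA documentation range) are constructed values.

```cisco
! Added example. FastEthernet0/5, VLANs 10/20 and the MAC address are placeholders.
! One access port carrying a data VLAN for the PC and a voice VLAN for the
! phone: two VLANs in total, as the Question 8 explanation concludes.
interface FastEthernet0/5
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 ! One address expected from the PC and one from the phone
 switchport port-security maximum 2
 ! Phone address entered as a static secure MAC address (constructed value)
 switchport port-security mac-address 0000.5e00.5301
 ! The first address seen from the PC is learned and written into the
 ! running configuration as a sticky secure address
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
!
! Sticky entries only survive a reload once they are in startup-config
copy running-config startup-config
!
! Verification:
!   show port-security address                        (static vs. sticky entries per port)
!   show running-config interface FastEthernet0/5     (the learned sticky line)
```

Without the “maximum 2” line the default limit of one secure address would be reached by whichever device speaks first, and the second device would trigger the configured violation mode.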

Question 9

Question 10

Explanation

When port security is violated, the port can be put into the errdisable state -> B is correct.

When the maximum number of hosts per port has been reached, learning a new MAC address can put the port into the errdisable state -> D is correct.

Comments
  1. Anonymous
    July 11th, 2017

    are these new questions?

  2. BoZZ
    September 2nd, 2017

    Q2 – explanation – see second reason.

    A security violation occurs in either of these situations:

    •When the maximum number of secure MAC addresses is reached on a secure port and the source MAC address of the ingress traffic is different from any of the identified secure MAC addresses, port security applies the configured violation mode.

    •If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, applies the configured violation mode.

  3. Hank
    October 6th, 2017

    To Certprepare:
    the explanation for Q6 is partly correct. Trunk ports CAN do port security. You even state this in Q2 on the first set of Port Security questions on this site. The link you posted is out of date. Cisco has many docs stating it does support trunk port security.

  4. mike_peerawat
    October 17th, 2017

    @kl Can you provide the document from IT-Libraries to me, mike_peerawat at icloud dot com
    or are you just a salesman

  5. Nick
    November 29th, 2017

    DO NOT USE http://www.myexamcollection.com/ IT'S A FAKE

  6. ciptech
    December 5th, 2017

    Question 8

    How many VLANs can be assigned to a user access port configured for VoIP?
    A. 1
    B. 2
    C. 3
    D. unlimited

    Answer: B

    “a user access port configured for VoIP” already has a VLAN configured for VoIP, so you can only add one more VLAN for data. => Answer A. 1 [please correct me if I am wrong]

  7. Anon6
    December 23rd, 2017

    Interesting info from a Cisco document: https://webcache.googleusercontent.com/search?q=cache:Ml3m2-kqiMYJ:https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.pdf+&cd=5&hl=en&ct=clnk&gl=us&client=opera

    • Port security supports private VLAN (PVLAN) ports.
    • Port security supports IEEE 802.1Q tunnel ports.
    • Port security does not support Switch Port Analyzer (SPAN) destination ports.
    • Port security supports access and trunking EtherChannel port-channel interfaces.
    • You can configure port security and 802.1X port-based authentication on the same port.
    • Port security supports nonnegotiating trunks.
    – Port security only supports trunks configured with these commands:
    switchport
    switchport trunk encapsulation
    switchport mode trunk
    switchport nonegotiate
    – If you reconfigure a secure access port as a trunk, port security converts all the sticky and static
    secure addresses on that port that were dynamically learned in the access VLAN to sticky or
    static secure addresses on the native VLAN of the trunk. Port security removes all secure
    addresses on the voice VLAN of the access port.

  8. Andre
    February 28th, 2018

    @Anon6
    Port security DOES not support EtherChannel port-channel interfaces…
    it’s from your link
    from Question 6 only C is true..

  9. Archangel
    March 4th, 2018

    Q6-support
    The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. This number is determined by the active Switch Database Management (SDM) template. See “Configuring SDM Templates.” This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.

  10. Candidate_of_115
    March 19th, 2018
  11. lalaversa
    May 6th, 2018

    Q6. Fake Q&A.
    Static port MAC address assignments are supported (A is wrong).
    PVLAN ports are supported (B is wrong).
    EtherChannel port-channel…. some Cisco docs claim not supported, others claim supported (very uncertain answer based on official Cisco documentation, C maybe…).
    Maximum of three sticky MAC addresses is wrong (D is wrong).
    SPAN port are not supported (E is wrong).
    This question is badly documented and it is not possible to give two certain answers.

  12. lalaversa
    May 6th, 2018

    Q10.
    question exposed badly…. in reference to what? How is the port configured?
    Impossible to find this question on the certification test

  13. dumps pro dot com
    May 7th, 2018

    H Guys
    Latest CCNP dumps

    look
    my
    name

  14. Ahmed B.
    May 18th, 2018

    Q9 answer should be D.shutdown

    shutdown violation mode is the only mode that sends snmp traps

  15. 5423423dasd
    May 30th, 2018

    Latest 100% Real CCNP Exam Questions

    dumps
    pro
    dot
    com

  16. Anonymous
    June 5th, 2018

    Q5 is definitely “B. Enable the sticky MAC addresses feature.”

  17. Anonymous
    June 5th, 2018

    “If you don’t want to configure manually every single MAC address of your organization then you can have the switch learn the MAC address dynamically using the “switchport port-security mac-address sticky” command. This command allow switch to learn the first MAC address that comes into on the interface.”

    https://supportforums.cisco.com/t5/network-infrastructure-documents/how-to-configure-port-security-on-cisco-catalyst-switches-that/ta-p/3132907

  18. nataliya
    June 25th, 2018

    Question 5

    Which configuration do you apply to an interface so that it uses port security to learn and commit the first MAC address?
    A. Configure the switchport switch-port security violation restrict 1 command.
    B. Enable the sticky MAC addresses feature.
    C. Enable the static secure MAC addresses feature.
    D. Configure the switch for port-security aging type inactivity command.
    E. Configure the switchport port-security maximum 1 command.
    F. Disable the sticky MAC addresses feature.
    Answer: E

    Why E? By default there is already a setting for 1 MAC address, so we only need to configure sticky, so correct is B.

    https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/nxos/commands/l2/switchport-port-security-maximum.html

  19. patzen
    July 10th, 2018

    Q6
    A is correct:

    “A secure port and static MAC address configuration are mutually exclusive.”
    ref https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.pdf

    C according to the same document is also correct

    it seems that different platforms have different restrictions, the link below would provide different answers to the same question

    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SY/configuration/guide/sy_swcg/port_security.html#84716

  20. Baya005
    July 25th, 2018

    I agree with Ahmed B. Answer on Q9 should be D. Shutdown state is only state that sends SNMP trap.

  21. CCNA-AZ
    August 8th, 2018

    Q9.

    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/port_sec.html

    When configuring port security violation modes, note the following information:

    +protect—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
    +restrict—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
    +shutdown—Puts the interface into the error-disabled state immediately and sends an SNMP trap notification

    David Hucaby – CCNP Routing and Switching SWITCH 300-115 Official Cert Guide – 2014 (page 416)

    +Shutdown: The port immediately is put into the errdisable state, which effectively
    shuts it down. It must be reenabled manually or through errdisable recovery to be
    used again.
    +Restrict: The port is allowed to stay up, but all packets from violating MAC addresses
    are dropped. The switch keeps a running count of the number of violating packets
    and can send an SNMP trap and a syslog message as an alert of the violation.
    +Protect: The port is allowed to stay up, as in the restrict mode. Although packets
    from violating addresses are dropped, no record of the violation is kept.

    For the Cisco doc – the answer is D;
    For David Hucaby – the answer is C;

    I think we had better take “C” as the book talks about General rules, but Cisco docs mainly focuses on specific device models.

  22. JJ
    September 12th, 2018

    Q9.

    https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/20ewa/configuration/guide/conf/port_sec.html

    •Restrict—A port security violation restricts data, causes the SecurityViolation counter to increment, and causes an SNMP Notification to be generated. The rate at which SNMP traps are generated can be controlled by the snmp-server enable traps port-security trap-rate command. The default value (“0”) causes an SNMP trap to be generated for every security violation.

    •Shutdown—A port security violation causes the interface to shut down immediately. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure_violation global configuration command or you can manually reenable it by entering the shutdown and no shut down interface configuration commands. This is the default mode.

    the answer is C

  23. csnavarro
    October 9th, 2018

    I agree with lalaversa, question number 10 is very poorly formulated; I hope that questions like this don’t appear on the certification test.
